Submission + - Hilton Paid a $700k fine for 2015 breach. Under GDPR, it would be $420 million (digitalguardian.com)
chicksdaddy writes: If you want to understand the ground shaking change that the EU's General Data Protection Rule (GDPR) will have when it comes into force in May of 2018, look no further than hotel giant Hilton Domestic Operating Company, Inc., formerly known as Hilton Worldwide, Inc. a.k.a. “Hilton.”)
On Tuesday, the New York Attorney General Eric T. Schneiderman slapped a $700,000 fine on the hotel giant for two, 2015 incidents in which the company was hacked, spilling credit card and other information for 350,000 customers. (https://ag.ny.gov/press-release/ag-schneiderman-announces-700000-joint-settlement-hilton-after-data-breach-exposed)
Schneiderman also punished Hilton for its response to the incident. The company first learned in February 2015 that its customer data had been exposed through a UK based system belonging to the company, which was observed by a contractor communicating with “a suspicious computer outside Hilton’s computer network.” Still, it took Hilton until November 24, 2015 — over nine months after the first intrusion was discovered — to notify the public.
That kind of lackluster response has become pretty typical among Fortune 500 companies (see also: Equifax). And why not? The $700,000 fine from the NY AG is a palatable $2 per lost record — and a mere rounding error for Hilton, which reported revenues of $11.2 billion in 2015, the year of the breach. That means the $700,000 fine was just %.00006 of Hilton’s annual revenue in the year of the breach. Schneiderman's fine was less 'brining down the hammer' than a butterfly kiss for Hilton's C-suite, board and shareholders.
But things are going to be different for Hilton and other companies like it come May 2018 when provisions of the EU’s General Data Protection Rule (or GDPR) go into effect, as Digital Guardian points out on their blog. Under that new law, data “controllers” like Hilton (in other words: organizations that collect data on customers or employees) can be fined up to 4% of annual turnover in the year preceding the incident for failing to meet the law’s charge to protect that data. (http://www.eugdpr.org/)
What does that mean practically for a company like Hilton? Well, the company’s FY 2014 revenue (or “turnover”) was $10.5 billion. Four percent of that is a cool $420 million dollars — or $1,200, rather than $2, for every customer record lost. Needless to say, that’s a number that will get the attention of the company’s Board of Directors and shareholders.
On Tuesday, the New York Attorney General Eric T. Schneiderman slapped a $700,000 fine on the hotel giant for two, 2015 incidents in which the company was hacked, spilling credit card and other information for 350,000 customers. (https://ag.ny.gov/press-release/ag-schneiderman-announces-700000-joint-settlement-hilton-after-data-breach-exposed)
Schneiderman also punished Hilton for its response to the incident. The company first learned in February 2015 that its customer data had been exposed through a UK based system belonging to the company, which was observed by a contractor communicating with “a suspicious computer outside Hilton’s computer network.” Still, it took Hilton until November 24, 2015 — over nine months after the first intrusion was discovered — to notify the public.
That kind of lackluster response has become pretty typical among Fortune 500 companies (see also: Equifax). And why not? The $700,000 fine from the NY AG is a palatable $2 per lost record — and a mere rounding error for Hilton, which reported revenues of $11.2 billion in 2015, the year of the breach. That means the $700,000 fine was just %.00006 of Hilton’s annual revenue in the year of the breach. Schneiderman's fine was less 'brining down the hammer' than a butterfly kiss for Hilton's C-suite, board and shareholders.
But things are going to be different for Hilton and other companies like it come May 2018 when provisions of the EU’s General Data Protection Rule (or GDPR) go into effect, as Digital Guardian points out on their blog. Under that new law, data “controllers” like Hilton (in other words: organizations that collect data on customers or employees) can be fined up to 4% of annual turnover in the year preceding the incident for failing to meet the law’s charge to protect that data. (http://www.eugdpr.org/)
What does that mean practically for a company like Hilton? Well, the company’s FY 2014 revenue (or “turnover”) was $10.5 billion. Four percent of that is a cool $420 million dollars — or $1,200, rather than $2, for every customer record lost. Needless to say, that’s a number that will get the attention of the company’s Board of Directors and shareholders.
