Hilton Paid a $700K Fine For 2015 Breach; Under GDPR, It Would Be $420 Million (digitalguardian.com)
chicksdaddy writes from a report via Digital Guardian: If you want to understand the ground shaking change that the EU's General Data Protection Rule (GDPR) will have when it comes into force in May of 2018, look no further than hotel giant Hilton Domestic Operating Company, Inc., formerly known as Hilton Worldwide, Inc (a.k.a. "Hilton."). On Tuesday, the New York Attorney General Eric T. Schneiderman slapped a $700,000 fine on the hotel giant for two 2015 incidents in which the company was hacked, spilling credit card and other information for 350,000 customers. Schneiderman also punished Hilton for its response to the incident. The company first learned in February 2015 that its customer data had been exposed through a UK-based system belonging to the company, which was observed by a contractor communicating with "a suspicious computer outside Hilton's computer network." Still, it took Hilton until November 24, 2015 -- over nine months after the first intrusion was discovered -- to notify the public. That kind of lackluster response has become pretty typical among Fortune 500 companies (see also: Equifax). And why not? The $700,000 fine from the NY AG is a palatable $2 per lost record -- and a mere rounding error for Hilton, which reported revenues of $11.2 billion in 2015, the year of the breach. That means the $700,000 fine was just %.00006 of Hilton's annual revenue in the year of the breach. Schneiderman's fine was less "bringing down the hammer" than a butterfly kiss for Hilton's C-suite, board and shareholders.
But things are going to be different for Hilton and other companies like it come May 2018 when provisions of the EU's General Data Protection Rule (or GDPR) go into effect, as Digital Guardian points out on their blog. Under that new law, data "controllers" like Hilton (in other words: organizations that collect data on customers or employees) can be fined up to 4% of annual turnover in the year preceding the incident for failing to meet the law's charge to protect that data. What does that mean practically for a company like Hilton? Well, the company's FY 2014 revenue (or "turnover") was $10.5 billion. Four percent of that is a cool $420 million dollars -- or $1,200, rather than $2, for every customer record lost. Needless to say, that's a number that will get the attention of the company's Board of Directors and shareholders.
Got to find the funds for those Christmas parties somehow.
The fines are one thing, but there needs to be criminal liability for senior management too. They want the big money, well the risk, responsibility and liability comes with it. Dont want the risks etc then get a Job like the rest of us.
$700,000 is small change for a corporation as big as Hilton, but make no mistake, the guy or team that cost Hilton $700,000 felt the pain, when it filters down to the IT managers and what kind of money they represent to Hilton and what they cost, $700,000 error is big. No bonus for the IT team this year!
If you want news from today, you have to come back tomorrow.
See Subject
The Hilton Hotel business is almost 100 years old. As you may know, copyrighted works become public domain after 100 years. In a similar fashion businesses that are a 100 years old should also become public domain. That means the Hilton Hotel is now a public domain business. They've made billions for themselves, their kids, their grand kids, their great grand kids etc. So now the business should be owned and used by the public.
So feel free to book a free Hilton hotel room for yourself, friends and family.
Well, if companies just decide to put data on UK servers and have UK HQs, and I am predicting a brexit that will allow most companies there to do business with the rest of Europe but still not abide to the EU court, I can already imagine the loopholes most companies are gonna abuse for simply ignoring that problem. Then again, I am hoping my elected representatives in the EU parliament won't be that fool.
Looks like the pressure of regulation might eventually lead to more desire for closed systems again. Building closed systems from a collection of intersecting open systems is tricky.
Imagine if you and I could do crimes like corporations.
Rule 1: You NEVER go to prison. Period. Shutting down a company? Unthinkable!
Rule 2: You, at worst, pay fines, that are relative to your yearly income!
Rule 3: The fines will be limited to silly meaningless amounts like 4%. So, what, like $1600-3200? Not the usual fines that easily swallow more than the average person makes in a year, up to many millions.
Yeah. How much does a company get for murder?
Well, let's use Microsoft as an example.
What do you get for regularly having sex with people, injecting your pathogen into them, eating them out from the inside, and impersonating them, by wearing their skins?
Well, the "fine" of being allowed to ejaculate crack "licenses" over schoolchildren of a school, that cost you absolutely zero to produce, but hooks more children to your crack.
Yeah, if corporations were actually people ... SAW and The Devil's Rejects would be what happens everywhere, every day, all day.
%.00006 of $11.2B is $7,000.
Many corporations are designed to not make money, or go into the red, year-after-year. The EU will end up paying them money.
Every country has their own instance of the company. So in this case there will be a Hilton that owns Hilton USA, Hilton UK, Hilton Canada, etc. The data breach took place in the UK so the maximum fine would be based on revenue of the previous fiscal year of Hilton UK, not Hilton (Worldwide). Unless they propose on fining companies that aren't responsible for the data breach.
And if they do decide to go after the global entities then all they will do is create separate companies to handle all of the customer data processing that are paid just enough to keep things running. Then Hilton will say the data breach will the fault of Hilton Customer Data Processing Company and the fine will be minimal.
I'm not saying how these companies have acted is right. I think that there should be jail time involved for the CxOs instead of large fines for their inept handling of customer data (and especially those that brought about the global financial crisis).
I may be completely wrong, but it seems to me a company has to be fined in proportion to its profits, not its turnover.
Some companies have vast turnover and tiny profits.
A law (where the State has given to itself the power to do something, hmm...) which permits a percentage of *turnover* as a fine is actually potentially a huge abuse of power; because if a company has a massive turnover but a tiny profit, 4% of turnover could be for example well in excess of annual profits. It is literally a company-destroying fine. This power is really a "we can kill you" power, which is profoundly excessive for data breaches.
For those companies with small turnover but huge profits on that turnover, they still don't care.
So what gives. Why is this law arranged in this way?
I don't see a link to the law in the article so I have to assume its language is correct. "can" isn't "will". I doubt we'll ever see a company hit with a 4% fine.
Also, since NY settled, I'd guess they didn't take as much as they might have either. I see no indication in the article as to what they could have gotten.
A more ethical journalistic choice I think would have been to state the numbers for profit here, not revenue.
> After 100 years. In a similar fashion businesses that are a 100 years old should also become public domain. That means the Hilton Hotel is now a public domain business.
Uhm, Hilton is less than 100 years old.
It is, however, publicly owned
https://finance.yahoo.com/quot...
> So feel free to book a free Hilton hotel room for yourself, friends and family.
You realize most hotels with a Hilton sign aren't owned by Hilton, right? Individual hotel owners pay the brands a monthly fee to use the sign and get booking referrals from hilton.com
> get a Job like the rest of us.
That's precisely what any intelligent person would do if any mistakes by any of the thousands of employees at the company could cause the executives to go to prison. Only stupid or extremely ignorant people would accept an executive title. A company could either hire morons to actually run the company, meaning your job and your 401k would soon be gone, or have a string of puppets, where the moron who holds the title of CEO is controlled by people whose involvement is well hidden. The really stupid and desperate person, probably a crack head who had recently been homeless, would have the title "CEO". A crooked and easily influenced person, called the DWS, would relay orders to them from the person actually in control.
So far, GDPR fines exist only in the dreams of consulting firms selling their data privacy management services / solutions. Let's wait what the real outcome will be.
Hilton probably decided to pay out that 700k fine and get over it. Their legal response would have been much stronger if they had they been hit with a $400M bill.
Companies injure customers
Government levies fines against said companies
Government takes the fines for itself
Customers...?
I may be completely wrong, but it seems to me a company has to be fined in proportion to its profits, not its turnover.
While it can be really hard to maximize profits for some businesses, it's extremely easy for every business to reduce profits. If the fine was tied to profits, all a bad-faith corporation would have to do is to ensure it posted low/zero/negative profits in a year when a breach occurred to minimize its penalty. Recall that it's the business reporting the breach in the first place, so timing a loss quarter with a breach could also be quite easy.
The point of a fine is to ensure the business performs all due diligence to avoid the issue. If the amount is 0.006% of revenue like the Hilton fine, it's easily swept under the rug as a cost of doing business. If it presents a real threat to the business, there's actually a chance the fine might be taken seriously and affect the change it is intended to. It's good that a business could go under as the result of running afoul of the law.
I don't believe the interpretation of "turnover" is likely to be correct here, but regardless it is pretty simple. A company like Hilton will make less than that in profit on EU business. The first time a fine that large occurs, the globals will just start shutting down all across the EU. It would be the end of Europe as an open market. It is just math...securing the data fully is a completely impossible problem, one breach wipes out more value than is made in the region after costs, the risk outweighs the reward of dealing with that continent anymore.
The issue isn't the difference between a neo-liberal, laissez-faire focused government (USA) and a 'human cost', welfare-capitalist focused government (EU): It's, how will these governments resolve jurisdiction of the internet in future failures? Other governments have already acquiesced to US law for instances of cyber-crime (according to US law): Will the same happen when it's time to punish a US-owned corporation?
$1,200 probably greatly exceeds the average damage to a customer from the breach. I would say around $500 in punitive damages per customer would be more reasonable. It's still closer in ratio than $2 though.
The 4% figure is correct and in fact the legislation does not allow for a lower or higher fine - it's always 4% of turnover ... except that there is also a maximum limit and that limit is set to a mere 20M Euro. The $420M figure from the article is therefore completely wrong, unfortunately.
The key part of the fine provision (Article 83) is that there is an opportunity to fine €20 million (reduced from €100 million in earlier drafts) or 4% of global annual turnover (whichever is higher), for Tier 2 violations (e.g. violations of data subject rights), while this is halved for Tier 1 violations (breach of data controller/processor obligations). Given that the organisation was hacked and data leaked, they are perhaps at most guilty of negligence in their obligations as data controllers, which would imply a Tier 1-style fine. Similarly, provided they took adequate provisions to meet their obligations as data controllers, it's difficult to imagine that the higher end of the fine would be sought, either (as opposed to a more willful violation, as per Equifax). The fine would still be likely to be higher than the $700k outlined, but would never approach anything near the fantastical $420 million suggested.
As long as the law or a document referenced by the law defines the term Global Turnover, the court will not be confused. Everyone else can have an opinion which the court will eventually overrule.
Overall Turnover
Revenue Streams Law and Legal Definition
I may be completely wrong, but it seems to me a company has to be fined in proportion to its profits, not its turnover.
Profit is manipulable, turnover far less so without actual fraud.
To have a right to do a thing is not at all the same as to be right in doing it
And that should be illegal. Franchising should be illegal. If I am booking Hilton I expect to be staying at Hilton, not at an independently owned hotel. Franchising is fraud, false advertising, willful defrauding and so on.
I don't think that word means what the summary writer thinks it means...
Americans - what can you do with 'em?
Profit is manipulated away by extracting the money through some other company. I.e. my data processing company is too profitable. So to avoid taxes, I arrange fake costs. I buy hideously expensive supplies from a Cayman Islands company. A loss for this company, but not for me, since I own that other company.
You can hide both cost and profit - in order to present a low turnover:
I want to run a credit data processing company that might leak and get punished based on turnover. This time, we don't hide profit through fake cost. We hide profit by charging only a handful of dollars per month for services. The company doesn't have any real costs. It hires equipment, offices etc. from a "provider" for only a few dollars per month. No employees, only consultants hired from a consulting firm - for a few dollars per month.
So neither income nor costs in this shell company. And it works out well because all those other companies agreeing to fake pricing are ultimately owned by the same owner(s). The owners simply extract profits from the shell company that pays for extremely cheap data processing - and "invest" into the companies that seemingly lose money renting out cheap offices & consultants.
You can put profit where taxes are low, and "turnover" where they don't punish you based on turnover.
Hilton makes $100k to $200k in initial franchising fees + 5% of monthly hotel revenue. Why should Hilton heirs collect millions/billions for just the Hilton brand name? They should get off their asses and work like the rest.
Franchising their name also sounds like fraud to tourists booking these hotels, like the other poster said.
1. If companies are people, then of course the other people they murder, are companies too! --> This is basically half of Microsoft's business model! They killed countless other companies. E.g. via Embrace-Extend-Extinguish. Or via offering key employees twice the pay and a $40 million one-time gift, if they leave, and leave the competitor in ruins. Or injecting moles like Elop who deliberately fuck up the company, while having shares in the competitor.
2. Companies murder real actual people every day! Do you know how many big corporations basically have their own military and do real actual warfare in third world countries? Shell springing to mind. ... And then there's Monsanto. ... Or Eli Lilly, who put up stands in schools to literally hook schoolchildren on hard drugs ("giving out free samples") that make them psychopathic and school-shooty and suicidal. And they are fully aware of that. ...
So... in what delusional reality distortion safe space bubble do you live??
It could be 420 Million, but I very much doubt it would be. So the subject is incorrect.
I'm looking over the CRA/FCA handbook and I don't immediately see anything relevant to this discussion. Perhaps you can point out what you're talking about?
https://www.handbook.fca.org.u...
I see if a company criminally defrauds the government, the people involved in perpetrating that crime can (of course) be held criminally liable.
I don't see anything about "all the executives go to prison if a sysadmin doesn't do a good job patching a server, or any other security mistake". Can you help me find that?
> If I am booking Hilton I expect to be staying at Hilton
Which is precisely the benefit of franchising.
With franchising, when you travel to a new city you'll see these options in hotels and food:
Hilton
Super 8
McDonald's
Wendy's
Though you've never been to that city before, you can make a reasonable choice because you know what to expect from a Hilton, from a Super 8, and from a McDonald's.
Without franchising, when you visited a new city you'd see these choices:
Bob's Hotel
Hotel Mary
Frank's Burgers
Jeff's burgers
Which hotel is better? Which burger place will also have baked potatoes? No telling.
The franchise system means you, the consumer, can know more or less what you're going to get, by looking at the sign, though you've never been to that person's restaurant or hotel before. You know a McDonald's, any McDonald's, is going to offer certain menu choices, at a certain level of quality. You know what to expect from any hotel with a "Hilton" sign, without needing to know which particular owner ahead of time.
Thank you for that link. I see the first half of the speech discusses the age-old problem of determining who is responsible, the specific people who did the crime vs the company they work for. That is, of course, fact-dependent, but the question posed is "is the human person who actually, physically did the crime responsible, or the company" - there is no mention of "all the executives who work at the company" being imprisoned. That idea is found only on Slashdot, not in any law anywhere in the world (because it's a stupid idea).
The paper/speech then goes on to discuss the new UK law and the regulator is careful to clearly point out two facts, to avoid any confusion: ...
----
First, the duty of responsibility does not create a
separate and independent basis for senior
management liability.
Secondly, a senior manager is not liable just because
the firm has breached a requirement
-----
He's careful to point out it does NOT create a new liability and does NOT make an executive liable every time an employee, or the organization as a whole, commits a criminal act.
He explains:
-----
In enforcing this duty, the FCA must establish:
first that the firm committed a relevant contravention of our requirements;
secondly that the defendant was the senior person responsible for the activities in question, and
thirdly the defendant failed to take such reasonable steps to avoid or prevent the firm from contravening.
-----
So it applies to specific criminal violations of Financial Conduct Authority requirements, not just any random screw up, so the appropriate senior managers can know exactly what they are responsible for.
Secondly, the requirements are divided up among specific senior manager roles, so again one specific executive, such as the CFO, has a list of the specific compliance items he is expected to make an effort on.
Thirdly, he's required to make a reasonable effort, no more or less. If an employee, or several employees, don't follow the law despite his reasonable effort to formulate appropriate policy, he's not liable.
So each person in an executive management role has their list of things for which they must make a reasonable effort toward compliance. That's quite different from:
> if any mistakes by any of the thousands of employees at the company could cause the executives to go to prison
Umm Hilton is 100 years old and that whole idea is stupid. If I own a house that's been in my family 99 years does that mean next year I have to give it to the public? What about a ring? Should I sell it and make sure my neighbors split the profit? What if my house is used to house antiques from my family and I charge an entry fee? Next year it's not mine but yours? It's my family's house and antiques. I'm just the lucky one to have it at the 100 mark. How about you start something big to pass down to your own. Socialism at its finest. BTW I am just a plain Jane Joe shmo like you. Believe in working for what I have. But if I had anything from my ancestors I believe it should be mine.