Hilton Paid a $700K Fine For 2015 Breach; Under GDPR, It Would Be $420 Million (digitalguardian.com)

chicksdaddy writes from a report via Digital Guardian: If you want to understand the ground-shaking change that the EU's General Data Protection Rule (GDPR) will have when it comes into force in May of 2018, look no further than hotel giant Hilton Domestic Operating Company, Inc., formerly known as Hilton Worldwide, Inc. (a.k.a. "Hilton"). On Tuesday, the New York Attorney General Eric T. Schneiderman slapped a $700,000 fine on the hotel giant for two 2015 incidents in which the company was hacked, spilling credit card and other information for 350,000 customers. Schneiderman also punished Hilton for its response to the incident. The company first learned in February 2015 that its customer data had been exposed through a UK-based system belonging to the company, which was observed by a contractor communicating with "a suspicious computer outside Hilton's computer network." Still, it took Hilton until November 24, 2015 -- over nine months after the first intrusion was discovered -- to notify the public. That kind of lackluster response has become pretty typical among Fortune 500 companies (see also: Equifax). And why not? The $700,000 fine from the NY AG is a palatable $2 per lost record -- and a mere rounding error for Hilton, which reported revenues of $11.2 billion in 2015, the year of the breach. That means the $700,000 fine was just 0.00006% of Hilton's annual revenue in the year of the breach. Schneiderman's fine was less "bringing down the hammer" than a butterfly kiss for Hilton's C-suite, board and shareholders.

But things are going to be different for Hilton and other companies like it come May 2018, when provisions of the EU's General Data Protection Rule (or GDPR) go into effect, as Digital Guardian points out on their blog. Under that new law, data "controllers" like Hilton (in other words: organizations that collect data on customers or employees) can be fined up to 4% of annual turnover in the year preceding the incident for failing to meet the law's charge to protect that data. What does that mean practically for a company like Hilton? Well, the company's FY 2014 revenue (or "turnover") was $10.5 billion. Four percent of that is a cool $420 million -- or $1,200, rather than $2, for every customer record lost. Needless to say, that's a number that will get the attention of the company's Board of Directors and shareholders.

5 of 110 comments

  1. 4%?? I wish I could do crime at that price! by Anonymous Coward · · Score: 3, Informative

    Imagine if you and I could do crimes like corporations.

    Rule 1: You NEVER go to prison. Period. Shutting down a company? Unthinkable!
    Rule 2: You, at worst, pay fines, that are relative to your yearly income!
    Rule 3: The fines will be limited to silly meaningless amounts like 4%. So, what, like $1600-3200? Not the usual fines that easily swallow more than the average person makes in a year, up to many millions.

    Yeah. How much does a company get for murder?
    Well, let's use Microsoft as an example.
    What do you get for regularly having sex with people, injecting your pathogen into them, eating them out from the inside, and impersonating them, by wearing their skins?
    Well, the "fine" of being allowed to ejaculate crack "licenses" over schoolchildren of a school, that cost you absolutely zero to produce, but hooks more children to your crack.

    Yeah, if corporations were actually people ... SAW and The Devil's Rejects would be what happens everywhere, every day, all day.

  2. Fines won't be that large by CanadianMacFan · · Score: 3, Informative

    Every country has their own instance of the company. So in this case there will be a Hilton that owns Hilton USA, Hilton UK, Hilton Canada, etc. The data breach took place in the UK so the maximum fine would be based on revenue of the previous fiscal year of Hilton UK, not Hilton (Worldwide). Unless they propose fining companies that aren't responsible for the data breach.

    And if they do decide to go after the global entities then all they will do is create separate companies to handle all of the customer data processing that are paid just enough to keep things running. Then Hilton will say the data breach was the fault of Hilton Customer Data Processing Company and the fine will be minimal.

    I'm not saying how these companies have acted is right. I think that there should be jail time involved for the CxOs instead of large fines for their inept handling of customer data (and especially those that brought about the global financial crisis).

    1. Re:Fines won't be that large by tehcyder · · Score: 3, Informative

      "turnover" is not an accounting or legal term

      It is/was here in the UK.

      and is ambiguous

      No, here in the UK it is the old term for the first line on the Profit and Loss account, which is now called "Revenue". It wouldn't be used to mean anything else.

      --
      To have a right to do a thing is not at all the same as to be right in doing it

  3. Re: Excellent by ShanghaiBill · · Score: 4, Informative

    How many are incarcerated for petty drug crimes?

    In America, about 20% are incarcerated for non-violent drug offenses.

  4. Re:Excellent by eth1 · · Score: 3, Informative

    there needs to be criminal liability for senior management too.

    If we are going to start putting people in prison for incompetence, then we will need a lot more prisons.

    America already imprisons four times as many people as any other 1st world country. Perhaps we should stop looking at incarceration as the solution to every problem.

    In this case, it's not incompetence. I work in infosec at the engineer/architect level, and we NEVER have the resources to do things properly. It's expensive and time consuming, and profits are more important to senior management than security, plain and simple. Add to that the fact that everyone above our heads (including the CEO) complains loudly at even the slightest inconvenience in the name of security ("two-factor is too much trouble, turn it off!"), and it's hopeless without some kind of "incentives" that the higher-ups can understand.