Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hilton Paid a $700K Fine For 2015 Breach; Under GDPR, It Would Be $420 Million (digitalguardian.com)

Posted by BeauHD on from the price-difference dept.

chicksdaddy writes from a report via Digital Guardian: If you want to understand the ground shaking change that the EU's General Data Protection Rule (GDPR) will have when it comes into force in May of 2018, look no further than hotel giant Hilton Domestic Operating Company, Inc., formerly known as Hilton Worldwide, Inc (a.k.a. "Hilton."). On Tuesday, the New York Attorney General Eric T. Schneiderman slapped a $700,000 fine on the hotel giant for two 2015 incidents in which the company was hacked, spilling credit card and other information for 350,000 customers. Schneiderman also punished Hilton for its response to the incident. The company first learned in February 2015 that its customer data had been exposed through a UK-based system belonging to the company, which was observed by a contractor communicating with "a suspicious computer outside Hilton's computer network." Still, it took Hilton until November 24, 2015 -- over nine months after the first intrusion was discovered -- to notify the public. That kind of lackluster response has become pretty typical among Fortune 500 companies (see also: Equifax). And why not? The $700,000 fine from the NY AG is a palatable $2 per lost record -- and a mere rounding error for Hilton, which reported revenues of $11.2 billion in 2015, the year of the breach. That means the $700,000 fine was just %.00006 of Hilton's annual revenue in the year of the breach. Schneiderman's fine was less "bringing down the hammer" than a butterfly kiss for Hilton's C-suite, board and shareholders.

But things are going to be different for Hilton and other companies like it come May 2018 when provisions of the EU's General Data Protection Rule (or GDPR) go into effect, as Digital Guardian points out on their blog. Under that new law, data "controllers" like Hilton (in other words: organizations that collect data on customers or employees) can be fined up to 4% of annual turnover in the year preceding the incident for failing to meet the law's charge to protect that data. What does that mean practically for a company like Hilton? Well, the company's FY 2014 revenue (or "turnover") was $10.5 billion. Four percent of that is a cool $420 million dollars -- or $1,200, rather than $2, for every customer record lost. Needless to say, that's a number that will get the attention of the company's Board of Directors and shareholders.

66 of 110 comments (clear)

  1. Excellent by sit1963nz · · Score: 5, Insightful

    The fines are one thing, but there needs to be criminal liability for senior management too. They want the big money, well the risk, responsibility and liability comes with it. Dont want the risks etc then get a Job like the rest of us.

    1. Re:Excellent by ShanghaiBill · · Score: 4, Insightful

      there needs to be criminal liability for senior management too.

      If we are going to start putting people in prison for incompetence, then we will need a lot more prisons.

      America already imprisons four times as many people as any other 1st world country. Perhaps we should stop looking at incarceration as the solution to every problem.

    2. Re: Excellent by ShanghaiBill · · Score: 4, Informative

      How many are incarcerated for petty drug crimes?

      In America, about 20% are incarcerated for non-violent drug offenses.

    3. Re:Excellent by Anonymous Coward · · Score: 3, Insightful

      It's not incompetence -- that's just the veneer of plausible deniability. This is willful negligence, and there's a difference. Incompetence is when giving your best effort isn't good enough. These criminals have a willful disinterest in protecting anything that doesn't belong to them.

      To give you an rough analogy: incompetence is when the bank builds a standard vault, but criminals find a way to break in anyhow. Criminal negligence is when your bank puts its depositors' cash and valuables in a chicken-wire cage with a padlock.

    4. Re:Excellent by Anonymous Coward · · Score: 2, Insightful

      Step 1: Find poor guy with little means (likely to end up in prison anyway)
      Step 2: Offer him a role as CxO for $250,000
      Step 3: Control everything as before, except now with the title of "Puppet master"
      Step 4: Not go to prison when things go wrong.

      I bet there are thousands of people willing to sit in a chair for $250,000 a year in return for the possibility of going to prison.

    5. Re:Excellent by JaredOfEuropa · · Score: 1

      This. On top of that, the Hilton execs waited 9 months before informing the public of the breach. Now that really merits some jail time for those responsible. Even if they "didn't know". That's what being responsible means.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    6. Re:Excellent by TheRaven64 · · Score: 1

      Not necessarily. The big problem is not the lack of jail time, it's the lack of any consequences. If companies start to pay such large fines, then that gives the shareholders a big incentive to make salary, bonuses, and share options contingent on avoiding such fines.

      --
      I am TheRaven on Soylent News
    7. Re:Excellent by Xest · · Score: 1

      There already is under the EU's existing Data Protection Directive, this doesn't change under GDPR, the problem is it's never enforced because regulators are scared of enforcing personal liability in case the person they're enforcing against is mates with the politician who hires and fires them.

      Even when the regulator did do this when one of the porn piracy parasite lawyers left a list of every person he was trying to blackmail for money on a public server meaning people were outed and such publicly through his incompetence the fine was something pathetic like £500 because otherwise there's a risk he'd lose his £800,000 house or whatever it was worth.

      The problem therefore isn't the law, it's lack of regulators with balls. It's a joke, the whole point is that people like that are supposed to suffer hardship as a result of their actions, if he loses his house then tough fucking shit, he knew what he was doing was wrong and did it anyway so should expect and accept the consequences.

    8. Re:Excellent by GameboyRMH · · Score: 1

      You can find ads from criminal enterprises looking to hire fall guys like this on Craigslist. The fall guy's job is just to sign some papers and handle mail...

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    9. Re:Excellent by jabuzz · · Score: 1

      Yeah problem is that won't work in most sane legal jurisdictions. Might make the prosecution harder, but it won't absolve you of legal responsibility.

    10. Re:Excellent by DNS-and-BIND · · Score: 1

      Wow, I haven't seen corporate criminals defended like that before. Good job, and the payment should arrive in your Paypal soon.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    11. Re:Excellent by eth1 · · Score: 3, Informative

      there needs to be criminal liability for senior management too.

      If we are going to start putting people in prison for incompetence, then we will need a lot more prisons.

      America already imprisons four times as many people as any other 1st world country. Perhaps we should stop looking at incarceration as the solution to every problem.

      In this case, it's not incompetence. I work in infosec at the engineer/architect level, and we NEVER have the resources to do things properly. It's expensive and time consuming, and profits are more important to senior management than security, plain and simple. Add to that the fact that everyone above our heads (including the CEO) complains loudly at even the slightest inconvenience in the name of security ("two-factor is too much trouble, turn it off!"), and it's hopeless without some kind of "incentives" that the higher-ups can understand.

    12. Re: Excellent by tomhath · · Score: 1

      Keep in mind that most of those convictions are plea bargains. The actual crimes are usually far more serious, but a repeat felon pleading guilty to even a minor crime will get jail time.

    13. Re: Excellent by mspohr · · Score: 1

      The plea bargain is usually used to avoid the cost of a trial. The DA charges the suspect with the maximum severity and type of infractions. The suspect (who may be innocent), pleads to a lesser charge to avoid the cost of a trial. (And most suspects don't have tens of thousands of dollars for a good lawyer)
      Win-win (except if you are innocent).

      --
      I don't read your sig. Why are you reading mine?
  2. No Bonus This Year! by Frosty+Piss · · Score: 1

    $700,000 is small change for a corporation as big as Hilton, but make no mistake, the guy or team that cost Hilton $700,000 felt the pain, when it filters down to the IT managers and what kind of money they represent to Hilton and what they cost, $700,000 error is big. No bonus for the IT team this year!

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:No Bonus This Year! by rtb61 · · Score: 1

      You know what is even worse, a percentage fine of turnover. Hilton now owns a data company that it pays to control it's data, the company operates at cost, turnover just barely enough to sustain the $2 company - HAH HAH SUCKERS.

      --
      Chaos - everything, everywhere, everywhen
    2. Re:No Bonus This Year! by JaredOfEuropa · · Score: 2

      Hilton can outsource its data processing, but they still own the data, and carry the responsibility that comes with it.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    3. Re:No Bonus This Year! by stephanruby · · Score: 1

      when it filters down to the IT managers and what kind of money they represent to Hilton and what they cost, $700,000 error is big.

      Hilton lost a lot more than $700,000 because of the breach. I'll bet you that the overall blow to their worldwide brand was much higher. After all, if you're going to hold a corporate event, hold a wedding, cheat on your spouse, have a furry convention, or travel the world, why would you risk using a Hilton hotel when there are so many other hotels to choose from.

      So their IT is responsible for losing a lot more than $700,000, but I'm not sure the delay of the notification to the public once discovered can be blamed on them too.

      Most likely, Public Relations, their general counsel, and the CEO chose to delay the disclosure of the breach to a time when no one else would be paying attention. And the reason the fine is $700,000 is due in big part to that 9+ month delay from the time of first discovery to the time of the disclosure, which just made the situation a lot more worse.

    4. Re:No Bonus This Year! by Cajun+Hell · · Score: 1

      The mission: outsource the owning/responsibility without outsourcing the actual revenue.

      There's gotta be a way. No way EU's law-drafters thought of everything. Hilton just needs some clever black hat lawyers.\

      --
      "Believe me!" -- Donald Trump
    5. Re:No Bonus This Year! by Tawnos · · Score: 1

      The GDPR makes such shenanigans difficult. In such a case, the data company would be a "processor", not a "controller", and that other company would still incur the fines.

  3. "up to" doesn't mean will be by ChoGGi · · Score: 2

    See Subject

    1. Re:"up to" doesn't mean will be by jopsen · · Score: 1

      bThat's true, and surely there will be distinction between various degrees of negligence, stupidity and bad luck.
      But keeping the intrusion under wraps for months on end will probably be considered fairly "calculated" and very deliberate, hence, the hammer would fall very hard.

      With any luck, we'll see more openness and more investments in security. For sure the new rules are going to mean 2FA everywhere.

    2. Re:"up to" doesn't mean will be by Cederic · · Score: 1

      Sadly in the UK the ICO seems reluctant to issue any fines, and seems to be suggesting that they'll never fully use the powers available to them.

      I'd like to see a couple of companies properly spanked, maximum fines and/or prevented from data processing, just to demonstrate that it's taken seriously. Don't think it's likely though, excluding small companies that nobody cares about and that can be reconstituted in a few days.

  4. UK by cloud.pt · · Score: 1

    Well, if companies just decide to put data on UK servers and have UK HQs, and I am predicting a brexit that will allow most companies there to do business with the rest of Europe but still not abide to the EU court, I can already imagine the loopholes most companies are gonna abuse for simply ignoring that problem. Then again, I am hoping my elected representatives in the EU parliament won't be that fool.

    1. Re:UK by Anonymous Coward · · Score: 1

      This is one of the key loopholes the GDPR is designed to address. It also applies to companies outside the EU that are collecting data about people in the EU, or selling goods and services to people in the EU.

    2. Re:UK by Anonymous Coward · · Score: 1

      In addition to the other response you got, UK is also going on the GDPR bandwagon. Not only they are *still* in the EU (and will be when it comes to effect), but they will keep the legislation.

    3. Re: UK by Anonymous Coward · · Score: 1

      Not it wonâ(TM)t. the data owner wonâ(TM)t change and is liable for its 3rd parties.

  5. 4%?? I wish I could do crime at that price! by Anonymous Coward · · Score: 3, Informative

    Imagine if you and I could do crimes like corporations.

    Rule 1: You NEVER go to prison. Period. Shutting down a company? Unthinkable!
    Rule 2: You, at worst, pay fines, that are relative to your yearly income!
    Rule 3: The files will be limited to silly meaningless amounts like 4%. So, what, like $1600-3200? Not the usual fines that easily swallow more than the average person makes in a year, up to many millions.

    Yeah. How much does a company get for murder?
    Well, let's use Microsoft as an example.
    What do you get for regularly having sex with people, injecting your pathogen into them, eating them out from the inside, and impersonating them, by wearing their skins?
    Well, the "fine" of being allowed to ejaculate crack "licenses" over schoolchildren of a school, that cost you absolutely zero to produce, but hooks more children to your crack.

    Yeah, if corporations were actually people ... SAW and The Devil's Rejects would be what happens everywhere, every day, all day.

  6. Slashdot percentages are always off by 10000% by DavenH · · Score: 1

    %.00006 of $11.2B is $7,000.

    1. Re:Slashdot percentages are always off by 10000% by ShanghaiBill · · Score: 1

      %.00006 of $11.2B is $7,000.

      The $11.2B is revenue, not profit. Their profit last year was $309M, or less than 3% of revenue.

    2. Re:Slashdot percentages are always off by 10000% by msauve · · Score: 1
      Congratulations, you achieved a new low, you didn't even bother to read the summary, which incorrectly claimed

      ...revenues of $11.2 billion in 2015, the year of the breach. That means the $700,000 fine was just %.00006 of Hilton's annual revenue...

      The GP is correct - the writer was wrong by a factor of 10000%.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
  7. Fines won't be that large by CanadianMacFan · · Score: 3, Informative

    Every country has their own instance of the company. So in this case there will be a Hilton that owns Hilton USA, Hilton UK, Hilton Canada, etc. The data breach took place in the UK so the maximum fine would be based on revenue of the previous fiscal year of Hilton UK, not Hilton (Worldwide). Unless they propose on fining companies that aren't responsible for the data breach.

    And if they do decide to go after the global entities then all they will do is create separate companies to handle all of the customer data processing that are paid just enough to keep things running. Then Hilton will say the data breach will the fault of Hilton Customer Data Processing Company and the fine will be minimal.

    I'm not saying how these companies have acted is right. I think that there should be jail time involved for the CxOs instead of large fines for their inept handling of customer data (and especially those that brought about the global financial crisis).

    1. Re:Fines won't be that large by Anonymous Coward · · Score: 1

      Actually, no. GDPR clearly states the 4% is calculated for the worldwide turnover of the group or parent company. It was designed to avoid that kind of loophole.

    2. Re:Fines won't be that large by John.Banister · · Score: 1

      Since it's an EU rule, it perhaps it would just only be the combined revenue of operations in countries who are members of the EU. If Hilton wants to isolate financial harm done by a separate data processing company, they'd likely want to be certain that they own less than 50% of it. Otherwise, it isn't separate.

    3. Re:Fines won't be that large by ShanghaiBill · · Score: 1

      Actually, no. GDPR clearly states the 4% is calculated for the worldwide turnover

      That is NOT clear, since "turnover" is not an accounting or legal term, and is ambiguous. Depending on context "turnover" can mean gross revenue, net revenue, net income, or even include consignments that are neither revenue nor income. I doubt very much that the actual law will use that word.

    4. Re:Fines won't be that large by chicksdaddy · · Score: 1

      Every country has their own instance of the company. So in this case there will be a Hilton that owns Hilton USA, Hilton UK, Hilton Canada, etc. The data breach took place in the UK so the maximum fine would be based on revenue of the previous fiscal year of Hilton UK, not Hilton (Worldwide). Unless they propose on fining companies that aren't responsible for the data breach.

      And if they do decide to go after the global entities then all they will do is create separate companies to handle all of the customer data processing that are paid just enough to keep things running. Then Hilton will say the data breach will the fault of Hilton Customer Data Processing Company and the fine will be minimal.

      I'm not saying how these companies have acted is right. I think that there should be jail time involved for the CxOs instead of large fines for their inept handling of customer data (and especially those that brought about the global financial crisis).

      That could be - though we presume that the UK IT asset that was breached belonged to a separate corporate entity from Hilton itself - a big assumption. Also, there were actually two breaches in 2015, only one in the UK. The other was in the US. The question is: does it matter how many of the 350,000 affected were EU citizens or is even one victim enough to bring a fine - let alone the maximum fine?

    5. Re:Fines won't be that large by Cederic · · Score: 1

      Nope. "20 million Euros or 4% of the undertakingâ(TM)s total annual worldwide turnover in the preceding financial year, whichever is higher"

      -- https://publications.parliamen...

      Although interestingly that wording doesn't explore complex corporate structures, and 'undertaking' doesn't look like it's defined anywhere. Although if it was it probably wouldn't help, I read the definition of 'controller' and couldn't make any fucking sense of it at all. Bloody legalese.

    6. Re:Fines won't be that large by tehcyder · · Score: 3, Informative

      "turnover" is not an accounting or legal term

      It is/was here in the UK.

      and is ambiguous

      No, here in the UK it is the old term for the first line on the Profit and Loss account, which is now called "Revenue". It wouldn't be used to mean anything else.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  8. "can be" isn't "will be" by RhettLivingston · · Score: 1

    I don't see a link to the law in the article so I have to assume its language is correct. "can" isn't "will". I doubt we'll ever see a company hit with a 4% fine.

    Also, since NY settled, I'd guess they didn't take as much as they might have either. I see no indication in the article as to what they could have gotten.

    1. Re:"can be" isn't "will be" by coofercat · · Score: 1

      I'm actually far more sure that someone will get hit with a 4% fine - and probably relatively soon (like 2-3 years, maybe). Partly because they want to make an example, but also because there'll be a fairly big company somewhere that just isn't well enough prepared and will be in breach on day one. It'll probably be a foreign owned company, who (like many people here, it seems) mistakenly believe it doesn't really apply to them. They'll do some half-arsed job of implementing the required procedures, data will be lost and the authorities will come knocking.

      I'd imagine in the first instance, so long as you disclose reasonably quickly, even though you're technically in breach, they'll work with you to try to get you to improve. If after 6 months or something you're not showing enough progress or you're not co-operating, then you'll get fined (maybe not the 4% just yet). If you get breached again, then expect the 4% fine right away with very little discussion though.

  9. It is publicly owned, less 100, doesn't own the ho by raymorris · · Score: 1

    > After 100 years. In a similar fashion businesses that are a 100 years old should also become public domain. That means the Hilton Hotel is now a public domain business.

    Uhm, Hilton is less than 100 years old.

    It is, however, publicly owned
    https://finance.yahoo.com/quot...

    > So feel free to book a free Hilton hotel room for yourself, friends and family.

    You realize most hotels with a Hilton sign aren't owned by Hilton, right? Individual hotel owners pay the brands a monthly fee to use the sign and get booking referrals from hilton.com

  10. That's precisely what any smart person would do by raymorris · · Score: 2

    >. get a Job like the rest of us.

    That's precisely what any intelligent person would do if any mistakes by any of the thousands of employees at the company could cause the executives to go to prison. Only stupid or extremely ignorant people would accept an executive title. A company could either hire morons to actually run the company, meaning your job and your 401k would soon be gone, or have a string of puppets, where the moron who holds the title of CEO is controlled by people whose involvement is well hidden. The really stupid and desperate person, probably a crack head who had recently been homeless, would have the title "CEO". A crooked and easily influenced person, called the DWS, would relay orders to them from the person actually in control.

    1. Re:That's precisely what any smart person would do by Cederic · · Score: 2

      That's not the case - as an example, the UK executives at financial services organisations have criminal liability for the behaviour of their companies and can be prosecuted for failing to obey the law.

      When CRAs came under the FCA I do know two people that chose to move to an unregulated business; their colleagues generally celebrated, as the FCA merely expect you to run a business properly with some semblance of ethics.

      However, there were a substantial number of other people that said, "Yeah, I'm now facing prison if we cock up. That's fine, I can do my job" and got on with it. Indeed, the UK has one of the strongest financial services sectors on the planet so there is clearly no shortage of people willing to work under that particular constraint.

  11. Re:Why a percentage of turnover, rather than profi by Anonymous Coward · · Score: 1

    I may be completely wrong, but it seems to me a company has to be fined in proportion to its profits, not its turnover.

    While it can be really hard to maximize profits for some businesses, it's extremely easy for every business to reduce profits. If the fine was tied to profits, all a bad-faith corporation would have to do is to ensure it posted low/zero/negative profits in a year when a breach occurred to minimize its penalty. Recall that it's the business reporting the breach in the first place, so timing a loss quarter with a breach could also be quite easy.

    The point of a fine is to ensure the business performs all due diligence to avoid the issue. If the amount is 0.006% of revenue like the Hilton fine, it's easily swept under the rug as a cost of doing business. If it presents a real threat to the business, there's actually a chance the fine might be taken seriously and affect the change it is intended to. It's good that a business could go under as the result of running afoul of the law.

  12. Headline doesn't match reality by Pimpy · · Score: 1

    The key part of the fine provision (Article 83) is that there is an opportunity to fine €20 million (reduced from €100 million in earlier drafts) or 4% of global annual turnover (whichever is higher), for Tier 2 violations (e.g. violations of data subject rights), while this is halved for Tier 1 violations (breach of data controller/processor obligations). Given that the organisation was hacked and data leaked, they are perhaps at most guilty of negligence in their obligations as data controllers, which would imply a Tier 1-style fine. Similarly, provided they took adequate provisions to meet their obligations as data controllers, it's difficult to imagine that the higher end of the fine would be sought, either (as opposed to a more willful violation, as per Equifax). The fine would still be likely to be higher than the $700k outlined, but would never approach anything near the fantastical $420 million suggested.

    1. Re:Headline doesn't match reality by LowTechSwede · · Score: 1

      One thing they didn't do was disclose in a timely manner. This is a breach of paragraph 38, which is a 2% administrative fine. I agree, it's not likely they would see $420 Million, but willfully not disclosing for 9 months would likely qualify them for a very significant fine.

    2. Re:Headline doesn't match reality by Cederic · · Score: 1

      Thank you both - informed and interesting contribution, and helped me understand it all a little better too.

      Complex nasty legislation. Going to be fun in May :)

  13. Re:Fines are limited to 20M Euro by LowTechSwede · · Score: 1

    You are wrong. 20 M Euro is not a ceiling, it's a floor. A lot of other arm-chair advocates here are also wrong. This legislation, as written, has quite a bit of teeth in it and is extremely hostile to big business. Outsourcing only works if you do your due diligence very thoroughly and then there shouldn't be a breach, should there. It will be very interesting to see some of the pilot cases come through the legal system over the next two years. I assume Google, Microsoft Apple and Amazon will all be targeted early on. The site below has a lot of information. http://www.eugdpr.org/key-chan... ” Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.”

  14. Re:No more EU business by Cederic · · Score: 1

    Shrug. So Hilton shut down and we all use one of the other 99.97% of hotels available.

    No loss.

  15. Re:Fines are limited to 20M Euro by Cederic · · Score: 1

    Fines can be up to 4% of annual turnover, but if your turnover is less than 800m then your fine can be up to 20m anyway. Yes, it's possible to receive a fine that's four times your annual turnover if you're a small business.

    Those are explicitly stated though as the maximum fines. The legislation does allow for lower fines and in the UK the ICO has indicated that they'd prefer to avoid fines where possible and impose substantially smaller fines where needed.

  16. Re:Why a percentage of turnover, rather than profi by tehcyder · · Score: 1

    I may be completely wrong, but it seems to me a company has to be fined in proportion to its profits, not its turnover.

    Profit is manipulable, turnover far less so without actual fraud.

    --
    To have a right to do a thing is not at all the same as to be right in doing it
  17. Re: Fines are limited to 20M Euro by guruevi · · Score: 1

    So this regulation is hostile to small business while it wonâ(TM)t affect big business. Great, exactly what we need.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  18. Re:No more EU business by JonnyCalcutta · · Score: 1

    More than that, all the hotels would be open the next day under new ownership so there would be zero loss of anything.

    To be honest, I'm not ever sure that Hilton could shut down as its really just a franchise. The hotels are not generally owned by Hilton, who are simply paid a franchise fee for the brand and booking systems. Shutting down 'Hilton' in the EU would just lead to multiple lawsuits from the franchisees for breach of contract.

  19. Re:No more EU business by Hognoxious · · Score: 1

    Shutting down 'Hilton' in the EU would just lead to multiple lawsuits from the franchisees for breach of contract.

    Against whom, and for what?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  20. Re:Fines: another fraudulent government tax by InvalidsYnc · · Score: 1

    Was thinking this myself.

    It's all nice and good that someone wants to give companies the [additional] impetus they need to "do the right thing" and shore up their data security, but being greedy bastards along the way (talking about the government greedy bastards this time) without any information as to how that money would be spent, that's just wrong.

    If a government is going to fine a company for their data breach so heavily, shouldn't they be making themselves responsible for helping the consumers that were injured in that breach using the windfall they just made for themselves with the fine?

    But, knowing the way things work, they will not only fine the company, but also require the company to provide identity theft remediation for those affected, effectively a double hit for the offending company.

    So many different thoughts on this... I can see it from too many directions. As a consumer, if my data gets stolen, I would want to be sure that I was somehow taken care of. But if the government levies a fine that is so egregious as to prevent that company from having sufficient funds to even be able to take care of the consumers that have had their personal data compromised, where is the benefit in that?

  21. Re:Excessive? by InvalidsYnc · · Score: 1

    Again the issue is WHO benefits from the fine? If it's not the consumer, but some greedy government body, then perhaps the consumers should sue the government for their share of the fines.

  22. Re:No more EU business by JonnyCalcutta · · Score: 1

    Against Hilton Worldwide Holdings, Inc for breach of the franchise contract. I imagine they have contractual obligations to supply services to franchisees (bookings, etc) and franchisees have a license to use the name and business processes.

    They don't own the hotels - they license the name and business model/services. Its a franchise - http://www.franchisedirect.com.... To shut down they would have to have the agreement of all the businesses that have a franchise. Why would a local business with a Hilton Hotel in Little Uppington agree to destroy their business because of some dispute between Hilton Worldwide Holdings, Inc and the EU?

  23. Re:No more EU business by Hognoxious · · Score: 1

    Good luck suing a US company from outside. You wouldn't stand a cat in hells chance of collecting even if you won.

    And if the contract is with a local subsidiary, good luck suing a business when it doesn't exist any more.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  24. Re:No more EU business by JonnyCalcutta · · Score: 1

    You're talking like its Jimmy's Breaks and Shocks and his 3 franchisees in Belize. Many of these franchisees are also multi-national companies, with hotels across the world. You'd need to be some crazy ass cowboy executive to give away all your European assets, trademarks and current and future income as well as your goodwill across the world (how are your other franchisees going to feel about you simply abandoning your European franchisees out of spite). And you would still owe the fine, still have to go through the lawsuits (no matter how sure you are they'd win), face diplomatic pressure and have to explain it to the shareholders.

    And the EU hotels would now have free reign to use the Hilton name without any need to pay.

  25. Re:Excessive? by Jerry+Atrick · · Score: 1

    All consumers benefit when companies start taking security seriously. This is a deterrent, not a tax. If companies just pay up then it's not working and something more onerous will be created.

  26. Fake News by thsths · · Score: 1

    It could be 420 Million, but I very much doubt it would be. So the subject is incorrect.

  27. CRA is how related to this how? by raymorris · · Score: 1

    I'm looking over the CRA/FCA handbook and I don't immediately see anything relevant to this discussion. Perhaps you can point out what you're talking about?
    https://www.handbook.fca.org.u...

    I see if a company criminally defrauds the government, the people involved in perpetrating that crime can (of course) be held criminally liable.

    I don't see anything about "all the executives go to prison if a sysadmin doesn't a do a good job patching or a server, or any other security mistake". Can you help me find that?

    1. Re:CRA is how related to this how? by Cederic · · Score: 1

      Ok, that's tricky to source. Best I can find with a quick hunt is this:
      https://www.fca.org.uk/news/sp...

      It's light on the measures available, but clearly demonstrates the FCA's expectations around individual accountability and their ability to intervene.

  28. Which is precisely what franchising gives consumer by raymorris · · Score: 1

    > If I am booking Hilton I expect to be staying at Hilton

    Which is precisely the benefit of franchising.

    With franchising, when you travel to a new city you'll see these options in hotels and food:
    Hilton
    Super 8
    McDonald's
    Wendy's

    Though you've never been to that city before, you can make a reasonable choice because you know what to expect from a Hilton, from a Super 8, and from a McDonald's.

    Without franchising, when you visited a new city you'd see these choices:
    Bob's Hotel
    Hotel Mary
    Frank's Burgers
    Jeff's burgers

    Which hotel is better? Which burger place will also have baked potatoes? No telling.

    The franchise system means you, the consumer, can know more or less what you're going to get, by looking at the sign, though you've never been to that person's restaurant or hotel before. You know a McDonald's, any McDonald's, is going to offer certain menu choices, at a certain level of quality. You know what to expect from any hotel with a "Hilton" sign, without needing to know what particular owner ahead of time.

     

  29. Thank you for that. Quoting that source ... by raymorris · · Score: 1

    Thank you for that link. I see the first half of the speech discusses the age-old problem of determining who is responsible, the specific people who did the crime vs the company they work for. That is, of course, fact-dependent, but the question posed is "is the human person who actually, physically did the crime responsible, or the company" - there is no mention of "all the executives who work at the company" being imprisoned. That idea is found only on Slashdot, not in any law anywhere in the world (because it's a stupid idea).

    The paper/speech then goes on to discuss the new UK law and the regulator is careful to clearly point out to facts, to avoid any confusion:
    ----
            First, the duty of responsibility does not create a
            separate and independent basis for senior
          management liability. ...
          Secondly, a senior manager is not liable just because
          the firm has breached a requirement
    -----

    He's careful to point out it does NOT create a new liability and does NOT make an executive liable every time an employee, or the organization as a whole, commits a criminal act.

    He explains:
    -----
    In enforcing this duty, the FCA must establish:
    first that the firm committed a relevant contravention of our requirements;
    secondly that the defendant was the senior person responsible for the activities in question, and
    thirdly the defendant failed to take such reasonable steps to avoid or prevent the firm from contravening.
    -----

    So it applies to specific criminal violations of Financial Conduct Authority requirements, not just any random screw up, so the appropriate senior managers can know exactly what they are responsible for.

    Secondly, the requirements are divided up among specific senior manager roles, so again one specific executive, such as the CFO, has a list of the specific compliance items he is expected to make an effort on.

    Thirdly, he's required to make a reasonable effort, no more or less. If an employee, or several employees, don't follow the law despite his reasonable effort to formulate appropriate policy, he's not liable.

    So each person in an executive management role has their list of things for which they must make a reasonable effort toward compliance. That's quite different from:

    > if any mistakes by any of the thousands of employees at the company could cause the executives to go to prison

  30. Re: It is publicly owned, less 100, doesn't own th by SusanLaForce · · Score: 1

    Umm Hilton is 100 years old and that whole idea is stupid. If I own a house thatâ(TM)s been in my family 99 years does that mean next year I have to give it to the public? What about a ring? Should I sell it and make sure my neighbors split the profit? What if my house is used to house antiques from my family and I charge an entry fee? Next year itâ(TM)s not mine but yours? Itâ(TM)s my familyâ(TM)s house and antiques. Iâ(TM)m just the lucky one to have it the 100 mark. How about you start something big to pass down to your own. Socialism at its finest. BTW I am just a plain Jane Joe shmo like you. Believe in working for what I have. But if I had anything from my ancestors I believe it should be mine.