Hilton Paid a $700K Fine For 2015 Breach; Under GDPR, It Would Be $420 Million (digitalguardian.com) 110
chicksdaddy writes from a report via Digital Guardian: If you want to understand the ground shaking change that the EU's General Data Protection Rule (GDPR) will have when it comes into force in May of 2018, look no further than hotel giant Hilton Domestic Operating Company, Inc., formerly known as Hilton Worldwide, Inc (a.k.a. "Hilton."). On Tuesday, the New York Attorney General Eric T. Schneiderman slapped a $700,000 fine on the hotel giant for two 2015 incidents in which the company was hacked, spilling credit card and other information for 350,000 customers. Schneiderman also punished Hilton for its response to the incident. The company first learned in February 2015 that its customer data had been exposed through a UK-based system belonging to the company, which was observed by a contractor communicating with "a suspicious computer outside Hilton's computer network." Still, it took Hilton until November 24, 2015 -- over nine months after the first intrusion was discovered -- to notify the public. That kind of lackluster response has become pretty typical among Fortune 500 companies (see also: Equifax). And why not? The $700,000 fine from the NY AG is a palatable $2 per lost record -- and a mere rounding error for Hilton, which reported revenues of $11.2 billion in 2015, the year of the breach. That means the $700,000 fine was just %.00006 of Hilton's annual revenue in the year of the breach. Schneiderman's fine was less "bringing down the hammer" than a butterfly kiss for Hilton's C-suite, board and shareholders.
But things are going to be different for Hilton and other companies like it come May 2018 when provisions of the EU's General Data Protection Rule (or GDPR) go into effect, as Digital Guardian points out on their blog. Under that new law, data "controllers" like Hilton (in other words: organizations that collect data on customers or employees) can be fined up to 4% of annual turnover in the year preceding the incident for failing to meet the law's charge to protect that data. What does that mean practically for a company like Hilton? Well, the company's FY 2014 revenue (or "turnover") was $10.5 billion. Four percent of that is a cool $420 million dollars -- or $1,200, rather than $2, for every customer record lost. Needless to say, that's a number that will get the attention of the company's Board of Directors and shareholders.
But things are going to be different for Hilton and other companies like it come May 2018 when provisions of the EU's General Data Protection Rule (or GDPR) go into effect, as Digital Guardian points out on their blog. Under that new law, data "controllers" like Hilton (in other words: organizations that collect data on customers or employees) can be fined up to 4% of annual turnover in the year preceding the incident for failing to meet the law's charge to protect that data. What does that mean practically for a company like Hilton? Well, the company's FY 2014 revenue (or "turnover") was $10.5 billion. Four percent of that is a cool $420 million dollars -- or $1,200, rather than $2, for every customer record lost. Needless to say, that's a number that will get the attention of the company's Board of Directors and shareholders.
Excellent (Score:5, Insightful)
Re:Excellent (Score:5, Insightful)
there needs to be criminal liability for senior management too.
If we are going to start putting people in prison for incompetence, then we will need a lot more prisons.
America already imprisons four times as many people as any other 1st world country. Perhaps we should stop looking at incarceration as the solution to every problem.
Re: Excellent (Score:5, Informative)
How many are incarcerated for petty drug crimes?
In America, about 20% are incarcerated for non-violent drug offenses.
Re: (Score:2)
Re: (Score:2)
The plea bargain is usually used to avoid the cost of a trial. The DA charges the suspect with the maximum severity and type of infractions. The suspect (who may be innocent), pleads to a lesser charge to avoid the cost of a trial. (And most suspects don't have tens of thousands of dollars for a good lawyer)
Win-win (except if you are innocent).
Re: (Score:3, Insightful)
It's not incompetence -- that's just the veneer of plausible deniability. This is willful negligence, and there's a difference. Incompetence is when giving your best effort isn't good enough. These criminals have a willful disinterest in protecting anything that doesn't belong to them.
To give you an rough analogy: incompetence is when the bank builds a standard vault, but criminals find a way to break in anyhow. Criminal negligence is when your bank puts its depositors' cash and valuables in a chicken-w
Re: (Score:2)
Re: (Score:2)
Re:Excellent (Score:4, Informative)
there needs to be criminal liability for senior management too.
If we are going to start putting people in prison for incompetence, then we will need a lot more prisons.
America already imprisons four times as many people as any other 1st world country. Perhaps we should stop looking at incarceration as the solution to every problem.
In this case, it's not incompetence. I work in infosec at the engineer/architect level, and we NEVER have the resources to do things properly. It's expensive and time consuming, and profits are more important to senior management than security, plain and simple. Add to that the fact that everyone above our heads (including the CEO) complains loudly at even the slightest inconvenience in the name of security ("two-factor is too much trouble, turn it off!"), and it's hopeless without some kind of "incentives" that the higher-ups can understand.
That's precisely what any smart person would do (Score:3)
>. get a Job like the rest of us.
That's precisely what any intelligent person would do if any mistakes by any of the thousands of employees at the company could cause the executives to go to prison. Only stupid or extremely ignorant people would accept an executive title. A company could either hire morons to actually run the company, meaning your job and your 401k would soon be gone, or have a string of puppets, where the moron who holds the title of CEO is controlled by people whose involvement is we
Re: (Score:3)
That's not the case - as an example, the UK executives at financial services organisations have criminal liability for the behaviour of their companies and can be prosecuted for failing to obey the law.
When CRAs came under the FCA I do know two people that chose to move to an unregulated business; their colleagues generally celebrated, as the FCA merely expect you to run a business properly with some semblance of ethics.
However, there were a substantial number of other people that said, "Yeah, I'm now faci
CRA is how related to this how? (Score:2)
I'm looking over the CRA/FCA handbook and I don't immediately see anything relevant to this discussion. Perhaps you can point out what you're talking about?
https://www.handbook.fca.org.u... [fca.org.uk]
I see if a company criminally defrauds the government, the people involved in perpetrating that crime can (of course) be held criminally liable.
I don't see anything about "all the executives go to prison if a sysadmin doesn't a do a good job patching or a server, or any other security mistake". Can you help me find that
Re: (Score:2)
Ok, that's tricky to source. Best I can find with a quick hunt is this:
https://www.fca.org.uk/news/sp... [fca.org.uk]
It's light on the measures available, but clearly demonstrates the FCA's expectations around individual accountability and their ability to intervene.
Thank you for that. Quoting that source ... (Score:2)
Thank you for that link. I see the first half of the speech discusses the age-old problem of determining who is responsible, the specific people who did the crime vs the company they work for. That is, of course, fact-dependent, but the question posed is "is the human person who actually, physically did the crime responsible, or the company" - there is no mention of "all the executives who work at the company" being imprisoned. That idea is found only on Slashdot, not in any law anywhere in the world (bec
Re: (Score:2, Insightful)
Step 1: Find poor guy with little means (likely to end up in prison anyway)
Step 2: Offer him a role as CxO for $250,000
Step 3: Control everything as before, except now with the title of "Puppet master"
Step 4: Not go to prison when things go wrong.
I bet there are thousands of people willing to sit in a chair for $250,000 a year in return for the possibility of going to prison.
Re: (Score:2)
You can find ads from criminal enterprises looking to hire fall guys like this on Craigslist. The fall guy's job is just to sign some papers and handle mail...
Re: (Score:2)
Yeah problem is that won't work in most sane legal jurisdictions. Might make the prosecution harder, but it won't absolve you of legal responsibility.
Re: (Score:2)
Re: (Score:2)
There already is under the EU's existing Data Protection Directive, this doesn't change under GDPR, the problem is it's never enforced because regulators are scared of enforcing personal liability in case the person they're enforcing against is mates with the politician who hires and fires them.
Even when the regulator did do this when one of the porn piracy parasite lawyers left a list of every person he was trying to blackmail for money on a public server meaning people were outed and such publicly through
No Bonus This Year! (Score:2)
$700,000 is small change for a corporation as big as Hilton, but make no mistake, the guy or team that cost Hilton $700,000 felt the pain, when it filters down to the IT managers and what kind of money they represent to Hilton and what they cost, $700,000 error is big. No bonus for the IT team this year!
Re: (Score:2)
You know what is even worse, a percentage fine of turnover. Hilton now owns a data company that it pays to control it's data, the company operates at cost, turnover just barely enough to sustain the $2 company - HAH HAH SUCKERS.
Re: (Score:3)
Re: (Score:2)
The mission: outsource the owning/responsibility without outsourcing the actual revenue.
There's gotta be a way. No way EU's law-drafters thought of everything. Hilton just needs some clever black hat lawyers.\
Re: (Score:2)
The GDPR makes such shenanigans difficult. In such a case, the data company would be a "processor", not a "controller", and that other company would still incur the fines.
Re: (Score:2)
when it filters down to the IT managers and what kind of money they represent to Hilton and what they cost, $700,000 error is big.
Hilton lost a lot more than $700,000 because of the breach. I'll bet you that the overall blow to their worldwide brand was much higher. After all, if you're going to hold a corporate event, hold a wedding, cheat on your spouse, have a furry convention, or travel the world, why would you risk using a Hilton hotel when there are so many other hotels to choose from.
So their IT is responsible for losing a lot more than $700,000, but I'm not sure the delay of the notification to the public once discovered can b
"up to" doesn't mean will be (Score:3)
See Subject
Re: (Score:2)
But keeping the intrusion under wraps for months on end will probably be considered fairly "calculated" and very deliberate, hence, the hammer would fall very hard.
With any luck, we'll see more openness and more investments in security. For sure the new rules are going to mean 2FA everywhere.
Re: (Score:2)
Sadly in the UK the ICO seems reluctant to issue any fines, and seems to be suggesting that they'll never fully use the powers available to them.
I'd like to see a couple of companies properly spanked, maximum fines and/or prevented from data processing, just to demonstrate that it's taken seriously. Don't think it's likely though, excluding small companies that nobody cares about and that can be reconstituted in a few days.
It is publicly owned, less 100, doesn't own the ho (Score:2)
> After 100 years. In a similar fashion businesses that are a 100 years old should also become public domain. That means the Hilton Hotel is now a public domain business.
Uhm, Hilton is less than 100 years old.
It is, however, publicly owned
https://finance.yahoo.com/quot... [yahoo.com]
> So feel free to book a free Hilton hotel room for yourself, friends and family.
You realize most hotels with a Hilton sign aren't owned by Hilton, right? Individual hotel owners pay the brands a monthly fee to use the sign and get
Which is precisely what franchising gives consumer (Score:2)
> If I am booking Hilton I expect to be staying at Hilton
Which is precisely the benefit of franchising.
With franchising, when you travel to a new city you'll see these options in hotels and food:
Hilton
Super 8
McDonald's
Wendy's
Though you've never been to that city before, you can make a reasonable choice because you know what to expect from a Hilton, from a Super 8, and from a McDonald's.
Without franchising, when you visited a new city you'd see these choices:
Bob's Hotel
Hotel Mary
Frank's Burgers
Jeff's burg
Re: It is publicly owned, less 100, doesn't own th (Score:1)
UK (Score:2)
Well, if companies just decide to put data on UK servers and have UK HQs, and I am predicting a brexit that will allow most companies there to do business with the rest of Europe but still not abide to the EU court, I can already imagine the loopholes most companies are gonna abuse for simply ignoring that problem. Then again, I am hoping my elected representatives in the EU parliament won't be that fool.
Re: (Score:1)
This is one of the key loopholes the GDPR is designed to address. It also applies to companies outside the EU that are collecting data about people in the EU, or selling goods and services to people in the EU.
Re: UK (Score:1)
Not it wonâ(TM)t. the data owner wonâ(TM)t change and is liable for its 3rd parties.
Re: (Score:1)
In addition to the other response you got, UK is also going on the GDPR bandwagon. Not only they are *still* in the EU (and will be when it comes to effect), but they will keep the legislation.
4%?? I wish I could do crime at that price! (Score:3, Informative)
Imagine if you and I could do crimes like corporations.
Rule 1: You NEVER go to prison. Period. Shutting down a company? Unthinkable!
Rule 2: You, at worst, pay fines, that are relative to your yearly income!
Rule 3: The files will be limited to silly meaningless amounts like 4%. So, what, like $1600-3200? Not the usual fines that easily swallow more than the average person makes in a year, up to many millions.
Yeah. How much does a company get for murder?
Well, let's use Microsoft as an example.
What do you get for regularly having sex with people, injecting your pathogen into them, eating them out from the inside, and impersonating them, by wearing their skins?
Well, the "fine" of being allowed to ejaculate crack "licenses" over schoolchildren of a school, that cost you absolutely zero to produce, but hooks more children to your crack.
Yeah, if corporations were actually people ... SAW and The Devil's Rejects would be what happens everywhere, every day, all day.
Slashdot percentages are always off by 10000% (Score:1)
Re: (Score:2)
%.00006 of $11.2B is $7,000.
The $11.2B is revenue, not profit. Their profit last year was $309M, or less than 3% of revenue.
Re: (Score:2)
The GP is correct - the writer was wrong by a factor of 10000%.
Fines won't be that large (Score:4, Informative)
Every country has their own instance of the company. So in this case there will be a Hilton that owns Hilton USA, Hilton UK, Hilton Canada, etc. The data breach took place in the UK so the maximum fine would be based on revenue of the previous fiscal year of Hilton UK, not Hilton (Worldwide). Unless they propose on fining companies that aren't responsible for the data breach.
And if they do decide to go after the global entities then all they will do is create separate companies to handle all of the customer data processing that are paid just enough to keep things running. Then Hilton will say the data breach will the fault of Hilton Customer Data Processing Company and the fine will be minimal.
I'm not saying how these companies have acted is right. I think that there should be jail time involved for the CxOs instead of large fines for their inept handling of customer data (and especially those that brought about the global financial crisis).
Re: (Score:1)
Actually, no. GDPR clearly states the 4% is calculated for the worldwide turnover of the group or parent company. It was designed to avoid that kind of loophole.
Re: (Score:2)
Actually, no. GDPR clearly states the 4% is calculated for the worldwide turnover
That is NOT clear, since "turnover" is not an accounting or legal term, and is ambiguous. Depending on context "turnover" can mean gross revenue, net revenue, net income, or even include consignments that are neither revenue nor income. I doubt very much that the actual law will use that word.
Re:Fines won't be that large (Score:4, Informative)
"turnover" is not an accounting or legal term
It is/was here in the UK.
and is ambiguous
No, here in the UK it is the old term for the first line on the Profit and Loss account, which is now called "Revenue". It wouldn't be used to mean anything else.
Re: (Score:2)
Re: (Score:2)
Nope. "20 million Euros or 4% of the undertakingâ(TM)s total annual worldwide turnover in the preceding financial year, whichever is higher"
-- https://publications.parliamen... [parliament.uk]
Although interestingly that wording doesn't explore complex corporate structures, and 'undertaking' doesn't look like it's defined anywhere. Although if it was it probably wouldn't help, I read the definition of 'controller' and couldn't make any fucking sense of it at all. Bloody legalese.
Re: (Score:2)
Every country has their own instance of the company. So in this case there will be a Hilton that owns Hilton USA, Hilton UK, Hilton Canada, etc. The data breach took place in the UK so the maximum fine would be based on revenue of the previous fiscal year of Hilton UK, not Hilton (Worldwide). Unless they propose on fining companies that aren't responsible for the data breach.
And if they do decide to go after the global entities then all they will do is create separate companies to handle all of the customer data processing that are paid just enough to keep things running. Then Hilton will say the data breach will the fault of Hilton Customer Data Processing Company and the fine will be minimal.
I'm not saying how these companies have acted is right. I think that there should be jail time involved for the CxOs instead of large fines for their inept handling of customer data (and especially those that brought about the global financial crisis).
That could be - though we presume that the UK IT asset that was breached belonged to a separate corporate entity from Hilton itself - a big assumption. Also, there were actually two breaches in 2015, only one in the UK. The other was in the US. The question is: does it matter how many of the 350,000 affected were EU citizens or is even one victim enough to bring a fine - let alone the maximum fine?
Re: (Score:1)
I may be completely wrong, but it seems to me a company has to be fined in proportion to its profits, not its turnover.
While it can be really hard to maximize profits for some businesses, it's extremely easy for every business to reduce profits. If the fine was tied to profits, all a bad-faith corporation would have to do is to ensure it posted low/zero/negative profits in a year when a breach occurred to minimize its penalty. Recall that it's the business reporting the breach in the first place, so timing a loss quarter with a breach could also be quite easy.
The point of a fine is to ensure the business performs all due
Re: (Score:2)
I may be completely wrong, but it seems to me a company has to be fined in proportion to its profits, not its turnover.
Profit is manipulable, turnover far less so without actual fraud.
"can be" isn't "will be" (Score:2)
I don't see a link to the law in the article so I have to assume its language is correct. "can" isn't "will". I doubt we'll ever see a company hit with a 4% fine.
Also, since NY settled, I'd guess they didn't take as much as they might have either. I see no indication in the article as to what they could have gotten.
Re: (Score:2)
I'm actually far more sure that someone will get hit with a 4% fine - and probably relatively soon (like 2-3 years, maybe). Partly because they want to make an example, but also because there'll be a fairly big company somewhere that just isn't well enough prepared and will be in breach on day one. It'll probably be a foreign owned company, who (like many people here, it seems) mistakenly believe it doesn't really apply to them. They'll do some half-arsed job of implementing the required procedures, data wi
Re: (Score:1)
Was thinking this myself.
It's all nice and good that someone wants to give companies the [additional] impetus they need to "do the right thing" and shore up their data security, but being greedy bastards along the way (talking about the government greedy bastards this time) without any information as to how that money would be spent, that's just wrong.
If a government is going to fine a company for their data breach so heavily, shouldn't they be making themselves responsible for helping the consumers that we
Re: (Score:2)
Shrug. So Hilton shut down and we all use one of the other 99.97% of hotels available.
No loss.
Re: (Score:2)
More than that, all the hotels would be open the next day under new ownership so there would be zero loss of anything.
To be honest, I'm not ever sure that Hilton could shut down as its really just a franchise. The hotels are not generally owned by Hilton, who are simply paid a franchise fee for the brand and booking systems. Shutting down 'Hilton' in the EU would just lead to multiple lawsuits from the franchisees for breach of contract.
Re: (Score:2)
Against whom, and for what?
Re: (Score:2)
Against Hilton Worldwide Holdings, Inc for breach of the franchise contract. I imagine they have contractual obligations to supply services to franchisees (bookings, etc) and franchisees have a license to use the name and business processes.
They don't own the hotels - they license the name and business model/services. Its a franchise - http://www.franchisedirect.com... [franchisedirect.com]. To shut down they would have to have the agreement of all the businesses that have a franchise. Why would a local business with a Hilton Ho
Re: (Score:2)
Good luck suing a US company from outside. You wouldn't stand a cat in hells chance of collecting even if you won.
And if the contract is with a local subsidiary, good luck suing a business when it doesn't exist any more.
Re: (Score:2)
You're talking like its Jimmy's Breaks and Shocks and his 3 franchisees in Belize. Many of these franchisees are also multi-national companies, with hotels across the world. You'd need to be some crazy ass cowboy executive to give away all your European assets, trademarks and current and future income as well as your goodwill across the world (how are your other franchisees going to feel about you simply abandoning your European franchisees out of spite). And you would still owe the fine, still have to go t
Re: (Score:1)
Again the issue is WHO benefits from the fine? If it's not the consumer, but some greedy government body, then perhaps the consumers should sue the government for their share of the fines.
Re: (Score:2)
All consumers benefit when companies start taking security seriously. This is a deterrent, not a tax. If companies just pay up then it's not working and something more onerous will be created.
Re: (Score:1)
Re: (Score:2)
Fines can be up to 4% of annual turnover, but if your turnover is less than 800m then your fine can be up to 20m anyway. Yes, it's possible to receive a fine that's four times your annual turnover if you're a small business.
Those are explicitly stated though as the maximum fines. The legislation does allow for lower fines and in the UK the ICO has indicated that they'd prefer to avoid fines where possible and impose substantially smaller fines where needed.
Re: Fines are limited to 20M Euro (Score:2)
So this regulation is hostile to small business while it wonâ(TM)t affect big business. Great, exactly what we need.
Headline doesn't match reality (Score:1)
The key part of the fine provision (Article 83) is that there is an opportunity to fine €20 million (reduced from €100 million in earlier drafts) or 4% of global annual turnover (whichever is higher), for Tier 2 violations (e.g. violations of data subject rights), while this is halved for Tier 1 violations (breach of data controller/processor obligations). Given that the organisation was hacked and data leaked, they are perhaps at most guilty of negligence in their obligations as data controllers,
Re: (Score:1)
Re: (Score:2)
Thank you both - informed and interesting contribution, and helped me understand it all a little better too.
Complex nasty legislation. Going to be fun in May :)
Fake News (Score:2)
It could be 420 Million, but I very much doubt it would be. So the subject is incorrect.