Hilton could have paid a fine of over $400 million if its data breach had happened after May 2018 and included European citizens. The General Data Protection Regulation (GDPR) goes into effect May 25th, and nobody wants to be the first company to be hit with a large fine. The bigger the company, the more its people should worry, and the Hilton breach is a great example of why.
The GDPR is aimed at protecting the privacy of European citizens by making sure companies that store their data take that responsibility seriously. One of the biggest requirements is that such companies should protect personal data from inappropriate access, such as what happened to Hilton. Failure to do so can lead to huge fines unlike any we’ve seen so far.
For those unfamiliar with the story, there were two incidents in 2015 in which Hilton exposed the credit card information of 350,000 customers. The New York Attorney General’s office determined that Hilton did not provide adequate data security and did not notify its customers in a timely manner after the breaches — both considerations under the GDPR. Hilton and the Attorney General’s office negotiated a settlement with a fine of $400,000. Under the GDPR, a similar incident could generate a fine of over $400 million.
Fines for this type of incident under the GDPR are up to 20 million Euros or 4% of the annual revenue of the company (“turnover” in GDPR parlance), whichever is greater. Since Hilton’s annual revenue is just over $10 billion, 4% of that would be over $400 million! Since the GDPR has not yet gone into effect, there is no case law to look at, which means we have no idea how the courts will interpret these fines. The fines go up to this amount, and the higher amounts are meant for the most egregious, willful acts. The New York Attorney General’s office felt that Hilton’s actions were willful. If the GDPR courts felt the same way, it’s possible such a breach could get the maximum fine.
Are you ready for GDPR?
Hopefully this article is not the first time you are looking at the GDPR. If it is, feel free to read our other articles on the topic. The most important thing to do at this point is to familiarize yourself with the regulation, taking great care to understand that it does indeed apply to you — assuming you are storing personal data of EU citizens. After that, the most important thing to do is to begin conversations with your suppliers to ask them how they are going to help you comply with the requirements of the GDPR.
The initial onus will be on your information security team to make sure you are protecting any personal data you are storing against unauthorized access. Once that is underway, the next thing to look at is how you are going to comply with information requests for retrieval or deletion of personal data. Failure to do so may result in the kinds of fines already mentioned in this article.
Get started now to protect your company from becoming a GDPR cautionary tale by visiting our GDPR Solutions Page.