{"id":2859,"date":"2017-11-13T16:00:33","date_gmt":"2017-11-13T16:00:33","guid":{"rendered":"https:\/\/tsisupport.com\/?p=2859"},"modified":"2021-07-19T00:51:19","modified_gmt":"2021-07-19T04:51:19","slug":"hilton-data-breach-results-700000-penalty","status":"publish","type":"post","link":"https:\/\/tsisupport.com\/tsistaging\/?p=2859","title":{"rendered":"Data Breaches News: Hilton Data Breach Results in Penalty"},"content":{"rendered":"

Malicious network attacks & data breaches often make headlines, what is rarely discussed are the repercussions following such events.\u00a0 Businesses of all sizes have a responsibility to their consumers, should such incidents affect their privacy, to notify them in a timely manner.\u00a0 Hilton Hotels<\/a> reached a settlement this month with New York Attorney General<\/a> Eric T. Schneiderman<\/a> and Vermont Attorney General TJ Donovan following two breaches in 2015.<\/p>\n

The settlement provides valuable lessons for any business seeking to understand state data breach laws, some of which have vague terminology like \u201cmost expedient time possible and without unreasonable delay\u201d in relation to notifying those affected, as well as how breaches can uncover even greater security standard deficiencies leading to costly exposures.<\/p>\n

Data Breach Incidents<\/span> <\/strong><\/p>\n

Hilton had two separate data breaches in 2015.\u00a0 On February 10, 2015 Hilton from their computer service provider that a system they utilized in the UK was communicating with a suspicious computer outside Hilton\u2019s computer network. An investigation was launched and revealed credit-card targeting malware that potentially exposed cardholder\u2019s data between November 18th<\/sup> and December 5th<\/sup>, 2014. The second breach was detected on July 10, 2015 through an intrusion detection system.\u00a0 The result was further malware designed to steal credit card information from point of sale (POS) machines.\u00a0 Payment information was potentially exposed for all transactions between April 21st<\/sup> and July 27th<\/sup>, 2015.<\/p>\n

In total, some 363,952 credit card numbers were believed to have been stolen by the attackers.\u00a0 Yet, Hilton chose not to notify customers until November 24th<\/sup>, 2015. Over nine months after the first intrusion was discovered.<\/p>\n

Timely Notifications<\/span> <\/strong><\/p>\n

According to the Attorneys General, Hilton had sufficient information to trigger consumer & regulator notice well before November 24th<\/sup>.\u00a0 Breach notification laws in New York require expedient time and without reasonable delay, which remains subjective, while Vermont\u2019s breach notification law maintains similar standards, but with the maximum limitation exceeding no later than 45 days after discovery.\u00a0 The Attorney General in Vermont must also be notified within 14 days.\u00a0 Pursuant to these laws, Hilton failed to comply on nearly every count.<\/p>\n

 <\/p>\n

\"\"<\/a><\/span><\/span><\/p>\n

Failure to Comply<\/span> <\/strong><\/p>\n

The Attorneys General also discovered that Hilton was not in compliance with the Payment Card Industry Data Security Standard<\/a> (PCI DSS Compliance).\u00a0 The PCI DSS is a proprietary information security standard for organizations that process branded credit cards from the major credit card companies, including Visa, MasterCard, American Express, & Discover. The standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council<\/a> to ensure cardholder data is processed in a secure environment.<\/p>\n

Vermont\u2019s Attorney General alleged that Hilton\u2019s failure to meet PCI DSS requirements for maintaining reasonable data security practices violated Vermont\u2019s Consumer Protection Act.<\/p>\n

Further, the New York Attorney General noted that Hilton misrepresented itself customers by stating that they would maintain the personal information of its customers using reasonable data security.\u00a0 Hilton demonstrated further insufficiencies by informing customer\u2019s that their personal information was secure. \u00a0For example, upon members logging into Hilton.com, they see a message stating \u201cYour Information is Secure\u201d with a hyperlink to Hilton\u2019s Global Privacy Statement.\u00a0 By violating and implied representations of reasonable data security, Hilton violated New York\u2019s Executive Law and General Business Law, which prohibits deceptive acts or practices in conducting business.<\/p>\n

Outcome of the Settlement<\/strong><\/span><\/p>\n

In addition to civil penalties totaling 700K (300K for Vermont & 400K for New York), Hilton must:<\/p>\n