The new Star Wars film, The Last Jedi, is being released later this year, in December 2017. Two years back, when the previous film was in cinemas, the hotel chain commonly known as Hilton (Hilton Domestic Operating Company, Inc.) was being hacked and breached, with the attackers making off with credit card details and other identifying information for around 350,000 customers.
On Halloween 2017, nearly two years later, the New York Attorney General, Eric T. Schneiderman, imposed a $700,000 fine on the hotel chain.
The Attorney General made particular punitive reference to the chain's failure to respond effectively to the breach, noting that although the business first learned of the hack in February 2015, and that its customer data had been exposed through a UK-based computer system, it failed to notify the public about the breach until 24 November 2015.
The $700,000 fine equates to approximately $2 per lost record, significantly less than the average cost (when accounting for brand damage, professional services, fees and remediation) of closer to $141 per record.
This fine amounts to around 0.00006% of Hilton’s annual revenue in 2015.
However, come May 2018, with the enforcement powers provided to the European data regulators such as the UK’s Information Commissioner's Office through the General Data Protection Regulation (GDPR), what would that fine look like? Just a little higher…
With maximum fines of 4% of annual turnover in the year preceding the incident, the penalty could have been $420 million, or $1,200 per record lost.
Grant Thornton's research and many other studies continue to show that many businesses that WILL be affected by the GDPR and the soon-to-be-updated Data Protection Act are not prepared:
- Do you know what the GDPR means to your business?
- Are you aware of the fines?
- Are you living the Accountability Principle that requires you to demonstrate how you are seeking to comply with your data obligations?
71% of businesses haven't realised they will be heavily fined if they fail to follow guidance, even though 18% of businesses say the size of the fines is likely to put them out of business.
25% of businesses would be unable to detect a breach if it happened.
Speak to Grant Thornton’s experts for a free seminar or whitepaper on GDPR and how to relieve the burden of your data governance.
Gain value and insight, not fines, from your data.
What does that mean practically for a company like Hilton? Well, the company's FY 2014 revenue (or "turnover") was $10.5 billion. Four percent of that is a cool $420 million, or $1,200 for every customer record lost. Needless to say, that's a number that will get the attention of the company's Board of Directors and shareholders.