Hilton Hotels Settles N.Y., Vermont Data Breach Action for $700K


By Gerald B. Silverman

Hotelier Hilton Domestic Operating Company Inc. has agreed to pay $700,000, upgrade its security, and undergo security assessments to settle a joint New York and Vermont data security enforcement action.

N.Y. Attorney General Eric Schneiderman (D) and Vermont Attorney General TJ Donovan (D) Oct. 31 announced their separate settlements over credit card breaches in 2015 that compromised more than 350,000 credit cards.

New York will receive $400,000 of the settlement payment and Vermont will receive $300,000 (In re Hilton Domestic Operating Co., Vt. Super. Ct., No. 623-10-17, assurance of discontinuance 10/31/17).

Hilton learned of the first breach in February 2016 and the second breach in July 2015, but didn’t notify affected customers until November 2015, Schneiderman said in a statement.

New York alleged that Hilton violated provisions of the state General Business Law that require notification of data breaches in the most expedient time possible. Vermont alleged that the company violated the Vermont Security Breach Act, which requires notification to the attorney general within 14 days of discovery and to affected customers in the most expedient time possible.

“Companies, no matter the size nor industry, must understand that breach notification is paramount to a consumer’s ability to protect their digital reputation and economic cache,” Mark Sangster, vice president and industry security strategist at the cybersecurity company eSentire Inc., told Bloomberg Law. “The faster the notification, the better the odds of preventing cyber damage.”

Payment Card Standards

New York alleged that the company violated state laws prohibiting deceptive business practices by representing to customers that it would protect the security of personal financial information.

Both states alleged that Hilton violated requirements of the Payment Card Industry Data Security Standard by failing to ensure cardholder data was securely processed.

Hilton “completed a thorough investigation into this incident, including working closely with third-party forensics experts, payment card companies and law enforcement, including certain state attorneys general,” a Hilton spokesperson said in a statement provided to Bloomberg Law. “Hilton is strongly committed to protecting our customers’ payment card information and maintaining the integrity of our systems.”

To contact the reporter on this story: Gerald B. Silverman in Albany, N.Y. at gsilverman@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

The Vermont settlement is available at http://src.bna.com/tRQ.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
