According to official statements released by investigators, the company was found to have made two glaring errors: failing to maintain reasonable data security, and failing to notify victims of the data breach in a timely manner.
The second failure was seen as particularly egregious, given that the company waited more than nine months before notifying its customers of the first of the two breaches. Eric T. Schneiderman, the Attorney General of the state of New York, said:
“Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible.
Lax security practices like those we uncovered at Hilton put New Yorkers’ credit card information and other personal data at serious risk. My office will continue to hold businesses accountable for protecting their customers’ personal information.”
According to the particulars of the agreement, New York State will receive $400,000 of the damages, and Vermont will receive $300,000.
The lesson here is as simple as it is painful: if you fail to implement reasonable security for your customers’ data, or fail to notify affected customers in a timely fashion, you will eventually pay the consequences. The two obligations are separate, and investigators faulted Hilton on both.
Those consequences took two forms. The first and most obvious is the fine itself. Although Hilton is a large corporation with deep pockets, $700,000 is not pocket change, and it is bound to sting. The second is reputational: the company lost a great deal of face with its customers and tarnished its image. The trust lost through its mishandling of the breaches will take far longer to rebuild than the financial loss represented by the fine.
File this one away under how not to handle a data breach.