Correction: The following article was updated to reflect Hilton would have been subject to a $420 million fine under GDPR.
Fines for data breaches may start hitting new highs under regulation changes. Under the European Union's General Data Protection Rule (GDPR) set to take effect in May 2018, companies can be fined more than $23 million (€20 million) or up to 4% of total global revenue for the year prior, depending on which is larger, according to the regulation.
Hilton Domestic Operating Company, Inc. is set to pay a $700,000 settlement following two data breaches in 2015 which compromised more than 350,000 credit card numbers, according to an announcement by the office of the New York Attorney General. The investigation into the breaches found the company did not have "reasonable data security" in place and failed to notify consumers in a timely manner.
- Were Hilton subject to GDPR's upcoming fine changes, the company would have to pay $420 million — or $1,200 for every compromised record, compared to $2 under the current fines, Digital Guardian reports. Though GDPR is an EU policy, but even U.S.-based companies, companies conducting business in the EU will be bound by upcoming regulations, according to the report.
GDPR will give consumers more control over who has their data, but this means big changes for the companies that collect, process and use PII. The regulations are expanding liability for data breaches, from just data controllers to controllers and third-party data processors.
Companies have had two years' warning to bring systems into compliance with the upcoming changes, but many may not be ready when May rolls around. More than half of companies GDPR impacts are not expected to be fully compliant with its requirements by the end of 2018, months after the legislation has taken effect anyway, according to Gartner.
Furthermore, many companies simply do not understand the extent to which GDPR may affect business. Cloud service providers often underestimate the impact of GDPR, according to IDC, but the onus is on companies using a CSP to ensure it is fully compliant.
Ignorance is not a basis for defense under the regulations, and with 90% of enterprises expected to use cloud-based storage and services by 2021, service providers are tiptoeing a dangerous line.
Many large companies and providers have begun preparing for May, but the compliance process is not as easy for smaller organizations with strapped resources. With cyberattacks and breaches dominating 2017 headlines, the cybersecurity landscape is dangerous for companies with sensitive consumer information. Those that conduct business in the EU and have not begun GDPR compliance preparation now have a very limited window to protect themselves financially.