On October 31, 2017, the New York and Vermont Attorneys General (“Attorneys General”) announced a settlement with Hilton Domestic Operating Company, Inc., formerly known as Hilton Worldwide, Inc. (“Hilton”), to settle allegations that the company lacked reasonable data security and waited too long to report a pair of 2015 data breaches, which exposed over 350,000 credit card numbers. The Attorneys General alleged that Hilton failed to maintain reasonable data security and waited more than nine months after the first incident to notify consumers of the breaches, in violation of the states’ consumer protection and breach notification laws.

Hilton agreed to pay $400,000 to the New York Attorney General and $300,000 to the Vermont Attorney General to resolve these allegations. In addition, the settlement requires Hilton to provide immediate notice to consumers affected by a breach, maintain a comprehensive information security program and conduct data security assessments, including an annual written assessment of its compliance with the Payment Card Industry Data Security Standard. With respect to the information security program, Hilton must protect consumer cardholder data by:

  • designating an employee to coordinate and supervise its information security program;
  • identifying material internal and external risks to information security that could lead to unauthorized disclosure, misuse, loss, alteration, destruction or other compromise of the information;
  • implementing reasonable safeguards to control those risks, and perform regular testing or monitoring of the safeguards’ effectiveness;
  • developing and using reasonable steps to select and retain service providers capable of appropriately safeguarding cardholder data and contractually require such service providers to also implement and maintain appropriate safeguards for the information; and
  • evaluating Hilton’s information security program and adjust it based on testing or monitoring results or other circumstances (including material changes to Hilton’s operations or business arrangements) that Hilton knows, or an entity acting reasonably under the circumstances would know, may have a material impact on the program’s effectiveness.

Speaking on the settlement, New York Attorney General Schneiderman stated: “Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible. Lax security practices like those we uncovered at Hilton put New Yorkers’ credit card information and other personal data at serious risk. My office will continue to hold businesses accountable for protecting their customers’ personal information.”