CONTACT: Ryan Kriger, Assistant Attorney General, (802) 828-5507
Vermont Attorney General TJ Donovan reached a settlement today regarding two security breaches involving the credit card numbers of potentially thousands of Vermonters. The agreement settles allegations that Hilton lacked reasonable data security and took too long to notify consumers and the Attorney General of the breaches. It includes a $300,000 penalty and requirements that Hilton change its security practices. The Attorney General worked with New York’s Attorney General to resolve the investigation which resulted in a total penalty of $700,000.
Hilton Domestic Operating Company Inc., formerly Hilton Worldwide, Inc., experienced two separate network intrusions in 2014 and 2015. Hilton did not provide notice to the Attorney General or consumers until November 24, 2015. The Attorney General alleged this notification was 287 days after Hilton knew of the first incident and 100 days after it knew of the second incident.
“We continue to make enforcement of our data breach laws a top priority,” said Attorney General T.J. Donovan. “Every business should notify the public and our office as soon as possible when a breach occurs to ensure consumers can protect themselves,” he said.
Vermont law requires preliminary notice to the Attorney General within 14 days of discovering a breach, and notice to consumers in the most expedient time possible, but no later than 45 days after the incident. This time period is supposed to provide the business enough time to investigate the incident and determine that a breach has in fact occurred. The settlement requires Hilton to provide the Attorney General with notice whenever it retains a PCI Forensic Investigator – a requirement of the credit card companies when a business experiences a breach.
More information about the Attorney General Donovan’s efforts to protect consumers and address data breaches can be found at: Privacy and Data Security.
Last modified: February 26, 2018