Hotels rely on third-party vendors to help run their properties efficiently, and often must give them access to sensitive guest data. This leaves hotels vulnerable to cyber attacks; they're only as secure as their vendors are, and may find themselves directly liable for a data breach. My partner Bob Braun, senior member of JMBM's Global Hospitality Group® and co-chair of JMBM's Cybersecurity and Privacy Group, discusses recent hotel cybersecurity breaches and how hotel owners can protect themselves.
Moreover, the duration of the breach was quite long. Sabre's investigation determined that the unauthorized party first obtained access to payment card and other reservation information on August 10, 2016, and the last access to payment card information was on March 9, 2017. The hackers had potential access for seven months.
Hotel owners and consumers are, unfortunately, common victims of security breaches – all of the major hotel brands and managers have been breached, often multiple times. In analyzing the breaches, there is something that is common to almost all incidents: the vulnerability was not with a hotel, its manager or brand, but with a vendor.
Hotels are not alone, of course, in relying on vendors. Companies in other high-threat industries like finance, retail, and healthcare regularly work with third-party vendors, and these third parties commonly have access to their clients' systems and may share or store clients' sensitive and highly valued data. But this Sabre breach (and those of the past several years) shows us that no matter how well-protected a hotel is from a direct cyberattack, its networks and data may still be easily accessed through third parties with weaker cybersecurity protections. In one of the most famous (or infamous) breaches, the 2013 breach of Target, cybercriminals were able to steal the retailer's sensitive data by accessing its systems with credentials stolen from a vendor responsible for Target's HVAC systems. Similarly, in 2017, thieves stole Netflix's "Orange is the New Black" episodes from an audio post-production company, not from Netflix itself.
The typical hotel management or franchise agreement requires the owner to abide by or adopt data security policies and procedures in conformance with the brand's or manager's standards and to comply with data security laws and regulations. As a result, even where an incident is the result of the manager's or brand's failure to adopt or maintain appropriate standards, the owner will likely be directly liable for a breach, and may be obligated to indemnify the brand or manager for any claims arising from a breach.
Hotel owners are at a particular disadvantage compared to other companies, since hotel brands and managers typically select vendors, like Sabre, for multiple properties and often for an entire brand. Hotel owners may have little, if any, say in the vendor, the terms of engagement, and the impact of a breach. However, under the typical hotel management or franchise agreement, the hotel owner is required to bear the cost of a breach, whether in terms of direct costs (including notifying potential victims and the increased cost of cyberliability insurance) or the indirect cost of diminished trust in the hotel.
While managers and brands are reluctant to cede authority to owners, owners should take active steps to protect themselves and their properties:
Robert E. Braun
Bob Braun is a Senior Member of JMBM’s Global Hospitality Group® and is Co-Chair of the Firm’s Cybersecurity & Privacy Group. Bob has more than 20 years of experience in representing hotel owners and developers in their contracts, relationships and disputes with hotel managers, licensors, franchisors and brands, and has negotiated hundreds of hotel management and franchise agreements. His practice includes experience with virtually every significant hotel brand and manager. Bob also advises clients on condo hotel securities issues and many transactional matters, including entity formation, financing, and joint ventures, and works with companies on their data technology, privacy and security matters. These include software licensing, cloud computing, e-commerce, data processing and outsourcing agreements for the hospitality industry. In addition, Bob is a frequent lecturer as an expert in technology, privacy and data security issues, and is one of only two attorneys in the 2015 listing of SuperLawyers to be recognized for expertise in Information Technology. Bob is on the Advisory Board of the Information Systems Security Association, Los Angeles chapter, and a member of the International Association of Privacy Professionals. Contact Bob Braun at 310.785.5331 or firstname.lastname@example.org.