On a basic level, the hospitality business is simple - as is often said, it amounts to putting heads in beds. But finding the heads to put in the beds is a complex process and requires hotel companies to find out a great deal of information about their guests. Gathering and processing that information provides not only opportunities, but creates obligations, one of the most basic of which is ensuring the security of guests' personal information.
This focus must be seen in the context of two key issues: first, that hotels collect large amounts of data from their guests, both directly and through third parties; and second, that the hospitality industry has a checkered track record in protecting personal information. Both these demand that the hospitality industry take a renewed focus on data security
Hotels and hotel companies collect tremendous amounts of information, directly and through others, including vendors, credit card companies, websites, use of wifi and other systems. The fact that hotels are increasing reliant on technology - and responsive to guest demands for increased connectivity - increases both the amount of information and the risk involved in collecting and processing information.
The increasing incorporation of technology into hotel operations can lead to more breaches. Hotels are seemingly in a race to become more innovative - consider the trend to allow guests to bypass the need to go to the front desk by using their mobile devices to select a room, check-in, receive texts when their room is ready, and even unlock the door to their room. Guests are encouraged to use mobile devices to customize their stay by requesting items, ordering room service, planning activities, or purchasing upgrades. Not only does this trend increase the likelihood of a breach by adding new access points to the system; these programs collect even more data, making a hotel breach more valuable.
Hotels are also pressured to expand Wi-Fi networks, share data with OTAs, and proliferate other interconnected systems, making the hospitality industry more vulnerable to a data breach. Each of these factors increases the number of parties that have access - authorized or otherwise - to hotel data, and increase the number of threats to the industry.
Trustwave's 2018 Global Security Report reported that nearly 12% of the incidences investigated by Trustwave originated at hotels - the third largest share of data breaches, preceded only by retail and the food and beverage industries, which share many of the same vulnerabilities. The hospitality industry possesses a number of factors that make them attractive to hackers: large volumes of valuable information, multiple vectors for accessing information, large workforces and dependence on vendors, to name a few. There are, however, a number of trends that make hotels more vulnerable. However, there are other reasons that contribute the frequency of cyberattacks on hotels.
One of the key issues facing the industry is the prevalence of outside vendors who provide key hotel functions. Almost every breach involving hotels that have been reported over the past several years generated not with core hotel functions - check-in and check-out, reservations, etc. – but from companies engaged by hotels to provide services to the hotel. Virtually every major hotel chain has suffered a data breach through point of sale merchants - each of Hyatt, Marriott (and before its acquisition by Marriott, Starwood), InterContinental, Hard Rock, Four Seasons, Trump and Loews has reported at least one breach in the past two years, and many have reported multiple breaches.
Third parties are a common source of breaches for many industries, but the hotel industry is particularly reliant on third parties for many functions. In addition to credit card processing, hotels look to third parties for reservation services, payroll, human resources, asset management, maintenance and improvements - many hotels have determined that third parties are better qualified to provide specialized services, and thus have access to hotel systems. Many hotel companies have not fully recognized the need to monitor vendors and require them to implement adequate secure standards.
It is not surprising that hotel brands are particularly vulnerable. Brands often select vendors for multiple properties and often for an entire flag. Individual hotels may have little, if any say, in the vendor, the terms of engagement, and the impact of a breach. Moreover, even when a weakness is discovered, the cost of remediation may be untenable - a security breach involving key-operated door locks required the replacement of almost every door lock in the United States! At the same time, under the typical hotel management or franchise agreement, the hotel owner is required to bear the cost of a breach, whether in terms of direct costs (including notifying potential victims and the increased cost of cyber liability insurance) and the indirect cost of diminished trust in the hotel.
The widespread dependence on third party vendors is a greater problem because hotel systems are widely interconnected. To follow up on the point of sale example, these vendors must tap into basic hotel systems in order to allow for room charges and financial reporting. Hotel operators want and need single point access to hotel operations, meaning that information from separate systems must be accessible and shared by a variety of systems. Even where direct access is limited, varying systems may share a single hotel network, and often a wireless network; the network itself has the potential of breach, which can impact all systems. Ultimately, hotels face the dilemma that the system as a whole is only as strong as its weakest link, and a single vulnerability may expose the entire system.
A variety of other factors exacerbate the vulnerability of hotels:
Multiple Systems. Hotels use a variety of different systems for operations, ranging from off-the-shelf, commercial programs to specialty programs. Each of these programs presents the potential for breach and, as noted above, a single weakness can create a weak system. Moreover, the transfer of information from one system to another is, in itself, a source of weakness.
Legacy Systems. Along with the existence of multiple systems, many hotel systems are legacy systems that were never designed with security as a key element. Legacy systems are a particular weakness.
Unclear Lines of Responsibility. As the hospitality industry has developed, there is rarely a unity of ownership and management; instead, most hotel properties are owned by one party, which has entered into a franchise agreement to operate under a particular brand, and managed by yet another company. While each of these entities shares responsibility for data security, it is often unclear who is ultimately responsible - it is the manager, who operates the hotel, the franchisor, who selects or approves systems, or the owner, who has financial responsibility for the venture? The lack of precise responsibility can lead to a vacuum in leadership.
The Human Factor. Hotels rely on large numbers of employees, many of whom have access to hotel information systems. Most data breaches can be traced to individuals, whether acting maliciously, negligently or with complete innocence, and training hotel personnel is time-consuming and expensive. Added to this, many hotels have high turnover rates and uneven training in privacy and security, further complicating creating a culture that promotes security.
While creating a secure environment is a daunting task, hotel owners and operators can and should begin the process, and the most important thing owners can do is to take responsibility for the security of the properties they own. Rather than leaving the issue to franchisors and managers, all involved should take actions that will start the process of creating a data secure environment.
Take Control. Cybersecurity cannot be relegated to a single party; owners, operators and brands all need to take an active role in reducing cyber risks. Even where one party might contractually assume responsibility for security, all parties must conduct their operations so as to promote security. If a franchisor establishes effective security guidelines, it does no good if the manager ignores those guidelines. Taking control means conducting a detailed risk analysis of your enterprise, and determine what risks must be avoided, what risks can be assumed, and what risks must be shifted to other, including insurers. With that analysis in hand, a company can make realistic business decisions that reduce cyber risk.
Prepare for the Inevitable. It is often, and accurately, said that a data breach is a matter of "when," not "if." With that in mind, all parties should be prepared to react to a breach by having a well-constructed and tested incident response plan in place - reacting in the midst of an emergency is ineffective and counterproductive. Similarly, in light of the prevalence of ransomware, wiperware and other threats, firms need to have robust and effective backup programs that allow them to recover and protect their guests, employees and properties. Finally, preparing for the inevitable means identifying means of mitigating damages, which must include obtaining effective cyber insurance that addresses and covers the actual damages hotels face.
Respond to Breaches. Much of the criticism of hotel companies has been not just to the perceived insecurity of their systems, but to delays in responding to breaches. The Hyatt and Hilton incidents noted above, as well as the FTC's action against Wyndham, are all based on failure to take the existence of breaches seriously. Hotels, like all companies, need to have in place and have tested effective incident response teams and plans, including identifying all internal and external sources (attorneys, security consultants and public relations, among others) who will respond to a breach.
Create a Culture of Security. Probably the hardest task, but arguably the most important, is to create a top-to-bottom culture of cybersecurity. Every individual in the organization, and every affiliate and third-party vendor, must take the task of cybersecurity seriously, and take on the responsibility of creating a cyber secure environment.
While the hospitality industry continues to grapple with data breaches and the vulnerability of existing systems, recent legal developments in Europe and in the United States will have require hotel companies to re-evaluate how they collect information, how they process it, and how to comply with varying and conflicting requirements.
The European Union adopted the General Data Protection Regulation (GDPR), which became effective on May 25, 2018. The GDPR is a watershed event that will impact every business that collects personal information, wherever located, and it is likely that no industry will be more impacted that the hospitality industry. Other companies can choose not to do business with EU citizens; some companies have determined that it is impossible to comply and have actually closed. That is not an option for hotels. Hotel companies need to understand the goals and requirements of the GDPR. The nature of hotels and the various data holding sources such as OTA bookings and PMS systems escalate the regulation for travel and hospitality industries.
The consequences for non-compliance can be extreme: The maximum fine that can be imposed for serious infringements of GDPR is the greater of €20 million or four percent of an undertaking's worldwide turnover for the preceding financial year. There is only limited experience in enforcement actions under GDPR, and those experiences have been inconsistent. No one knows yet how European regulators will apply GDPR it to firms based outside the EU, but there are already public interest groups that are targeting multinational companies, and it seems likely that there will be some fallout.
And GDPR is not the end of the story. The EU is actively pursuing the adoption of an "ePrivacy Regulation." The e-Privacy Regulation will, in many respects, go beyond GDPR and create additional challenges for companies that have contacts in the European Union.
The California Consumer Privacy Act of 2018 (CaCPA) addresses many of the concerns and requirements of GDPR. Companies that take prompt action to comply with the California Act and the GDPR will likely gain a substantial advantage over competitors who wait. While CaCPA has already been amended, and while there are a variety of attacks CaCPA that create uncertainty, businesses need to consider immediate steps to avoid the significant penalties for non-compliance. Businesses must be in full compliance on the effective date of January 1, 2020. It will not be adequate to start compliance efforts on that date.
Addressing both the GDPR and CaCPA requires new policies and procedures. Hotel companies need to take initial steps to ensure compliance by creating a standardized approach for handling consumer requests for personal information; develop procedures for responding to consumer requests and data collection and processing tracking procedures to understand what data is collected, where it resides, how it is maintained, and who is responsible for it. Importantly, hotels will need to analyze the legal basis for collecting and processing personal information - businesses will need to explain their legal rationale for exemptions to the consumer's right to have their information deleted.
Finally, each hotel company must review its public-facing website disclosures, including adding a description of consumers' rights under the Act, listing the categories of data collected and a conspicuous link titled "Do Not Sell My Personal Information."
The hospitality industry is facing both continuing challenges protecting the personal data of guests, as well as grappling with a new legal landscape. Companies need to recognize that while the trials are great, success will create trust in the industry's most important commodity - its guests. A comprehensive approach can give companies the chance not only to confront these issues, but create brand value in doing so.
Reprinted from the Hotel Business Review with permission from http://www.hotelexecutive.com/
JMBM Global Hospitality Group®
1900 Avenue of the Stars, Seventh Floor
Los Angeles, CA 90067
Phone: (310) 203-8080
Fax: (310) 203-0567
Robert E. Braun
Bob Braun is a Senior Member of JMBM’s Global Hospitality Group® and is Co-Chair of the Firm’s Cybersecurity & Privacy Group. Bob has more than 20 years experience in representing hotel owners and developers in their contracts, relationships and disputes with hotel managers, licensors, franchisors and brands, and has negotiated hundreds of hotel management and franchise agreements. His practice includes experience with virtually every significant hotel brand and manager. Bob also advises clients on condo hotel securities issues and many transactional matters, including entity formation, financing, and joint ventures, and works with companies on their data technology, privacy and security matters. These include software licensing, cloud computing, e-commerce, data processing and outsourcing agreements for the hospitality industry. In addition, Bob is a frequent lecturer as an expert in technology, privacy and data security issues, and is one of only two attorneys in the 2015 listing of SuperLawyers to be recognized for expertise in Information Technology. Bob is on the Advisory Board of the Information Systems Security Association, Los Angeles chapter, and a member of the International Association of Privacy Professionals. Contact Bob Braun at 310.785.5331 or firstname.lastname@example.org.