Hoteliers have to address cybersecurity from a number of angles, including technical, legal, law enforcement, insurance and payment systems. Experts from all those areas were represented on a cybersecurity panel I participated in at the Meet the Money conference recently held in Los Angeles. Here have five key takeaways from that session:
Compliance does not equal security
Each of the panelists agreed that while meeting legal and business requirements is essential, compliance does not necessarily achieve real cybersecurity — completing checkboxes on a task list or questionnaire is only a first step. The panelists noted that each of the major hotel breaches in the last year, which involved every major hotel chain, implicated point of service credit card systems that complied with industry standards. Hotels and hotel companies need to look beyond complying with standardized requirements and have to evaluate their own risk profile and apply meaningful security plans.
Informed response is better than instant response
Too many organizations make the mistake of reacting before they think, especially when reporting a breach. Data breaches can be complicated matters and it is essential to understand the scope of the breach, the data and individuals involved, and how a firm can remediate the source of the problem before disclosure. There is no question that speed is important, but some breaches do not require notification, while acting without ascertaining the facts can require multiple notifications, which is damaging to reputation and sends the wrong message.
Credit cards are not the only risk
While much focus is placed on the theft of credit card numbers, hotels must consider other risks. Hotels and hotel companies hold massive amounts of sensitive personal information that can be used to steal a guest’s identity. Moreover, hotels need to consider more than data; the interconnection of systems means that breaking into a financial structure can give a hacker access to door locks, heating and air conditioning systems, electrical, plumbing and other key structural and physical parts of the hotel. What would happen if a hacker flooded a hotel, or opened the doors? This damage can far exceed the damage from lost credit cards and could cause untold damage to the hotel, its brand and owners.
Cybersecurity cannot be achieved without addressing the human factor
95% of all data breaches can be traced to human causes. Individuals make mistakes, don’t consider cybersecurity, steal, or intentionally damage data systems. While technical measures are necessary, any individual can undo all technical planning – all it takes is a click on the wrong website or responding to the wrong email. The answer is for hotels and hotel companies to train their personnel at all levels to reduce incident and create a secure environment.
Hotels need to create a culture of security
Hotels are obligated to maintain the physical security of guests; if a guest does not feel safe in their room, they will not patronize the hotel or the hotel brand. This need for physical security applies to data security as well; hotels must make guests feel that the hotel they visit is as concerned about their personal and financial data as they are about their physical security. Moreover, hotels hold and must protect great amounts of data that is key to their competitive survival. Hotels companies can only achieve security for guests and integrity for their own data by creating a culture of security at all levels.
The last point might be the most important – hotels should look at themselves as leaders in the fight for cybersecurity. Hotels every day take responsibility for the security and safety of their guests. Guests will only feel secure if they believe all of their property, including their digital, property, is protected. Hotels can transform themselves from being the most likely source of data theft to becoming the model for data security.
Bob Braun is a Senior Member of JMBM’s Global Hospitality Group and is Co-Chair of the Firm’s Cybersecurity & Privacy Group. Bob has more than 20 years experience in representing hotel owners and developers in their contracts, relationships and disputes with hotel managers, licensors, franchisors and brands, and has negotiated hundreds of hotel management and franchise agreements. His practice includes experience with virtually every significant hotel brand and manager.
Bob also advises clients on condo hotel securities issues and many transactional matters, including entity formation, financing, and joint ventures, and works with companies on their data technology, privacy and security matters. These include software licensing, cloud computing, e-commerce, data processing and outsourcing agreements for the hospitality industry.
In addition, Bob is a frequent lecturer as an expert in technology, privacy and data security issues, and is one of only two attorneys in the 2015 listing of SuperLawyers to be recognized for expertise in Information Technology. Bob is on the Advisory Board of the Information Systems Security Association, Los Angeles chapter, and a member of the International Association of Privacy Professionals. Contact Bob Braun at 310.785.5331 or [email protected]. More on this topic can be found on www.HotelLawBlog.com.