Guest Data: An Asset or a Liability in the Age of Cybersecurity?

By Tara K. Gorman, Partner, Perkins Coie LLP

When guests check into a hotel, there are plenty of mechanisms to protect their physical "stuff", but how can they be sure that their personal information is protected? This is the question that hotel owners and operators alike are keenly focused on in the aftermath of cybersecurity breaches in the hospitality industry - and in other industries as well. One of the key negotiating points between owners and operators during the initial negotiation of the hotel licensing and management agreements is "which party owns the guest data?" - each party fighting to win the battle and have the right to walk away with the guest data when the relationship ends.

This article will explore whether guest data is an asset or a liability in the age of cybersecurity by examining the rules and regulations that govern privacy and security, the steps that hotel operators and owners can take to ensure that they are in compliance with privacy and security requirements for guest data, and related privacy considerations. For ease, we will use the term "hotel operations" when discussing the obligations of the hotel owner and hotel operator in connection with guest data.

What is Guest Data?

The bell hop takes the suitcases and places them in the guestroom, or in a locked and guarded closet. The guest has the option to park her car in a protected garage. And there is a safe deposit box in the guest room to protect the guest's valuables. But what is the first thing that the guest is asked at check-in - "may I see your driver's license and credit card, please?" And this question is often asked after the guest has registered online or through the hotel's registration procedures, at which time even more personal information was obtained by the "hotel". That personal information is called guest data.

Guest data includes name, address, email address, phone number, credit card number, driver's license number, make/model and license plate number of the vehicle (if parking at the hotel), and in some cases even social security number. In an effort to make the guest's stay more pleasurable and to give personalized service, boutique hotels and even some of the larger hotel brands keep track of even more intimate personal information, such as food and beverage preferences, which newspapers or periodicals the guest reads, types of activities that the guest enjoys when staying at the hotel and the like. Thanks - that's a nice touch, but a bit creepy too.

So now that the hotel operations have collected all this guest data, what are they going to do with it? And is all that information an asset or a liability? Fred Fedynyshyn, a privacy and security compliance attorney at Perkins Coie, marveled at how times have changed: "For years, companies collected as much data as they possibly could, thinking that they could worry about how to monetize it later. Now, they are beginning to realize that this information is a liability, not an asset, unless they are collecting, storing, and using it properly."

Wyndham Worldwide Corp. discovered quite publicly that failure to properly manage its guest data is no minor issue. As Fedynyshyn says, "all companies that collect customer information are in essence technology companies - and not just providers of the service they sell to their customers. The problem is that not all of these companies realize that they have turned themselves into tech companies, and as a result they have not embraced the mindset necessary to properly manage their customer information."

Pinnacle Hotel Cybersecurity Case

FTC v. Wyndham Worldwide Corp. is a pinnacle case in the cybersecurity and privacy space. The Wyndham case firmly authorizes the Federal Trade Commission (FTC) to act as the nation's privacy and security investigator and enforcer under Section 5 of the FTC Act. Wyndham's main network fell prey to hackers who stole the personal information of 619,000 Wyndham customers, which resulted in a loss of more than $10.6 million to these customers. The FTC commenced its investigation of Wyndham's security practices in April of 2010 to determine whether Wyndham was in violation of Section 5(a) of the FTC Act. Section 5(a) prohibits "unfair or deceptive acts or practices in or affecting commerce". Well, what does that mean? Section 5(a) breaks down as follows:

Unfair Practices - An act or practice is unfair where it:

  • causes or is likely to cause substantial injury to consumers;
  • cannot be reasonably avoided by consumers; and
  • is not outweighed by countervailing benefits to consumers or to competition.

Deceptive Practices - An act or practice is deceptive where:

  • a representation, omission, or practice misleads or is likely to mislead the consumer;
  • a consumer's interpretation of the representation, omission, or practice is considered reasonable under the circumstances; and
  • the misleading representation, omission or practice is material.

The FTC concluded that Wyndham "failed to address its data-security flaws" and engaged in "a number of practices that, taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft". Wyndham settled the case with the FTC by stipulated order in December 2015. Under the FTC order, Wyndham must establish a comprehensive information security program designed to protect cardholder data including payment card numbers, names and expiration dates, and Wyndham must undergo annual audits to ensure compliance with such program and the Payment Card Industry Data Security Standard, Requirements and Security Assessment Procedures.

Collect it, Use it, Share it

The FTC is interested in how hotel operations (i) collect guest data; (ii) once collected, secure guest data; and (iii) share guest data. During an investigation the FTC will make a determination as to whether the hotel operation is protecting the security of the guest data adequately and lawfully, and whether the hotel operation has the permission of the guest to do what it is doing with the guest data.

Now What?

Still confused? You are not alone. The Wyndham case does not provide a step-by-step procedure on what to do - but it does indeed provide a baseline of what is not acceptable and clearly sets forth what not to do. Each hotel operation must determine what works best for its hotel. What cybersecurity expert Michael Sussmann, of Perkins Coie LLP, has found in his work with clients is that cybersecurity breaches are often gateways to other problems. Sussmann said, "often a cyber security breach reveals other more threatening problems, which can be addressed once uncovered." Sussmann recommends that companies perform privacy assessments to ensure that they don't unwittingly commit data security and privacy violations.

If You Collect it, You Must Protect it.

"If You Build it They will Come" is a famous quote from Field of Dreams about building a baseball field. The same may not always hold true in the hospitality industry - but a twist on the quote, "if you collect it you must protect it", holds abundantly true in the area of guest data. If you build the hotel and the guests come, and you collect their guest data, you must protect it. "If you collect it, you must protect it" should be the mantra for all hotel operations. Sussmann provides a few baseline rules in connection with guest data as part of a comprehensive cybersecurity program:

Use Protection - aka Data Minimization:

  • Keep Only What You Need - Keep only what you need is not only applicable to cleaning out closets, sheds, and basements, it is a critical component to any cybersecurity policy. If you don't need it, don't collect it in the first place. And if you've collected it, discard it properly. For example, don't keep the guest's full social security number. A hotel operation is not the IRS or the Social Security Administration. In the case of social security numbers, less is more. You don't need all nine digits to identify the guest. So protect the guest data and protect yourself in the process. Just keep the last four digits - that's enough information to identify the guest for the hotel operation purposes. Implementing simple suggestions like this will protect the hotel operation from an unwanted investigation from the FTC.
  • Make a Value Determination - How valuable is the information to the hotel operation? What do you need it for? And if you determine that you need to keep the guest data - use protection. Discard the guest data that is not valuable and protect the retained guest data.
  • Use Protection - Once you have determined that the guest data is valuable to the hotel operation, or more broadly to the hotel operator's brand or the hotel owner's portfolio, then it is critical that the hotel operation has an adequate cybersecurity program to protect the retained guest data. While a Michelin chef may be world renowned for creative home-made recipes, and this creativity boosts the hotel's F&B revenue, creativity and home-made cybersecurity policies are a recipe for disaster. Savvy hotel operations bring in a five-star cybersecurity expert when creating and dishing up cybersecurity policies and procedures.
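As an added illustration of the "keep only what you need" rule (this is example code written for this page, not code from the article, Perkins Coie, or any hotel), the following Python sketch minimizes guest data at check-in and then sweeps out fields whose retention period has expired. The record layout, form field names, and the 30-day and 365-day periods are assumptions; the roughly six-month period for driver's license data is taken from the state-law anecdote later in this article, and the "last four digits only" rule for social security numbers is the one the bullet above recommends.

```python
"""Data minimization at intake plus a retention sweep for guest records.

Added example for this page; not the article's or any vendor's code.
Field names, the record layout and the retention periods are assumptions
made for illustration.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed per-field retention periods (hypothetical policy). The ~6-month
# figure for driver's license data echoes the state-law example in the
# article; the other periods are made up for this example.
RETENTION = {
    "drivers_license": timedelta(days=182),
    "plate_number": timedelta(days=30),   # assumed: needed only while parked
    "card_last4": timedelta(days=365),    # assumed: for charge disputes
}


def _digits(value: str) -> str:
    """Strip separators so formats like 123-45-6789 and 123 45 6789 match."""
    return re.sub(r"\D", "", value)


def minimize_ssn(ssn: str) -> str:
    """Return only the last four digits of a nine-digit social security number."""
    digits = _digits(ssn)
    if len(digits) != 9:
        raise ValueError("expected a nine-digit social security number")
    return digits[-4:]


def minimize_card(pan: str) -> str:
    """Return only the last four digits of a payment card number (12-19 digits)."""
    digits = _digits(pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("unexpected card number length")
    return digits[-4:]


@dataclass
class GuestRecord:
    """What the hotel actually stores; full SSN and PAN never reach this object."""
    name: str
    email: str
    ssn_last4: Optional[str]
    card_last4: Optional[str]
    drivers_license: Optional[str]
    plate_number: Optional[str]
    collected_on: date


def intake(form: dict, today: date) -> GuestRecord:
    """Build the stored record from check-in form fields, minimizing on the way in.

    `form` is the raw check-in submission (hypothetical keys); it should be
    discarded after this call rather than persisted.
    """
    return GuestRecord(
        name=form["name"],
        email=form["email"],
        ssn_last4=minimize_ssn(form["ssn"]) if form.get("ssn") else None,
        card_last4=minimize_card(form["card_number"]) if form.get("card_number") else None,
        drivers_license=form.get("drivers_license"),
        plate_number=form.get("plate_number"),
        collected_on=today,
    )


def retention_sweep(record: GuestRecord, today: date) -> GuestRecord:
    """Blank out every field whose retention period has run out.

    Run this on a schedule (daily, not annually): a yearly purge would still
    exceed a six-month limit for most records.
    """
    age = today - record.collected_on
    for field, period in RETENTION.items():
        if getattr(record, field) is not None and age > period:
            setattr(record, field, None)
    return record


if __name__ == "__main__":
    # Constructed sample check-in form; every value here is made up.
    form = {
        "name": "A. Guest", "email": "guest@example.com",
        "ssn": "123-45-6789", "card_number": "4111 1111 1111 1111",
        "drivers_license": "D1234567", "plate_number": "ABC-1234",
    }
    rec = intake(form, date(2024, 1, 1))
    print(rec)
    print(retention_sweep(rec, date(2024, 8, 1)))
```

The design point is that minimization happens in `intake`, before anything is written to storage, so there is no full SSN or card number for a later breach to expose; the sweep then handles the fields that must exist for a while but not forever.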

Warning Shot - It's All About Notice and Disclosure

One of the most critical components of a cybersecurity policy is disclosure. It is critical that the hotel operation disclose to the guest what it is going to do with the guest data. One of the easiest and most effective ways to get the word out is to provide notice on the website and at the front desk of the hotel. Sussmann says, "so much of this is governed by consent. If the hotel operation provides notice and the guest consents, you are well on your way to compliance." But do not be fooled, notice alone is not enough. Perfection is the goal, but a comprehensive and well-implemented cybersecurity program is realistic. A comprehensive security program will contain many of these elements:

  • Passwords - Require complex passwords with a combination of letters, numbers, and symbols, and avoid using "default" settings.
  • Restrict Third-Party Vendor Access - Do not permit unrestricted access by third-party vendors; limit their access to specified IP addresses or require time-limited access.
  • Encrypted Format - Sensitive information should be stored in encrypted format.
  • Security Measures - Use firewalls and other security measures to limit access to systems, the company's network and the internet.
  • No Default User IDs - Prohibit the use of "default" user IDs and passwords.
  • Inventory Network Computers - Keep an inventory of computers connected to the network.
  • Detection and Prevention - Employ reasonable detection and prevention measures.
  • Update Operating Systems - Update operating systems and software and implement information security policies and procedures that require maintaining security updates.
  • Incident Response Procedures - Design comprehensive incident response procedures (e.g. identifying attack tools, methods and targets to avoid similar attack methods or malware).

Get Expert Advice.

You wouldn't perform brain surgery on yourself, would you? Bring in the experts to do a privacy assessment and take inventory of your cybersecurity policy to ensure that your hotel operations don't mistakenly violate the law. Just like any other audit, the experts will perform a detailed analysis of the hotel operation in connection with management of guest data to ensure that what the hotel operation is doing is lawful. Common sense and a "good college try" are not good enough when it comes to cybersecurity. For example, one hotel implemented a policy whereby it kept guests' driver's license information for an extended period of time. This hotel unwittingly violated a state law that requires that driver's license information be discarded within 6 months of collection. Even an annual data dump wouldn't have been frequent enough to avoid this violation. Rules vary from state to state and change often. So it is critical to bring in an expert to perform a cybersecurity audit with an eye on both federal and state compliance issues.

Guest data is a valuable asset to hotel operations when coupled with a comprehensive cybersecurity program. It is critical that hotel owners and operators are familiar with the rules and regulations that govern privacy and security, take steps to ensure that their hotel operations are in compliance with privacy and security requirements for guest data, and attend to related privacy considerations. The bottom line is: Don't go it alone. In order to ensure that your guest data is an asset, avoid the costly liability of guest data and hire an expert to conduct a privacy assessment.

Tara K. Gorman is a Partner at the law firm of Perkins Coie and focuses her practice on hospitality law. In addition to practicing law, Ms. Gorman writes a column for Hotel Business Review, is a Professor in Residence (Adjunct) at the Washington College of Law of American University in Washington, D.C., as part of the Hospitality and Tourism Law Program, has taught Foundations of Real Estate Law at Georgetown University as an Adjunct Professor, and regularly speaks at conferences and seminars on real estate and hospitality topics. Ms. Gorman focuses on hotel acquisitions, operations, development and finance and hotel management agreements. Ms. Gorman can be contacted at 202-654-6253.
