Protecting Personal Information from Data Breaches Through Joint Cyber-Defense

By Marc Stephen Shuster Partner, Berger Singerman | January 18, 2015

Co-authored by Steven D. Weber, Member of Berger Singerman’s Dispute Resolution Team

Hotel affiliates hold a myriad amount of customer personal information and a data breach suffered by an affiliate may impact the hotel’s entire brand. One way to mitigate the risk of a data breach is to enter into a joint cyber security defense agreement.

Hotels and their affiliates are attractive targets for data breaches because they receive and store their customers’ personal information. That personal information may take the form of, among others, names, addresses, credit card information, and passport information. It may be used for booking hotel reservations, in paying for wireless service, in registering for loyalty programs, for marketing programs, or for numerous other purposes connected to the hotel industry. The personal information associated with a certain hotel brand or property may belong to customers of a certain economic status ( such as a travel executive or high net worth individual ), making such information especially tempting. Due the value of the personal information stored by hotels, significant hotel brands experienced data breaches in 2014 where the personal information of thousands of customers was compromised.

One reason that the hotel industry is susceptible to data breaches is the large number of channels by which a hotel obtains its customers’ personal information. For example, many hotels rely on front desk employees or other customer service representatives to receive their customers’ personal information. Each has the opportunity to misappropriate that personal information, and even the most well-meaning employee may inadvertently disclose personal information or cause a security breach by, for example, opening a malicious e-mail attachment. In addition, many hotels partner with numerous affiliates who obtain personal information from their customers. Those affiliates may receive that information as the result of, for example, a customer booking hotel reservations or registering for a loyalty program. In some cases, a customer may provide their personal information to an affiliate without even knowing they are doing so. That personal information may then be transmitted to a central booking website or stored by an affiliate as part of a marketing program. Ultimately, all the personal information gathered by hotels and their affiliates may be entered into still more databases that are susceptible to a data breach.

Not all channels receiving personal information operate with the same level of computer security. The weakest channel may cause vulnerabilities in or otherwise impact the most secure channel. In today’s world, where hotel affiliates receive personal information through mobile phone applications, the number of affiliates involved in collecting customer’s personal information is greater than ever. This means the threat of potential data breaches has also intensified because those affiliates may not have uniform budgets devoted to computer security. As a result, they may not use the best available encryption, digital certificates, or have access to security teams that can audit their systems for weaknesses. All of which may lead to a data breach that impacts not only the affiliate, but also the hotel brand.

One way to mitigate the risk that an affiliate experiences a data breach is by entering into a joint defense computer security agreement. The joint defense computer security agreement is an agreement by which a hotel brand agrees with all or certain affiliates to cooperate in defending customer personal information. Numerous facts must be considered when entering into such an agreement, only some of which will be addressed here.

Hotel Newswire Headlines Feed  

Joey Yanire
Scott  Watson
Banks Brown
Jerome G. Grzeca
David C. Marr
Coming up in January 2018...

Mobile Technology: Relentless Innovation

Technology has become a crucial component in attracting and retaining hotel guests, and the need to enhance a guest’s technology experience is driving a relentless pace of innovation. To meet and exceed guest expectations, 54% of hotels will spend more on technology in 2018, and mobile solutions in particular will top the list of capital investments. Many hotels are integrating mobile booking, mobile keys, mobile payments and mobile check-in into their operations. Other hotels are emphasizing the in-room experience, boosting bandwidth and upgrading flat screen TVs to more easily interface with guest mobile devices. And though not yet mainstream, there are many exciting technology developments on the near horizon. The Internet of Things (loT) is taking form in some places, and can be found in guest room control systems, voice activation systems, and in wearable sensors that can be used for access and payment options. Virtual reality headsets are available at some hotels so guests can enjoy virtual trips to exotic locations or if off-property, preview conference facilities and guest rooms. How long will it be before a hotel employs a fleet of robots for room service, or utilizes a hologram as a concierge, or installs gesture-controlled walls that feature interactive digital displays? Some hotels are already using augmented reality for translation services, or interactive wall maps, or even virtual décor. This pace of innovation is challenging property owners and brands to stay on top of the latest technology trends while still addressing current projects. The January Hotel Business Review will explore what some hotels are doing to maximize their opportunities in the mobile technology space.