In a Hotel Data Breach, Immediate Response is the New Normal
By Kurt Meister, Senior Vice President, Distinguished Programs | April 01, 2018
If you haven’t heard about the latest data breach to hit a major hotel chain, just do a quick internet search. In 2017, the number of U.S. data breaches hit an all-time high of 1,579, up 45 percent from 2016, according to the Identity Theft Resource Center. And hotels are a prime target. Verizon’s 2017 Data Breach Investigations Report ranks accommodations (hotels and restaurants) as the top industry for point-of-sale (POS) intrusions.
Each data breach creates its own unique set of headaches. One is financial cost. From 2014-17, POS-related investigations cost an average of $735,000, and the figure grew (as high as $17 million) with the size of the organization, according to NetDiligence.
Reputation damage is equally concerning. Consumers expect hotels – and all businesses – to protect their data no matter what. And when a data breach occurs, they expect immediate action, often faster than the six-to-eight weeks allowed under most U.S. laws.
For many hotels, the question is no longer if a data breach will occur, but when. That’s why hotel owners, operators and franchises must be protected and prepared.
Evaluate Your Risks
Because the U.S. hospitality industry attracts millions of guests each night – and because those customers pay for almost everything with a credit card – cybercriminals see hotels as a potential windfall.
Data show breaches are an equal-opportunity crime. According to NetDiligence, nearly half (47 percent) of all cyber claims filed in 2017 came from companies with less than $50 million in revenue.
Because hackers and other cybercriminals typically seek credit card information, POS terminals provide the highest risks for hotels. Smaller hotels may have only a few POS exposures, perhaps at the front desk or the snack bar. But resort hotels – those with separate restaurants, lounges, spas, boutiques and swim-up bars – will have far more. In addition, resorts tend to attract guests with a higher net worth, making them more attractive to cybercriminals.
Hotel reservation systems also carry risks. Even though many hotels use third-party systems, guests affected by a data breach will typically turn to the hotel, restaurant or spa where they used their credit card to find a resolution. In addition, the hotel owner or management company who contracted with that third-party service will likely be held liable in the event of a breach.
While POS terminals and online reservation systems give cybercriminals prime opportunity to steal data, some data breaches involve those closest to your business – your employees. It’s your responsibility to properly safeguard the vast amount of employee data you maintain, whether it’s stored in a database or a filing cabinet.
You also must ensure all your devices – including cell phones, laptops or tablets you provide to employees – store personal information securely, and that those devices can't simply go "missing": a lost laptop holding unencrypted guest or employee records is a breach in its own right. It takes just one rogue employee to destroy or disable a program, disrupt services, steal valuable information or unwittingly disclose personal information.
Other risks for hotels include phishing schemes, where an attacker sends a phony email designed to extract passwords or personal information, and negligence, which may include sharing of passwords, improper disposal of personal information, or information stolen from unattended devices. A misstep in any of these areas may cause a data breach to occur.
Prepare Your Hotel to Respond Immediately
When a data breach happens, you may first wonder who will be held accountable. But long before liability is determined, your hotel must respond. This can be an expensive process (NetDiligence reports the expense for cyber event recovery reached as high as $475,000 in 2017). But it can't linger.
Here are the first three things you need to do:
1. Investigate the breach
You'll need someone with forensic expertise in information technology (IT) to identify the source of the breach, detect how your system was breached, collect and preserve evidence (images of the affected systems and the POS and network logs, before anything is wiped or rebuilt), determine which data was stolen, and figure out how many people it affected. As part of their investigation, forensic IT experts will need to build a timeline to determine how long data was compromised.
2. Manage the PR problem
According to Cisco’s 2017 Annual Cybersecurity report, 49 percent of organizations had to manage public scrutiny after a data breach, and 38 percent of businesses saw substantial loss of revenue as a result. That’s why you’ll need public relations experts on your side who can handle media inquiries, create a plan to protect your hotel’s reputation, and help to minimize reputation damage to your hotel and brand.
3. Notify customers quickly
This is harder than it sounds. Notification laws vary by state, and they're keyed to the state of residence of the individual whose information was breached, not to the location of the hotel. Because most hotels serve guests from throughout the U.S. – and even international guests – you'll need expertise in making sure you notify the right people in the right place at the right time.
Get the Right Cyber Liability Coverage
Given the prevalence of data breaches today, many in the hospitality industry may benefit from cyber liability coverage. Before you look at options, review your current coverage. Some businesses mistakenly believe their Commercial General Liability policy offers cyber coverage. This belief is often wrong.
Next, consider the many liabilities you may face in the event of a breach, and make sure you’re covered for all cases. Here’s an example: Let’s say you’re a hotel owner. You hire a management company to run your hotel. And your hotel is using your franchise’s reservation system. A breach occurs in that system. The franchise could be held liable and may hold its own cyber liability policy. But as the owner, have you checked the current state of the franchise’s policy? What if the franchise has already reached its policy limits?
In addition, the management company could be held liable, because they are the users who interact with the reservation system. Do you know the status of their coverage? And, of course, as the owner, you could be brought into a suit, too, because you hired the management company that worked with the breached system.
That’s why all parties – owners, operators and franchises – should have standalone cyber liability coverage. Hotel owners should verify their coverage meets their brand or lenders’ standards. Even if your brand has its own cyber liability coverage, you should consider contingent insurance in case that policy is exhausted.
When we advise hospitality clients on purchasing cyber liability, we tell them to look for these four features of a quality policy:
1. Loss control – Look for insurers who will provide you with risk management practices specific to hoteliers that will help you protect yourself – and your guests – at no charge.
2. Actual coverage – Seek policies offering coverage for both liability and customer notification costs. We suggest organizations with under $25 million in revenue consider up to $5 million limits and at least 250,000 notifications (not a capped dollar amount). You’ll also want a policy that covers Payment Card Industry (PCI) fines and regulatory defense/penalties resulting from breaches, and one that offers first-party coverage for losses from network security breaches.
3. Crisis response services – Quality policies will provide forensic IT experts, legal help to navigate the maze of state-driven notification requirements, and crisis management or public relations services. Then you’ll need the company to actually send the notifications to the affected parties for you.
4. Post-crisis services – Look for a policy that will provide ongoing credit monitoring after a breach for those affected. And when the calls come back from the affected parties, you’ll need the company to handle those – so you can focus on managing and growing your business.
Close Any Cybersecurity Loopholes
While the right cyber liability coverage will provide you with multiple resources if a data breach happens, keeping all your guests' (and employees') information secure is a never-ending process. Reduce your risks with these tips:
- Thoroughly vet vendors – Review your agreements carefully and require your vendors to meet the Payment Card Industry Data Security Standard (PCI DSS) everywhere card data is accepted, processed, stored or transmitted.
- Establish a written IT policy – Make sure it’s followed by all employees – front desk, maintenance, management – and not just by the IT department.
- Use best practices for cyber security – Is your hotel (or its vendor) using properly configured firewalls, with POS terminals kept on their own network segment away from guest Wi-Fi and back-office systems? Do you have antivirus protection on all devices, including laptops, smartphones and tablets? Do you filter spam and malware out of inbound email to blunt phishing attempts? Encrypt data at rest and in transit, and apply the same standard across every device.
- Limit employee access – Only allow an employee to access personal data if it's a requirement of his or her specific job or role, and review those rights when roles change. When employees leave your organization, terminate their access to your IT systems no later than the exit interview.
- Watch what’s on your website – Have management review all content before it’s posted. This will help prevent a lone employee from “going rogue.”
- Respond to guest comments with care – Create a written policy regarding how your hotel will respond to negative reviews and guest comments, whether it's on their own social media pages or a third-party travel site. This will mitigate potential libel or defamation risks and will help manage your brand's reputation.
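One concrete check behind the PCI DSS and encryption tips above is to look for card numbers that have leaked into places they should never be stored, such as POS or application logs. PCI DSS requires the primary account number (PAN) to be rendered unreadable wherever it is stored and masked to at most the first six and last four digits wherever it is displayed. The Python script below is an added example, not code from the article or from Distinguished Programs: it scans log lines for digit runs that pass the Luhn check, reports only the masked form, and can redact a line in place. The log format is constructed for the example, and the card numbers are the publicly documented Visa, Mastercard and American Express test numbers, not real accounts.

```python
import re

# Constructed sample POS log lines (not from the article). The card numbers are
# the standard published test numbers; the confirmation number is a 16-digit
# value that fails the Luhn check and must NOT be reported as a PAN.
SAMPLE_LOG = [
    "2018-04-01 18:02:11 POS-LOBBY-02 auth ok card=4111 1111 1111 1111 amt=142.50",
    "2018-04-01 18:05:40 SPA-01 auth ok card=378282246310005 amt=89.00",
    "2018-04-01 18:07:03 FRONTDESK confirmation=1234567890123456 room=412",
    "2018-04-01 18:09:55 SNACKBAR auth ok card=5555-5555-5555-4444 amt=6.25",
]

# A PAN is 13 to 19 digits; operators and POS software often write it with
# spaces or dashes between groups, so allow one separator after each digit.
# The lookarounds stop the pattern from starting or ending inside a longer
# digit run (for example a timestamp glued to a number).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit PAN in text, separators removed."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the most PCI DSS allows on display)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_line(line: str) -> str:
    """Replace each Luhn-valid PAN in a line with its masked form; leave the rest."""
    def _sub(m):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)
    return _CANDIDATE.sub(_sub, line)


def scan_log(lines) -> list:
    """Return (line_number, masked_pan) for every PAN found, 1-indexed.

    Only the masked form is returned so that the scanner's own report does not
    become one more place where full card numbers are stored.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: unmasked PAN stored ({masked})")
    print(redact_line(SAMPLE_LOG[0]))
```

Run it over real POS, web-server or application logs (one line per record) and any line it flags is a PCI DSS finding to fix at the source, not just to redact: the system writing the log should never have had the full PAN to write. The Luhn check filters out most look-alike numbers such as confirmation codes, but it is a checksum, not proof, so treat a hit as something to verify rather than as a confirmed card number.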
The fear of the unknown makes data breaches scary. But you can take charge. Know your risks. Gather the appropriate resources. And take the proper steps to protect your data. That way, when a crisis occurs, you’ll limit any financial or reputation damage to your brand, and you’ll get back to doing what you do best – growing your revenue.
HotelExecutive.com retains the copyright to the articles published in the Hotel Business Review. Articles cannot be republished without prior written consent by HotelExecutive.com.