Protecting Personal Information from Data Breaches Through Joint Cyber-Defense
By Marc Stephen Shuster Partner, Berger Singerman | January 18, 2015
Co-authored by Steven D. Weber, Member of Berger Singerman's Dispute Resolution Team
Hotel affiliates hold a myriad of customer personal information, and a data breach suffered by an affiliate may impact the hotel's entire brand. One way to mitigate the risk of a data breach is to enter into a joint cyber security defense agreement.
Hotels and their affiliates are attractive targets for data breaches because they receive and store their customers' personal information. That personal information may take the form of, among others, names, addresses, credit card information, and passport information. It may be used for booking hotel reservations, in paying for wireless service, in registering for loyalty programs, for marketing programs, or for numerous other purposes connected to the hotel industry. The personal information associated with a certain hotel brand or property may belong to customers of a certain economic status (such as a travel executive or high net worth individual), making such information especially tempting. Due to the value of the personal information stored by hotels, significant hotel brands experienced data breaches in 2014 in which the personal information of thousands of customers was compromised.
One reason that the hotel industry is susceptible to data breaches is the large number of channels by which a hotel obtains its customers' personal information. For example, many hotels rely on front desk employees or other customer service representatives to receive their customers' personal information. Each has the opportunity to misappropriate that personal information, and even the most well-meaning employee may inadvertently disclose personal information or cause a security breach by, for example, opening a malicious e-mail attachment. In addition, many hotels partner with numerous affiliates who obtain personal information from their customers. Those affiliates may receive that information as the result of, for example, a customer booking hotel reservations or registering for a loyalty program. In some cases, a customer may provide their personal information to an affiliate without even knowing they are doing so. That personal information may then be transmitted to a central booking website or stored by an affiliate as part of a marketing program. Ultimately, all the personal information gathered by hotels and their affiliates may be entered into still more databases that are susceptible to a data breach.
Not all channels receiving personal information operate with the same level of computer security. The weakest channel may cause vulnerabilities in or otherwise impact the most secure channel. In today's world, where hotel affiliates receive personal information through mobile phone applications, the number of affiliates involved in collecting customers' personal information is greater than ever. This means the threat of potential data breaches has also intensified, because those affiliates may not have uniform budgets devoted to computer security. As a result, they may not use the best available encryption or digital certificates, or have access to security teams that can audit their systems for weaknesses, any of which may lead to a data breach that impacts not only the affiliate, but also the hotel brand.
One way to mitigate the risk that an affiliate experiences a data breach is by entering into a joint defense computer security agreement. The joint defense computer security agreement is an agreement by which a hotel brand agrees with all or certain affiliates to cooperate in defending customer personal information. Numerous factors must be considered when entering into such an agreement, only some of which will be addressed here.