Guest Data: An Asset or a Liability in the Age of Cybersecurity?
By Tara K. Gorman Partner, Perkins Coie LLP | June 18, 2017
When guests check into a hotel, there are plenty of mechanisms to protect their physical "stuff", but how can they be so sure that their personal information is protected? This is the question that hotel owners and operators alike are keenly focused on in the aftermath of cybersecurity breaches in the hospitality industry - and in other industries as well. One of the key negotiating points between owners and operators during the initial negotiation of the hotel licensing and management agreements is "which party owns the guest data?" - each party fighting to win the battle and have the right to walk away with the guest data when the relationship ends.
This article will explore whether guest data is an asset or a liability in the age of cybersecurity by exploring the rules and regulations that govern privacy and security, steps that hotel operators and owners can take to ensure that they are in compliance with privacy and security requirements for guest data, and privacy considerations. For ease, we will use the term "hotel operations" when discussing the obligations of the hotel owner and hotel operator in connection with guest data.
What is Guest Data?
The bell hop takes the suitcases and places them in the guestroom, or in a locked and guarded closet. The guest has the option to park her car in a protected garage. And there is a safe deposit box in the guest room to protect the guest's valuables. But what is the first thing that the guest is asked at check in - "may I see your driver's license and credit card, please?" And this question is often asked after the guest has registered online or through the hotel's registration procedures, at which time even more personal information was obtained by the "hotel". That personal information is called guest data.
Name, address, email address, phone number, credit card number, driver's license number, make/model and license plate number of vehicle (if parking at the hotel), and in some cases even social security number. In an effort to make the guest's stay more pleasurable and to give personalized service, boutique hotels and even some of the larger hotel brands keep track of even more intimate personal information, such as food and beverage preferences, which newspapers or periodicals the guest reads, types of activities that the guest enjoys when staying at the hotel and the like. Thanks - that's a nice touch, but a bit creepy too.
So now that the hotel operations have collected all this guest data, what are they going to do with it? And is all that information an asset or a liability? Fred Fedynyshyn, a privacy and security compliance attorney at Perkins Coie, marveled at how times have changed: "For years, companies collected as much data as they possibly could, thinking that they could worry about how to monetize it later. Now, they are beginning to realize that this information is a liability, not an asset, unless they are collecting, storing, and using it properly."
The Hotel Business Review articles are free to read on a weekly basis, but you must purchase a subscription to access
our library archives. We have more than 5000 best practice articles on hotel management and operations, so our
knowledge bank is an excellent investment! Subscribe today and access the articles in our archives.