Not Just Heads In Beds – Cybersecurity for Hotel Owners
By Jim Butler, Chairman, JMBM’s Global Hospitality Group
What part do hotel owners play in preventing a cyberattack and the resulting data breach?
In the article below, my partner, Bob Braun, reminds hotel owners that because they are generally required to indemnify brands and managers for costs the managers and brands incur – which could include a costly data breach – it is in the owners' best interests to have a comprehensive plan in place. This article first appeared in Hotel Business Review in December 2015, and is reprinted with permission from www.hotelexecutive.com.
Not Just Heads in Beds – Cybersecurity for Hotel Owners
by Bob Braun, Hotel Lawyer and Data Security Advisor
The basics of the hotel business have traditionally been simple: good location, fair prices, appropriate amenities and good service were the keys to success. While those factors are important today, hotels are no longer simply a "heads in beds" business; hotels are increasingly brand-oriented. Brands focus not only on the services and products they sell, but on developing the perception and recognition of the brand associated with those goods and services. That means that hotels, like all brands, need to focus more and more on understanding their customers and how to reach them, whether through loyalty programs, advertising, social media or otherwise.
The upshot of the focus on branding in the hospitality business is that hotels gather lots of information about their guests, ranging from credit card data to addresses, phone numbers, travel plans and preferences, birthdays, and more – all of which are valuable not just to the hotel brands and operators, but to cyberthieves. While hotel companies have understood this for years, they are, along with other customer-intensive industries, learning that collecting that information comes with responsibilities and, possibly, liability.
Cybercrime is big business. In 2014, there were 42.8 million detected security incidents (and, most likely, many more that were never discovered). Estimates of the annual cost of cybercrime to the global economy range from $375 billion to as much as $575 billion, as companies face increased vulnerability from greater technology available to cybercriminals and from new types of cybercrime, like crypto-ransom. Cybercriminals began targeting hotels years ago. In 2010, a Forbes magazine article quoted Nicholas Percoco, who said that "The hospitality industry was the flavor of the year for cybercrime. These companies have a lot of data, there are easy ways in and the intrusions can take a very long time to detect." The lesson for hotel owners is that they cannot stand idly by – hotel owners must be proactive by instituting best practices in their own operations, requiring the same from managers, and obtaining insurance coverage to fund the inevitable costs of a breach.
The Wyndham Case
The threat to the hospitality industry became particularly evident in the recent federal court case brought by the Federal Trade Commission (the FTC) against Wyndham Hotels. On August 24, 2015, the Third Circuit United States Court of Appeals issued its ruling in the case FTC v. Wyndham Worldwide Corporation. The case was highly anticipated by the data security community generally for its expected ruling on the authority of the Federal Trade Commission to regulate data security standards, but nowhere was the anticipation more keen than in the hospitality industry. After all, this decision didn't deal with retailers, banks or dating sites – it addressed a major hotel player and, by implication, all operators, brands and owners in the industry. The decision should be a wake-up call to hotel owners because, as described below, hotel owners may ultimately bear the cost of data breaches involving their hotels. Owners should look at the Wyndham decision as an opportunity to consider whether their brands and managers have taken the steps necessary to protect guests and, ultimately, the hotel owner.
The case arose out of a suit brought by the FTC against Wyndham, a global hotel company, for failing to adequately safeguard its computer network, allowing hackers to access customer information, resulting in the compromise of more than 600,000 credit card records and financial losses in excess of $10 million. Wyndham argued that, among other things, the FTC lacks authority to regulate data security standards of commercial entities. The lower court ruled in the FTC's favor, and Wyndham appealed to the U.S. Court of Appeals for the Third Circuit. On August 24, 2015, the Third Circuit affirmed the district court, upholding the FTC's data protection authority. The result is that for the first time, the United States has what amounts to a data security regulator.
What Went Wrong
The FTC claimed that Wyndham made some mistakes. First, Wyndham's privacy statement on its website made claims that Wyndham knew were untrue – that it maintained systems that were safe, while Wyndham was already aware that it had been hacked multiple times. The FTC has brought claims against website operators – and by website operators, we mean businesses – for the same thing as a violation of Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices. Essentially, the FTC took the position that Wyndham had engaged in false advertising.
But the Wyndham decision is particularly helpful because it identifies clearly what Wyndham did – or did not do – that violates the FTC's standards for data security, and not just for advertising. Specifically, the FTC claimed that Wyndham:
- failed to use readily available security measures, such as firewalls
- stored credit card information in clear text
- failed to implement reasonable information security procedures prior to connecting local computer networks to corporate-level networks
- failed to address known security vulnerabilities on servers
- used default user names and passwords for access to servers
- failed to require employees to use complex user IDs and passwords to access company servers
- failed to inventory computers to appropriately manage the network
- failed to maintain reasonable security measures to monitor unauthorized computer access
- failed to conduct security investigations
- failed to reasonably limit third-party access to company networks and computers
Security professionals recognize that this list is a fair representation of minimum security requirements for any information system. Any company that does not address these requirements is likely to experience a breach. While this list does not identify every possible shortcoming, it makes it clear that any firm that collects and maintains data and is guilty of these failures will be seen as engaging in unfair or deceptive trade practices, and can expect that they, too, will be subject to action by the FTC, as well as private plaintiffs.
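Two items on the FTC's list, cleartext storage of card data and default or weak credentials, are ones an owner's reviewer can check mechanically rather than by taking a manager's word for it. The script below is an added example, not part of the original article or of any FTC filing; it runs over constructed sample data (a hypothetical property-management export and a hypothetical account list, both formats invented here), flags payment fields holding a Luhn-valid card number in the clear, and flags accounts using well-known default pairs or passwords that fall short of a length-and-character-class rule. Card numbers in the sample are the publicly documented network test numbers, not real accounts.

```python
"""Audit two FTC-listed deficiencies against sample data (added example)."""
import re

# Constructed sample of a property-management export (hypothetical format).
# The 16-digit values are published card-network test numbers.
SAMPLE_GUEST_RECORDS = [
    {"guest": "A. Traveler", "payment": "4111111111111111"},    # cleartext PAN
    {"guest": "B. Voyager",  "payment": "tok_8f3a9c2d1e"},      # tokenized: acceptable
    {"guest": "C. Nomad",    "payment": "5500 0000 0000 0004"}, # cleartext PAN with spaces
    {"guest": "D. Pilgrim",  "payment": "1234567890123456"},    # fails Luhn: not a PAN
]

# Constructed sample of server accounts (hypothetical format).
SAMPLE_ACCOUNTS = [
    {"host": "pms-01", "user": "admin",   "password": "admin"},
    {"host": "pos-02", "user": "svc_pos", "password": "Xk9#mQ2!vR7pL4"},
    {"host": "db-01",  "user": "root",    "password": "password"},
]

# A few vendor-default pairs; a real audit would load the full list for each product.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "password"), ("admin", "password")}

# Runs of 13-19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?:\d[ -]?){13,19}")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits so a report never re-exposes the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cleartext_pans(records):
    """Return (guest, field, masked PAN) for every field holding a Luhn-valid number."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            for match in PAN_CANDIDATE.finditer(str(value)):
                digits = re.sub(r"[ -]", "", match.group())
                if 13 <= len(digits) <= 19 and luhn_valid(digits):
                    findings.append((rec["guest"], field, mask(digits)))
    return findings


def password_is_complex(pw: str, min_len: int = 12) -> bool:
    """Length plus at least three of four character classes (policy assumed here)."""
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    return len(pw) >= min_len and classes >= 3


def find_weak_credentials(accounts, defaults=DEFAULT_CREDENTIALS):
    """Return (host, user, reason) for default pairs and non-complex passwords."""
    findings = []
    for acct in accounts:
        pair = (acct["user"], acct["password"])
        if pair in defaults:
            findings.append((acct["host"], acct["user"], "default credential"))
        elif not password_is_complex(acct["password"]):
            findings.append((acct["host"], acct["user"], "password fails complexity rule"))
    return findings


def audit(records=SAMPLE_GUEST_RECORDS, accounts=SAMPLE_ACCOUNTS):
    """Combine both checks into one report a reviewer can hand to a manager."""
    return {
        "cleartext_pans": find_cleartext_pans(records),
        "weak_credentials": find_weak_credentials(accounts),
    }


if __name__ == "__main__":
    for category, items in audit().items():
        print(f"{category}: {len(items)} finding(s)")
        for item in items:
            print("  ", item)
```

The Luhn filter matters in practice: without it, every 16-digit confirmation or folio number in an export is reported as a card number and the real findings are buried. The masking in the report is deliberate, since an audit that copies full card numbers into a spreadsheet recreates the very problem it is checking for.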
What Should Hotel Owners Do?
Many hotel owners don't consider the impact of data security because they don't directly collect, store or utilize personal information; they engage managers and brands to do that through reservation systems, loyalty programs and marketing. But hotel owners should be concerned, because they are generally required to indemnify brands and managers for costs the managers and brands incur. To put it simply, if there is a breach, and if the brand or manager has to pay money to manage the breach, the owner will likely have to pay the bill, or at least have a significant struggle over the issue. To be clear, most hotel franchise agreements provide that the hotel will be responsible for defending the franchisor and holding them harmless, even where the data breach came from within the franchisor's reservation system. And independent properties that use third party reservations systems will almost always hold the user – the owner – responsible for a breach.
The cost of a data breach can be high, and not just in the direct costs of notifying guests, remediating a system and dealing with regulatory reactions – all of which are likely to be a direct or indirect cost to hotel owners. The lasting cost is the damage to the reputation of the company that suffered the breach. And while that might seem to be the hotel brand and not the hotel owner, a brand that is known to be insecure will inevitably lose clientele, and the resulting drop in business will be borne, in the end, by the owner.
The list also has a potential benefit to hotel owners, because it allows owners to express their expectations of hotel brands and managers. Owners can, and should, require their managers and licensors to follow the standards set by the FTC as part of their duties, and to bear the cost if they do not.
At the same time, hotel owners should be aware that they, too, are subject to this regime. Hotel owners have to consider that they own, hold and maintain sensitive personal information, such as employment records, health information, financial data and business secrets. As a result, they have a legal obligation to protect that information. Hotel owners must both protect their information, and require their business associates to do the same.
Owners should also consider one additional factor that isn't addressed in the Wyndham decision, but permeates almost every data breach: the human factor. At least 95% of reported data breaches can be traced to an intentional or unintentional act by a person within or associated with the affected organization. The fact is that a company can remedy all of the deficiencies noted by the FTC and still be subject to a breach, because an individual employee or contractor can, effectively, bypass all technological protections simply by responding to the wrong email or clicking on the wrong website. Hotel companies are, as we know, focused on individuals, whether it is serving guests or cultivating employees and associates. Hotel owners should demand of their brands and managers that they focus on the importance of individuals in thwarting these attacks and creating an industry that engenders the public's trust.
Hotel owners should take steps to plan for a data breach. Like other businesses, they should have a comprehensive plan in place, ready to be implemented, when there is a data breach involving one of their hotels. This means having a protocol for addressing the breach, and most importantly, identifying, by name, a response team, including attorneys, security experts, C-level executives, public relations professionals and others who can act immediately to identify the scope of a breach, the proper response and make executive decisions to limit damage.
In particular, cybersecurity insurance should be a special emphasis for hotel owners. First, owners should realize that many, if not most, general liability insurance policies exclude claims based on a data breach – while in the past these claims might have been covered under existing insurance, they are now generally excluded. Instead, owners need to obtain a special endorsement covering cyberclaims.
Insurers offer both first- and third-party insurance for cyber losses. First-party coverage insures against losses to the hotel's data, lost income, or other harm to the business resulting from a cyberattack. Third-party coverage insures against liability to third parties, both guests and governmental or regulatory agencies, that arises from a data breach or cyberattack.
First-party coverage can include:
- Coverage for loss of data;
- Legal and technical services to assess whether a breach has occurred, and to analyze the impact of the attack;
- Business interruption coverage where the hotel might not be able to conduct business due to a cyberattack or data loss;
- Coverage for investigating threats to commit attacks against the hotel systems and payments to extortionists who threaten to disclose sensitive information, or to hold it ransom – an increasingly common practice among cybercriminals; and
- Data loss and restoration, including retrieving and restoring data, hardware, software or other information destroyed or damaged as the result of a cyberattack.
Third-party coverages address:
- Legal, technical and forensic services necessary to respond to governmental inquiries and fines, penalties, investigations or other regulatory actions;
- Costs to notify customers, employees or other victims affected by a breach (although care should be taken to ensure that both "voluntary" notices and notices required by law are covered);
- Crisis management and public relations expenses;
- Credit and fraud monitoring services to the guests and others affected by a breach; and
- Costs associated with lawsuits, judgments, settlements or penalties resulting from a breach.
Owners should be aware that there are wide differences, both in coverage and in cost, among policies. As a result, owners should take care in evaluating and comparing different policies, and consider engaging an expert to evaluate the scope and cost of coverage. Finally, hotel owners should consider requiring their brands and managers to maintain this coverage and to apply it to a claim before seeking indemnification or reimbursement from an owner.
No business is safe from privacy breaches and cyberattacks, and hackers grow more sophisticated each day. This issue is particularly important in the hospitality industry, which relies heavily on its reputation for confidence, something that can be shattered when guests learn that their private information has been compromised. The answer is not, however, just a shifting of liability or allocation of risk; it requires an effort by all involved – ownership, branding and management – to reduce the risk, and hotel owners play a key role in that effort.