What hoteliers can do when crises strike
By Robert A. Rauch, CHA, President of RAR Hospitality
The U.S. has been hit with the longest streak of crises—mass shootings, natural disasters and security breaches—in the past decade. Hoteliers need to better prepare and develop plans for not if, but when crises strike.
"Run. Hide. Fight" training and a technology expert at each company is now required. It is paramount to our future liability that we train our staff and have procedures in place for all potential crises.
As to General Data Protection Regulation (GDPR), this has come up quickly and applies to all hotels, especially those that pursue European travelers. Hotels need traveler consent to store any data related to a European traveler, and it is recommended that we start doing that for all guests.
Active shooters and disasters
High school shootings have occurred far too often. The Santa Fe High School shooting could have been far more traumatic and caused the loss of many more lives if the school hadn't had both security and "active shooter" training in place. The training is now required for all hotels. The FBI, your local police department and Homeland Security have comprehensive materials on this subject that will provide as resources for hoteliers. Being prepared for any terror event or natural disaster is critical to both saving lives and minimizing negative impacts.
Rapid hotel evacuation is key to a crisis plan, and all team members must know the evacuation route. Rapid lock down of the hotel or areas of the hotel will limit a shooter's movements. It is vital that hotel staff become acquainted with Homeland Security's detailed guides on this type of training activity. Developing a first-responder pack that includes detailed hotel plans and critical infrastructure would be paramount to a crisis plan as well. Cellphone numbers of all team members must be available to ensure safety and enable crisis communication.
The same protocols regarding evacuation should be established for natural disasters. Just recently, a fast-moving lava flow from Hawaii's Kilauea volcano led local officials to close a highway on short notice. They needed to communicate to all travelers that thin strands of glass fibers carried in the wind could injure eyes and lungs. There must be real training and tangible procedures in place as we must never assume all will be calm tomorrow. I just scheduled our 2018 training with our local police departments for our teams, and I encourage all of you to do the same.
Companies should ensure that the property management system is on a different network than public Wi-Fi and that all networking devices have default account passwords changed. All software and operating systems in use must be up to date with the latest patches and versions, and employees must be trained to recognize harmful forms of cyberattacks to ensure the protection of guests.
All passwords should be reset when an employee leaves the company. Each front-desk employee should have a unique PMS password as well as a secure computer password. Passwords should not be visible to guests. To ensure the security of computer systems, team members should be trained to lock any front-desk operating systems when they step away from the desk, and to never leave portable devices unattended.
Companies need to have internal and external access to IT expert resources 24/7. Protocols should be put in place to prevent hotel staff from using hotel property for personal purposes. Periodic audits of employees and their activities should be enacted to ensure security. This merely touches the basic needs in this area of potential cybercrime.
The GDPR took effect on 25 May. The impact on almost all U.S. businesses is massive. While this is a European regulation, it will significantly impact the global lodging industry. Further, in the event of a cybersecurity attack or data breach, companies only have 72 hours to report the situation or there are financial consequences.
Hotels that actively seek European guests will be required to be compliant with GDPR. This means that hotel guests can insist their data be erased. Sensitive data is personal information about an individual that could be used to discover their identity and gain access to their accounts.
GDPR requires us to designate a data protection officer within our organizations. Companies must gauge whether or not any activity outside of the European Union will require communication with a person in the EU after the initial gathering of information. A risk assessment will review the data gathered and allow EU citizens to make updates to their personal data.
Put your plans together and go out and have a great summer!
Robert A. Rauch, CHAMore from Robert A. Rauch, CHA
Phone: +1 858 720 9500