The media is filled with daily accounts of companies experiencing data breaches and theft. While credit card and other financial data is a common target, hotels and motels also hold a wide range of other personal data that is increasingly targeted by cyber criminals. Trustwave’s 2013 Global Security Report found that nine percent of all data breaches were in hospitality, making it the third most vulnerable industry.
The importance of data security in the hospitality industry has increased in recent years with the rise of online bookings and the additional data collection avenues available, such as social media, mobile applications and website booking engines. Data attacks can be costly for hotels, both in the cost of trying to recover data and in lost revenue from future customers choosing a competitor because of the breach. According to the 2013 Symantec Corp. and Ponemon Institute Cost of Data Breach Study, data breaches cost an average of $136 per record.
While representing hospitality clients both to prevent data breaches and after incidents, JMBM Data Security Group (www.jmbm.com) has found that the industry is challenged by the amount and variety of data it collects. In addition to the obvious credit card data, hotels also collect personal information such as addresses, phone numbers, spending patterns, children’s names and ages, and travel plans. The JMBM law firm also points to confusion as a significant challenge in this industry: there is a lack of agreement over who owns the data, and therefore over who is liable if a breach occurs.
Tap specialized consultants and tools
Because security is a highly specialized area, many hotels and management groups opt to purchase products and services from a company specializing in security instead of assigning data protection to their in-house IT department. “Being a log-monitor would not be an efficient use of our time. I simply don’t have the staff to do that,” says Jeff Parker, vice president of technology at Magnolia Hotels (www.magnoliahotels.com). The hotel management group uses Trustwave’s (www.trustwave.com) security products in the data center as well as on every computer at each property. Magnolia Hotels has not experienced any hacking incidents or data breaches.
When purchasing software, Voltage Security (www.voltage.com) recommends hotels use a product that protects guest information at the point of entry, such as its SecureMail or SecureMobile Plus. Both solutions protect information when it is entered on the screen. Ask potential vendors if data is protected in this way, or if instead the data container is only protected by an SSL certificate after submission. Attacks now come in a variety of ways that differ from traditional theft, so it is also essential to know your exposure and which solutions provide protection. Akamai (www.akamai.com) Kona Security Solutions, for example, protects hotels against Denial of Service (DoS) attacks through its more than 137,000 servers around the world that cache the website near the end user’s location. DoS attacks occur when a hacker floods a website with requests, with the goal of bringing the website down.
Another option is hiring a technology-neutral consultant to evaluate your security, recommend the best product and help you maintain a secure data environment. Consultants should be able to use relevant experience from other hospitality clients and even other industries to provide you with the most up-to-date protection strategies. Deloitte consultants (www.deloitte.com) have found that many of the lessons learned protecting financial data in the banking industry, such as the types of technology used for attacks, are applicable to the guest data problem in the hospitality industry.
Comply with regulations and policies
Consumer privacy has become a highly regulated area, with both national and state entities enacting policy for data under their jurisdictions. In fact, Voltage has found that many of its customers are accountable to regulations from multiple jurisdictions. Since the very nature of the hospitality industry means that most guests are from another area, inquire about and verify that you are satisfying all legal and privacy requirements for the areas in which you operate.
Even if you install the most effective products or hire the most experienced consultants, your data will not be secure unless you integrate data security policies into your hotel’s daily processes. Magnolia Hotels makes sure that a firewall is installed on every computer, both at its properties and its data center. The company also installs all software patches from vendors in a timely fashion to fix any data leaks. “One of the most important steps we have found is to change the vendor-provided password on any products that touch guest data,” Parker says.
Educate guests and staff on data security
Guests have a heightened awareness about data security, so it’s important to communicate with them about data privacy policies. Magnolia includes the legal privacy statement on the guest registration card as well as on the website for each hotel it manages. “While it is important to let customers know that you are protecting their information, we keep the information we provide at a basic level because we don’t want to give out information that compromises our data,” Parker says.
The hotel management company also includes data security training in new employee orientation for all positions, from room attendant to front desk. “Every year, each employee—even our owners—takes a data security refresher course,” says Parker. “Additionally, we keep copies of all of our security policies on the network so each employee can quickly access the information anytime that they have a question.”