Privacy and security are hot issues these days, fueled by significant data breaches affecting companies like Target and, closer to home for hotel operators, Wyndham Worldwide. According to Hospitality Technology’s 2014 Lodging Technology Study, 42% of hoteliers identified “creating a secure framework for all guest data” a top technology goal for 2014. Hotels can’t escape the threat of breaches, but there are some things they can do to minimize concerns, and risks, for guests.
Tatiana Melnik is a lawyer with Melnik Legal PLLC (www.melniklegal.com) in Tampa. In addition to being a practicing attorney, Melnik has a degree in information technology. What’s unique about the Wyndham case, says Melnik, is that “in the number of years that the FTC has litigated or taken action against companies that have these types of security incidents, nobody has challenged the FTC before so this is the first case of its kind.” Wyndham’s motion to dismiss the case was denied by the New Jersey federal district court and the Parsippany, N.J.-based hotel company has already filed a motion for appeal. “If ever a case warranted ... appellate review, this is it,” Wyndham says in a petition filed late in July with the 3rd Circuit Court of Appeals.
The dismissal, according to Melnik, was “a huge win for the FTC — it’s really reaffirmed the FTC’s authority to enforce data privacy and security requirements.” The landscape remains murky for hotel operators and other organizations, she says, in large part because there is still a great deal of gray area in terms of “what it really means to take commercially reasonable efforts to protect consumer information.”
Security is a complex issue that requires hotel operators to ensure that they are covering all the bases to protect guests and themselves. Those bases generally involve three components: technology, staff training and communication, and communication with guests. Of these, the experts say, technology is just a part — and arguably not the most important part — of the answer.
Mark Ozawa is GM of Windjammer Landing (www.windjammer-landing.com), a resort in St. Lucia. He is fortunate, he says, that despite the fact that he operates an independent resort, that resort is owned by the second largest construction firm in Canada, EllisDon Corporation (www.ellisdon.com) based in Toronto. That relationship means that, among other things, Ozawa has access to experts on IT infrastructure and technology.
“Guest and staff privacy and security are clearly at the forefront of the things we do,” says Ozawa. At Windjammer Landing data and access control are segregated. There are three different networks in place: one for the security infrastructure, one for staff and administrative use, and one for guests.
Guest data is protected through a PMS provided by Agilisys (www.agilysys.com). The PMS is isolated from other systems and is backed up and restored daily, both on and off-property. Access controls are monitored and any need for applications to access the system are vetted through the corporate security team. “Our corporate team monitors our access log-in through audit logging and they also monitor the network traffic flows for abnormalities,” says Ozawa.
It is work, he says, that is beyond the competencies of most hoteliers, including himself. Although his background includes work with technology solutions he says, “Frankly it goes against most hoteliers’ natural tendencies. So, when people say ‘oh, you have to secure your network,’ we don’t even know where to start.”
One of the challenges for hotel operators is that guests often interact with the property through multiple channels. Control Scan Security Consulting (www.controlscan.com) recently conducted an audit with a Florida-based real estate developer that owns various resort and club properties. During that, the team discovered multiple previously unrecognized payment card data touch points within a single-location hospitality venue.
Technology is evolving to help with these and offer added payment and data securities. FreedomPay (www.freedompay.com), a commerce platform company based in Radnor, Pennsylvania, recently teamed with Microsoft to offer a joint Payments Platform, combining its Commerce Platform with Microsoft big data tools like Windows Azure.
Despite concerns about the security of data out in “the cloud,” Michael P. Bennett, a partner with legal firm Edwards Wildman Palmer, LLP (www.edwardswildman.com), in Chicago specializing in big data and privacy law, says the greater risk revolves around whether the correct people internally have the right types of permissions.
“Even if you have very good security, if you don’t properly follow through all the way down to the individual employee that’s accessing the information, all of the security that’s at the back end can be for naught,” Bennett states.
For instance, Bennett says the biggest vulnerability for credit cards is not that a customer went online and bought something from an online vendor, but rather it’s that the credit card was used at a restaurant and somebody copied it before running a bill through.
Hotels need to consider security in terms of how customer information traverses the entire network. “You’re looking at what technology and security standards are in place at the actual hotel, but you’re also looking at the administrative requirements. It’s a combination of administrative control, physical control and technical control,” says Melnik.
Internal systems, policies, communication governance, and monitoring who has access to what information are key, agrees Bennett. “These types of permissioning systems — where you’re really looking at who is authorized to look at what and for what usage — are becoming more important.” This approach is preferable, he says, to a model that depends on the consumer giving consent and then having to disclose to them what their data may be used for. Bennett predicts a rise in these types of systems, although he adds that whether or not this will be acceptable from a regulatory perspective remains open. “The regulatory perspective still is squarely within the camp of ‘you’ve got to disclose how you’re going to use the information, use it only for that disclosed purpose, get rid of it when you’re done with it, and have a lot of transparency with the consumer,” Bennett says.
Guest communication is another integral part of the security mix. However, there’s a difference between simply providing information and actually communicating with the guest.
For instance, says Tendell, it’s fairly common for hotels to put security information about WiFi access in a long page of instructions that pops up when guests sign in for access. “But most people don’t read those things,” he says.
Bennett agrees, stating, “One of the big issues there is you could transparently say ‘we’re going to use the data, and how we use it is on the back of your bill,’ but if it’s in fine print and it goes on for 10 pages and basically says ‘we can use it for whatever we want,’ that’s not really disclosing in a meaningful way.”
Sometimes, it’s not just the use of the data a guest has provided that can become problematic, but the use of that data combined with other data. For instance, a hotel might be able to combine payment data with information about eating or leisure preferences.
This big data drift occurs when companies hope to extract value from their existing databases by looking to identify other informational relationships that didn’t previously exist. It’s a murky area that regulators have yet to fully weigh in on, Bennett says.