Security breaches are becoming widespread, with the Ponemon Institute reporting that 73% of corporations experienced the loss or theft of a data-bearing asset in the past 24 months. Many high-profile incidents have involved the public sector and financial services industries but the hotel sector is not immune.
Among the incidents reported in the hotel sector last year was that of a big chain being hacked, with customer data left exposed to security threats. Hackers and thieves have long exploited loopholes and vulnerabilities in IT systems, and many consider these events to be an unavoidable risk when handling data.
Nonetheless breaches of security and data loss can have far-reaching repercussions.
The hotel sector has already been exposed in respect to ensuring the privacy of the data it holds. In 2004 Peter O’Connor conducted research into the privacy policies of the 30 largest international hotel brands and revealed that only 25% fully complied with accepted guidelines.
He further revealed that the associated risks are not fully appreciated by the hotel sector, where large amounts of critical data are used for customer relationship management, reservation and hotel check-in. Hotels spend few financial resources on technology; recent research I conducted indicates that, on average, the hotel sector in Europe spends only 0.92% of revenues on technology, compared to the banking sector, where the figure is about 7%.
This contributes to a low priority for investment in security and data compliance and thus a soft target for data thieves, creating further risk and vulnerability in IT systems.
Customers are also more aware of the vulnerability of their personal data, intensified by incidences reported by the media, most recently on the dangers of identity theft.
Customers are increasingly vigilant with their data assets and are alert to the care and security invested in these assets by all sectors.
Further risk is incurred in the hotel sector due to inadequate IT governance strategies and a lack of visibility across the hotel IT strategic partner network, compounded by the evolution of decentralised systems in hotels, which dramatically increases the risks when compared with the centralised model. This also raises questions about who is responsible for data security: the franchiser, franchisee, management contract company or owner?
This is particularly a problem for the hotel sector, in which some applications and processes are outside the control of the IT department or where the contract between owner and management does not clearly specify where responsibilities for security and data compliance lie.
This can be further exacerbated in terms of outsourcing data storage to third parties where a significant percentage of agreements signed by companies still fail to comply with the basic requirements of data security, and in cases of e-distribution, where client data may be held by third-party distribution partners.
Compliance, standards and legislation
Hotels refer to several recognised standards of data compliance. The Information Technology Infrastructure Library (ITIL) is a set of concepts and policies for managing IT infrastructure, Control Objectives for Information and Related Technology (CobiT) is an IT governance control framework for regulatory compliance and risk management, and ISO27001/2 (ISO/IEC 27001:2005) is the international standard for an information security management system (ISMS).
More recent attention has been paid to payment card industry (PCI) compliance, in which the payment card industries are dictating imminent deadlines for merchant compliance.
Additionally there is legislation that applies to data processing and security for European hotels, the most relevant being the Privacy and Electronic Communications Regulations and the EU Data Protection Directive (also known as Directive 95/46/EC). Each of the member states must enact the rules in national legislation to comply with the directive.
These rules are:
Data must be processed fairly and lawfully.
It must be collected for explicit and legitimate purposes and used accordingly.
Data must be relevant and not excessive in relation to the purpose for which it is processed.
Data must be accurate and, where necessary, kept up to date.
Data controllers are required to provide reasonable measures for data subjects to rectify, erase or block incorrect data about them.
Data that identifies individuals must not be kept longer than necessary.
The directive states that each member state must provide one or more supervisory authorities to monitor the application of the directive. One responsibility of the supervisory authority is to maintain an updated public register so that the general public has access to the names of all data controllers and the type of processing they do.
In principle, all data controllers must notify supervisory authorities when they process data.
Member states may provide for simplification or exemption from notification for specific types of processing that do not entail particular risks. Exception and simplification can also be granted when, in conformity with law, an independent officer in charge of data protection has been appointed by the controller.
Impact on non-compliance
Regardless of which standards of compliance and legislation the hotel sector must adhere to, there are costs beyond the obvious risks of prosecution, fines and penalties, yet hotels do not treat data with the same controls as traditional theft. This way of thinking needs to change quickly.
There are the immediate costs of recovering from the penalties imposed. On average it costs nearly $2m to manage each data security breach.
However costs are hard to predict and some are less quantifiable in the long term. The cost of a data theft far outweighs the cost of a cash theft.
Cash is localised and contained, whereas data affects the brand and all related management and owner entities, which makes data theft as or more important to protect against than cash theft.
If a hotel fails to comply with the EU directives then it may be restricted or prohibited from handling personal data by the supervisory authorities. The prevention of processing electronic data and the subsequent impact on all e-commerce transactions could be catastrophic.
Bad publicity is another potentially dangerous event and could incite customers – who now have rights as data subjects – to demand the details that hotels, as data controllers, hold about them. This may precipitate a flood of requests from customers that hotels are required to respond to and comply with.
The cost incurred in the request process may be significant, as may the compensation or fines if the hotel fails to produce the data in an appropriate format and timely manner. Even the most loyal customers may request the permanent withdrawal of their data assets in the event of injurious publicity.
As hotels increasingly try to forge deeper relationships with clients by collecting data online and offline, the danger that the customer’s data and confidence are violated is increased, with consequent contamination of the hotel brand. A recent study by Ponemon showed that 31% of respondents terminated their relationship with an organisation on receiving notification of a breach of data security.
It can be subsequently expensive to restore the brand values with customers and leverage the brand equity to other stakeholders, for example owners and shareholders. This is particularly critical in cases where brand equity and loyalty form an integral part of the hotel’s value proposition.
Security violations can also cause damage internally in hotel companies, with employees becoming less confident about how they can exploit data, for example in marketing, and their personal liability for data breaches, which may compromise overall performance.
In terms of IT governance there are some agencies, such as Hotel Technology Next Generation (HTNG), that promote and deliver standards to make compliance easier on vendors and hotels. However some basic guidelines are clear.
The first step in the context of compliance is to perform an assessment of risk. For a small, family-run hotel that has no networked IT systems and does not engage in e-commerce, the risk may be minimal.
However for a hotel company that frequently uses credit card payments and transmits, stores and processes most of its data electronically, the risk may be high. No company can have a strong security programme unless it assesses and manages risk, finds a balance between accuracy, privacy and efficiency, and aligns resources appropriately.
The next step is to instil a culture that prioritises compliance and security. This may require a shift in a culture where hotel employees frequently share log-ins, PC screens and storage space, and where several employees may be responsible for handling customer data.
Security and compliance should be viewed as everyone’s responsibility and, in larger companies, a unified programme should be considered from the outset of IT projects. It is also critical to work with approved vendors that are compliant with standards and include compliance in the contract that you negotiate with them via third-party service level agreements that meet compliance objectives.
Next, data surveillance and data encryption should be reviewed or deployed. If this is not within the core competences of the hotel, consider hiring a company that takes care of IT security and compliance needs.
However this may not release you from liability if there is a data compliance breach. If heavily dependent on networks, secure the networks internally and externally, and have a recovery programme in place if disaster strikes.
When compliance fails and security is breached, speed becomes critical. Hotel companies must be geared towards a rapid response to counteract the damaging effects.