Hotel Cyber-Security

11/6/2012 | by Etan Mark, Berger Singerman
Hotel cyber-security is facing increasing scrutiny from federal regulators. Case in point: last June the Federal Trade Commission sued Wyndham Worldwide hotels after apparently unsophisticated hackers allegedly stole the credit card information of more than 600,000 customers, leading to more than $10.6 million in fraud losses. Of particular note, the FTC has accused Wyndham of maintaining a “deceptive” privacy policy, which states that Wyndham engages in “commercially reasonable efforts” to protect their customers’ account and credit card information. The FTC has claimed that Wyndham did not maintain appropriate firewalls, did not configure security software to protect credit card information, did not remedy known security vulnerabilities, and failed to use complex passwords, allowing hackers to infiltrate through “brute force” – essentially by guessing the password of the administrator.

On October 5, the Chamber of Commerce of the United States of America, the Retail Litigation Center and the American Hotel & Lodging Association filed a brief in support of Wyndham’s motion to dismiss the Complaint (the “Amicus Brief”). The Amicus Brief argues that the FTC is “leveraging its enforcement authority to extract settlements from businesses that themselves have been victimized by data security breaches, and that have no formal notice of the standards that the FTC accuses them of violating.” The Amicus Brief further contends that the FTC “enforcement” is ad hoc, and gives “no advance notice to businesses on what they are required to do to comply with the law in a rapidly changing technological environment,” noting that what comprises a “reasonable” data security measure is ambiguous and ever-changing.

So what are reasonable data security measures? The FTC itself has stated that the data security measures it considers reasonable “will depend on the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the information at issue.” In other words, it is nearly impossible to know if your data security is adequate until the FTC tells you it is inadequate. While data security has been a hallmark of compliance for healthcare providers and banks for more than a decade, the hospitality industry has not been subjected to the same regulatory framework. Nonetheless, there are a number of important guidelines that could be followed to lessen the possibility of a data breach, and lessen the possibility of ending up the target of an FTC investigation:

• Review your privacy policy immediately to ensure it is compliant with the most recent standards and that the data security systems in place are actually consistent with the stated policy. For example, the Payment Card Industry Data Security Standard is a protocol designed by a consortium of credit card companies outlining “best practices” with respect to credit card security standards.

• Stay one step ahead. It is worth the up-front investment for IT professionals and attorneys to examine the type of data that is being stored to determine if the access to that data is being appropriately protected.

• Data security work is often outsourced – that doesn’t absolve the hotel owner or operator of liability. Understand the security measures put in place and determine whether they are consistent with the terms of the hotel’s privacy policy.

• If there is a breach, act quickly and decisively. In the Wyndham case, the FTC was particularly disturbed by the fact that there were three significant security breaches in less than two years, and Wyndham allegedly still failed to “remedy known security vulnerabilities.” Moreover, nearly every state has breach notification laws requiring hotel owners or operators to inform those individuals whose data was stolen of the breach.

• Ask your attorney and IT professional to work together to present you with a robust compliance plan, which is both proactive to prevent security breaches and reactive to outline a plan to best deal with those breaches if (or when) they occur.

Etan Mark is an attorney and certified fraud examiner at Berger Singerman. He can be reached at emark@bergersingerman.com or 305-714-4360.
