What will you do when a computer hacker breaks into your network? It is likely to happen sooner rather than later. The Verizon Business 2011 Data Breach Investigations Report ranks the hospitality sector at the top in data breaches in 2010. Hotels, resorts and restaurants eclipsed other contenders, like financial institutions, the study surmised, because cyber-criminals likely view these businesses as smaller, softer, and less reactive targets. Yet they house a wealth of alluring data on employees, customers, and guests.
Data breaches come at the hands of well-meaning hotel employees as well. A human resources manager inadvertently sends an email containing the names, contact information, and Social Security numbers of hundreds of employees. A concierge mislays a laptop containing the personal information of thousands of guests.
However a sensitive data breach occurs, it can be costly. One luxury property chain experienced a series of computer network attacks over several months. More than 700 credit card numbers were compromised. According to The New York Times, losses tallied hundreds of thousands of dollars. Events like this can also irreparably damage a hotel's reputation.
How can you protect against this omnipresent threat? Secure your cyber-borders with state-of-the-art physical computer security and procedures. But know that hackers can and will find ways to circumvent even the most sophisticated technical security. Consequently, in addition to installing high-level network security, envision the worst—and plan for it. Before an event catapults your enterprise into crisis mode, be prepared to respond swiftly and strategically to mitigate the financial damages and protect your business's good name in the face of an incident.
Comfortably Navigating a Breach
Whether data is compromised by a cunning hacker a world away or by a distracted assistant inadvertently tossing sensitive information into the trash, some key steps are critical to an effective incident response.
1. Get to the root of the problem. When a breach occurs, you need to be able to assess an incident quickly to understand exactly what happened and how "bad" it is. Third-party forensic and technical experts are often needed to help determine the cause and the extent of an electronic data breach. The tab for these experts can run $3,500 to $5,000 per day.
2. Assess notification needs. Nearly every state now has a statute outlining steps a company must take in the event of a data breach, including specific requirements for notifying those impacted by the incident. (Check current notification laws by state at www.beazley.com/databreachmap.) Notification costs stack up. Thousands—even tens of thousands—of guests may need to be alerted. The estimated cost of this is $1 to $2 per notification. Plus, legal counsel may be needed to help assess your particular notification requirements (and any other applicable regulatory mandates). And be aware that the regulatory landscape in this area is changing fast.
3. Be proactive in mitigating damages. When individuals realize their data has been lost or stolen, they are understandably concerned. The incident can cast your hotel in a bad light and deflate customer confidence. Indeed, a recent study cites customer turnover in direct response to breaches as the main driver of data breach costs. In 2010, hospitality churn rates increased a point to 5 percent, according to the Ponemon Institute's 2010 Annual Study: U.S. Cost of a Data Breach. Dissatisfied customers who suffer damages may also sue.
That is why it has become common for businesses to offer services to support victims in stemming damages and recovering from an incident. These services, including credit monitoring and other recovery assistance, can be expensive too. Studies by the Ponemon Institute show ex-post response costs—costs of credit monitoring, legal defense, identity restoration, and other assistance for victims—have increased at a double-digit pace in the past five years, reaching $51 per record in 2010.
4. Don't go it alone. Insurance has been available for some time to safeguard hotels against legal liability arising from data breaches. An arguably even greater risk for hotels right now, however, lies in the response to a breach. If that falls short, damages and potential liabilities will mount. Consequently, hotels are wise to shop for insurance products that not only address the liabilities associated with data breach events, but also the numerous costs entailed to respond properly to an incident. Recognizing this need, insurers at the forefront of the cyber insurance market, including Beazley, are arming hotels with a comprehensive package of services that can make a sound breach response turnkey. With that, hotel management can sleep easy...even with hackers at the door.
Nick Economidis is an underwriter, professional liability, at Beazley Group; www.beazley.com.