Imagine that you are hosting a child’s slumber party. Everything is going along fine, if chaotic, and then suddenly you hear a piercing shriek from the backyard. A child has fallen from your playscape and broken his arm. Who’s accountable? You could make an argument that the makers of the playscape should pay the child’s medical expenses since the company made the tool on which the injury occurred. But we all know that’s not the way it works, and that, instead, homeowners are expected to carry homeowner’s insurance, which will hopefully cover the child’s medical expenses should it come to this.
In a similar vein, some in the hotel industry are experiencing a rude awakening when it comes to data accountability. Last July, Sabre Hospitality Solutions reported a data breach in their reservations systems. The breach affected Four Seasons Hotels and Resorts, Trump Hotels, Loews Hotels, Kimpton Hotels, and more. Though it was Sabre’s responsibility to report the breach to the hotels with compromised data, at the end of the day when it came to paying the fines for their guests’ mishandled information, hotels were the ones on the hook.
With the introduction of PCI regulations, the burden of responsibility has shifted from the payment card companies to the merchant, namely hotels. This is also true when the breach is the fault of a technology vendor that the hotel works with. Therefore, hotels must make every possible effort to ensure that each of their vendors that handles customer data is compliant with national payment card industry data security measures—also known as PCI Compliance. The PCI Security Standards Council is the governing body (made up of payment card industry businesses, e.g., Visa and Mastercard) and has developed the PCI Data Security Standards that hoteliers must follow.
The Actual Cost
IBM’s 2017 Ponemon Cost of Data Breach Study showed that the average cost of a data breach is $3.62 million. That is $141 for each lost or stolen record. And the report notes that the average size of data breaches has increased to more than 24,000 records.[i]
For small hotel groups and independents, the financial liability can have devastating consequences. Rosen Hotels & Resorts, a seven-property hotel company in Central Florida, experienced a data breach in 2016. According to a lawsuit filed against Rosen by their insurance company, the hotel group saw “a $1 million fine each from Visa and MasterCard; a $128,830 fine from American Express; $50,000 in attorneys’ fees; $40,000 in costs to send notifications to clients; $15,000 in fees to a crisis-management firm; and a bill for $150,000 to a data-forensics team that identified the breach. The costs could continue to grow if Rosen faces additional legal claims from customers, according to the lawsuit.”[ii]
Our country and our industry are still, in the big scheme of things, fairly inexperienced in dealing with security breaches. There is little standardization when it comes to recourse. So companies like Rosen see fine after fine, are challenged by their insurance companies, and still face possible lawsuits from the affected guests. It’s a recipe for disaster, one that’s not going anywhere. As industry insider Tim Critchley notes, “Hotels are high-value targets for cybercriminals because they not only hold payment card information on guests, but also a wealth of other sensitive personal data that can be used to steal their identity.”[iii]
Complicating matters is what lawyer Robert Braun calls “cross-contamination.”[iv] Frequently, data security breaches in the hospitality world are at the point-of-sale, which is almost always a third-party system. Because so many of a hotel’s data systems are interconnected, this means that all of the systems become a target, not just the one point-of-sale technology.
Hotels must take extreme precautions not only with their on-site security processes but also with their third-party systems, especially the point-of-sale systems through which guests provide their credit card information via a call center or booking engine. PCI Compliance is one of the few standards hotels can use to gauge the security of their third-party point-of-sale providers.
“Level One PCI Compliance is extraordinarily challenging to obtain, and any technology provider that does so is demonstrating their dedication to the security of their hotels,” says Amber Mayer, NAVIS VP of Product.
The Hidden Cost
While the financial repercussions of a data breach can take a toll—and for some will be devastating—the hidden cost of a security failure comes in the form of a degraded brand and a decline in customer loyalty.
A survey by Ponemon showed that 31% of consumers said they discontinued their relationship with a company that had a data breach, while 65% said they lost trust in the breached organization.[v]
For hotels, the impact can be worse than other industries due to the nature of the relationship. Matt Rizzetta, CEO of brand communication firm North 6th Agency tells Hotel Management, “The brand crisis is exacerbated in the hospitality industry when a data breach happens due to the intimate connection between the customer and the hotel brand… The communication strategy needs to reflect the intimate nature of the guest/brand relationship.”[vi]
Make Security a Part of Your Brand
There is only so much you can control, and data breaches can happen no matter how careful you are. It’s a fact of modern life. Hotels must rely on multiple vendors to serve guests in an increasingly technologically savvy and complicated world. There are, however, many ways to head off data breaches at the pass.
1. First, conduct a comprehensive review of internal security measures, with priority given to the reservations department.
2. Equally important, assess call centers and booking engines for compliance.
3. Then review all platforms and providers that integrate with point-of-sale technology to confirm their PCI Compliance.
Here’s the big one: Once you have invested in security and compliance, make it a part of your brand.
According to Ponemon, companies that report a data breach experience, on average, a 5% decline in stock prices. However, “companies that self-reported their security posture as superior and quickly responded to the breach event recovered their stock value after an average of 7 days.” Companies that had what was identified as a poor security posture had a stock decline that lasted more than 90 days.[vii] The takeaway: take security seriously and integrate it into all aspects of your hotel business so that, even in the event of a breach, brand trust is recoverable.
In an ideal world, though, you avoid a security breach altogether with proactive security measures applied to your internal and third-party systems. Though the steps to securing your data systems may seem overwhelming, doing nothing is far more costly. It’s not if a breach will happen, but when. Ensure you are partnering with vendors that take security seriously to minimize the chances of a breach and to control the reach (i.e., how much data is breached).