In November of last year, ride-sharing service Uber announced that it had suffered a data breach in 2016. (They then made the mistake of paying the hackers $100,000 to delete the information and keep it a secret.) But it wasn’t Uber’s internal system that was hacked; it was actually GitHub, a service that Uber’s software engineers use to collaborate on software code.
In 2015, HomeAway suffered a breach of critical homeowner data via their third-party payment processor Yapstone. Though guest data wasn’t at the heart of this breach, what’s essential to understand in both of these cases is that when it comes to accountability for data security, vacation rental companies are equally, and frequently more, responsible for the breach even if the breach occurs on third-party technology. The costs of breaches such as this come in the way of fines, lawsuits from government entities and consumers, significant brand damage, and the risk of having your ability to process credit cards taken.
Therefore, vacation rental companies must make every possible effort to ensure that every one of their vendors that handles customer data is compliant with national payment card industry data security measures—also known as PCI Compliance.
The Actual Cost
IBM’s 2017 Ponemon Cost of Data Breach Study showed that the average cost of a data breach is $3.62 million. That is $141 for each lost or stolen record. And the report notes that the average size of data breaches has increased to more than 24,000 records.[i]
For vacation rentals, the financial liability can have devastating consequences. To demonstrate the extent of a data breach situation, look at the small Florida hotel group Rosen Hotels & Resorts. The group, which owns seven properties, experienced a data breach in 2016. According to a lawsuit filed against Rosen by their insurance company, the group saw “a $1 million fine each from Visa and MasterCard; a $128,830 fine from American Express; $50,000 in attorneys’ fees; $40,000 in costs to send notifications to clients; $15,000 in fees to a crisis-management firm; and a bill for $150,000 to a data-forensics team that identified the breach. The costs could continue to grow if Rosen faces additional legal claims from customers, according to the lawsuit.”[ii]
Our country and our industry are still, in the big scheme of things, fairly inexperienced in dealing with security breaches. There is little standardization when it comes to recourse. So companies like Rosen see fine after fine and are challenged by their insurance companies and, still, they face possible lawsuits from the affected guests. It’s a recipe for disaster, one that’s not going anywhere. As industry insider Tim Critchley notes, the hospitality industry provides “high-value targets for cybercriminals because they not only hold payment card information on guests, but also a wealth of other sensitive personal data that can be used to steal their identity.”[iii]
Complicating matters is what lawyer Robert Braun calls “cross-contamination.”[iv] Frequently, data security breaches in the hospitality world are at the point-of-sale, which is almost always a third-party system. Because so many of a vacation rental company’s data systems are interconnected, this means that all of the systems become a target, not just the one point-of-sale technology.
Vacation rental companies must take extreme precaution not only with their on-site security processes but also with their third-party systems, especially the point-of-sale systems through which guests provide their credit card information via a call center or booking engine. PCI Compliance is one of the few standards vacation rental managers can use to gauge the safety of their third-party point-of-sale providers.
“Level One PCI Compliance is extraordinarily challenging to obtain, and any technology provider that does so is demonstrating their dedication to the security of their vacation rental companies,” says Amber Mayer, NAVIS VP of Product. “Vacation rental companies are at even greater risk for a truly damaging impact of a breach than the big hotel companies. Hotel brands tend to have deeper pockets than vacation rental companies when it comes to rolling out crisis campaigns and paying all the hefty fines.”
The Hidden Cost
While the financial repercussions of a data breach can take a toll—and for some will be devastating—the hidden cost of a security failure comes in the form of a degraded brand and a decline in customer loyalty. As the New York Times noted about Uber’s cover-up, “the handling of the breach underscores the extent to which Uber executives were willing to go to protect the $70 billion ride-hailing giant’s reputation and business, even at the potential cost of breaking users’ trust and… state and federal laws.”[v]
A survey by Ponemon showed that 31% of consumers said they discontinued their relationship with a company that had a data breach, while 65% said they lost trust in the breached organization.[vi]
For the hospitality industry, the impact can be worse than other industries due to the nature of the relationship. Matt Rizzetta, CEO of brand communication firm North 6th Agency notes, “The brand crisis is exacerbated in the hospitality industry when a data breach happens… the communication strategy needs to reflect the intimate nature of the guest/brand relationship.”[vii]
Make Security a Part of Your Brand
There is only so much you can control, and data breaches can happen no matter how careful you are. It’s a fact of modern life. Vacation rentals must rely on multiple vendors to serve guests in an increasingly technologically savvy and complicated world. There are many ways to head off data breaches at the pass, however.
1) First, conduct a comprehensive review of your internal security measures, with priority given to the reservations department.
2) Equally important, assess your call centers and booking engines for compliance.
3) Then review all platforms and providers that integrate with your point-of-sale technology to confirm their PCI Compliance.
Here’s the big one: Once you have invested in security and compliance, make it a part of your brand.
According to Ponemon, companies that report a data breach experience, on average, a 5% decline in stock prices. However, “companies that self-reported their security posture as superior and quickly responded to the breach event recovered their stock value after an average of 7 days.” Companies that had what was identified as a poor security posture had a stock decline that lasted more than 90 days.[viii] The takeaway: take security seriously and integrate it into all aspects of your vacation rental business so that, even in the event of a breach, brand trust is recoverable.
In an ideal world, though, you avoid a security breach altogether with proactive security measures applied to your internal and third-party systems. Though the steps to securing your data systems may seem overwhelming, doing nothing is far more costly. It’s not if a breach will happen, but when. Ensure you are partnering with vendors that take security seriously to minimize the chances of a breach and to control the reach (i.e., how much data is breached).