Cybersecurity: A Hospitality Industry Reality

There is quite a bit of news about cyber concerns and breach of security from both the business community as well as individuals. We continue to hear stories about people having their identities or credit-card information stolen and used by thieves. Technology has become a convenience that hotel and restaurant guests have come to expect. In addition, technologies and applications continue to be developed at lightning speed because business owners want to provide their guests with ultra-convenience. The bad news is that cyber crime is pervasive. Cyber thieves are crafty and persistent in finding ways to breach security to gain access to personal information. The hospitality industry, hoteliers, restaurants and other such businesses that rely on the use of personal information to provide service to their customers are particularly at risk. Here are but just a few of the areas to consider when limiting exposures and liability. Initial steps in the risk-management process Hospitality companies should first focus on developing a robust internal risk-management program, including the establishment of strong policies and procedures; training and insurance can reduce the chances of a data breach and mitigate the damages if a breach occurs. In general, an organization should review the following areas to begin developing a well-rounded risk-management program:

• Corporate security policy
• Asset classification and control
• Personnel security
• Computer-network and management protocols for vulnerability
• System access controls
• Privacy and regulatory compliance

Then, ask yourself, “What does our company have in place to mitigate our exposures?”

• Do we have an effective privacy policy? A policy that your company does not follow is worse than not having a policy at all; therefore, ensure your policies are distributed among, and followed by, employees.
• Do we have an effective privacy-breach response plan? Review your incident-response plan regularly and ensure team members are prepared to jump in when an incident occurs.
• Do we continuously test our disaster-response and business-continuity plans? Work closely with your business partners to ensure they are properly handling your confidential data. Vendors are the cause of at least a third of all data-security incidents.

Risk assessment and insurance coverage An annual security-risk assessment might be as simple as asking the following questions: 1. What are our risks/exposures? These can be broken down into two parts, first-party claims and third-party claims:

• First-party claims would include forensic examination expenses; PCI/PFI audit costs; privacy notification costs; privacy counsel fees; mailing notification costs; credit-monitoring and call-center services; business interruption (loss of income); intellectual property loss; public relations; and extortion.
• Third-party claims include claims by private litigants, consumers or other businesses; claims by state attorney generals; claims by the FTC; regulatory fines and penalties; PCI fines and penalties; loss of business; and damage to reputation.

2. What are the threats? 3. Where are we exposed? 4. What is our insurance coverage? What are the gaps in existing coverage? 5. What’s covered and what’s not — how will our policy respond if there is a cyber-security event? 6. How can insurance gaps be addressed? Franchise concerns Franchise agreements should address several important data-security concerns, cyber-insurance, breach notification and PCI (payment card industry) compliance. Franchise agreements should require franchisees to purchase a specified amount of cyber insurance coverage in the event of a data breach. Recently the cost to an organization has been placed at upwards of US$190 per individual. In addition, the franchisee should be required to promptly notify the franchisor of all breaches in security and immediately notify the franchisor of all breaches of sensitive information. The franchisor must be able to control the response to the security breach, including the decision as to whether public disclosure is required. The franchisor may also want to consider being notified of any impermissible uses or disclosures, not just those that rise to the level of a breach. First, this allows the franchisor to monitor the practices of the franchisee to determine if it wants to continue the relationship. It also provides the franchisor with control over what it considers to be a breach. This is important since it is the franchisor's reputation that is typically on the line regardless of who actually caused the breach. Every U.S. business that accepts credit or debit cards must comply with the PCI's Data Security Standard (PCI DSS). Potentially devastating financial repercussions include fines of up to US$50,000 per incident, liability for losses relating to the compromised account information and re-issuance of cards and possible suspension of merchant accounts. Therefore, the franchise agreement should specifically address data security and require franchisees to comply with the PCI DSS, even though the PCI mandates compliance with its DSS. Additionally, any third-party vendors should be contractually obligated to comply with those same requirements, and contractual indemnity should be considered. Cyber attack realities The ramifications of a cyber breach could be both financially and operationally catastrophic to any hospitality company. Losses could include costs associated with litigation expenses and fines as well as defense. The cost of business interruption and loss of income could be debilitating. The bottom line is that cyber-related risks are the real deal and can be very costly. We live in a cyber world, and we all must learn to deal with the associated risks from both a business and an individual perspective. Nota bene: This article has been co-authored by Keith Kefgen and R. Scott Wolff, Premier Risk Management, the risk-management arm of Aethos Consulting Group