When retail giants Target and Neiman Marcus experienced security breaches with customer credit cards during the 2013 holiday season, it highlighted a growing crisis that must concern owners and operators of hotels as well. Bob Braun, a senior member of Hospitality Net’s Global Hospitality Group, looks at the issue of data privacy and offers some ways to ensure hacking does not happen to you.
The Target and Neiman Marcus Problem:
Approximately 50 million Americans – more than 15% of the nation’s population – woke up one morning in December to find their credit card information had been compromised while Christmas shopping. We are not talking about local small businesses that may not be completely tech-savvy and had the wool pulled over their eyes. In total, more than 70 million victims were compromised thanks to a security breach at major retail outlets.
Hotels are obvious targets for identity and financial theft for many reasons. Hotels transact a majority of business through credit cards, and those cards remain on file and are accessed multiple times during a guest’s stay. As items like room service, a spa charge or a restaurant bill are charged to your card, the opportunity for an identity thief to access the information using sophisticated computer hacks, and other malicious software, normally without the hotel’s knowledge, increases substantially.
The recent technology boom across the travel industry has forced many properties to offer wireless internet access. Typically, this service is unsecured, and an unsecured wireless network is “just as dangerous as leaving files of your most important personal documents on a curb for all to see.” (PC World) At the same time, hotels have little say in the matter, as guests are constantly demanding wireless internet service.
Finally, hotels typically have a large number of employees, and many of these individuals have access to the credit card and other personal information of guests. No matter how well trained and supervised, more personnel correlates to greater risk. Factor in that low-level employees typically have access to this key information, along with historically high turnover among hotel employees, and the problem is exacerbated.
What Should You Do?
There are some general considerations that all firms should be aware of that are essential to securing information. These include:
1) Inventory and Identify Information – Hotel operators should inventory potentially sensitive information and document on which computers, servers and laptops it is stored.
2) Restrict Access and Collection of Data – Operators and owners should keep sensitive information on the fewest number of computers or servers. The fewer copies of data you have, the easier it is to protect.
3) Use Technology – Hotels should utilize encryption and other means for storing, and secure connections for receiving or transmitting, credit card information and other sensitive data.
5) Passwords and Access – For internal communications and information, protect sensitive data with strong passwords, and change these passwords on a regular basis.
6) Deal with Vendors – The growing trend in computer systems and services is having expert vendors, outside the company, handle these matters. Make sure to check their security practices and review agreements with these vendors to ensure that they are implementing best practices and that they are responsible for the security of the information they handle.
7) Review Your Insurance – Cybersecurity insurance has gone through tremendous changes in just the past few years. Make sure to review your policies and ensure that they are effective in providing meaningful coverage for your business.
Most importantly, hotel companies need to make a commitment to securing sensitive information. The investment in protecting your hotel today prevents you from being front-page news – for all the wrong reasons – later.