Ask when—not if—a security breach will happen at your hotel

NATIONAL REPORT—The recent cyberattack at Marriott International Inc. has many hoteliers wondering: What are the legal and business risks associated with security attacks?

“The recent breach at Marriott further proves the point that businesses should prepare now or be willing to pay for it later,” said Greg Sparrow, SVP and GM at CompliancePoint, a Duluth, GA-based data privacy and cyber security consultancy. “They have an opportunity to learn from Marriott’s mistakes and implement appropriate security controls to help mitigate this risk.”

In November 2018, the Bethesda, MD-based hotel company revealed there had been unauthorized access to the Starwood guest reservation database, which contained guest information relating to reservations at Starwood properties on or before Sept. 10, 2018.

“Businesses face a multitude of risk when looking at the potential consequences resulting from a cyberattack or breach,” Sparrow said. “As we’ve seen recently with the Marriott breach, there can be significant impact to brand equity in the marketplace. This impact can be far reaching for publicly traded businesses, resulting in material impacts to businesses and business valuation, and long-term impact to user adoption. In addition to the downside risk from the market, businesses must also mount expensive defenses against litigation that increasingly takes the form of class actions. Reputation is important in every trade, but is especially important in the hospitality industry. This, coupled with the fact that consumers are becoming more sensitive to privacy and security related issues, means that businesses in the hospitality industry must manage against these types of risk and allocate appropriate levels of funding toward information security.”

What should hoteliers learn from the Marriott breach? Pay attention. “Marriott was aware that there was a potential issue shortly after it acquired Starwood, but did not, apparently, investigate in detail,” said Robert E. Braun, partner at Jeffer Mangels Butler & Mitchell LLP, a Los Angeles-based law firm. “Marriott may not have created the problem, but it bought the problem and didn’t treat it with the seriousness that was necessary.”

Also, before acquiring another company, do your own homework.

“There’s also a general question as to how well Marriott conducted its data security due diligence in the Starwood acquisition,” he said. “Hackers create new vulnerabilities every day, and a business change, like the acquisition of a company, can create vulnerabilities.”

Hotels are prime targets for hackers, and ultimately it comes down to the data they hold. “Hotels are unique in that they are not regulated but often maintain extremely detailed and sensitive information about their guests,” said Paige Boshell, privacy attorney at Privacy Counsel LLC, a Birmingham, AL-based legal advisor. To personalize stays, properties across all market segments accumulate a vast amount of data on their guests.

“Travel details and preferences can be coupled with other information to produce a fairly accurate portrait of the guest,” she said. “This type of information can be used to tailor attacks against the guest or guest’s employer.”

From a technical standpoint, hospitality companies have traditionally been highly distributed organizations, which makes the job harder for those charged with protecting guest data. “This distributed nature is often represented within the IT and network functions as well,” Sparrow said. “Establishing a consistent security posture around the network layer and IT systems is extremely difficult when dealing with so many disparate environments. Attackers are always looking for multiple ways into a system. The way in which these networks are designed and the fact that many of the environments are highly transactional makes them very attractive to an attacker.”

Even once an intruder is inside, sensitive guest data should not be easy to read or carry off; the breach of a network should not automatically mean the breach of every record on it.

“Properties may fail to encrypt sensitive information or to properly classify information as sensitive,” Boshell said. “They usually have fairly broad access to a variety of information, which is intended to afford employees the opportunity to provide tailored, excellent customer service. Access should be controlled and tracked, and suspicious internal network activity should be readily detected.”

The extent of the risk depends on the types of information compromised and on whether the business’s security efforts were reasonable and diligent. “For example, information that cannot be changed by the consumer, like date of birth or biometrics, and information that can be difficult for the consumer to change, like social security or passport number, can expose the consumer to greater risk of loss,” Boshell said.
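The two points above, that access to guest data should be controlled, tracked and watched for suspicious internal activity, and that data a guest cannot change deserves more protection than data a guest can, are easy to turn into something concrete. The script below is an added example, not code from the article or from any of the firms quoted: it classifies guest-record fields into sensitivity tiers by how hard they are for the guest to change, then runs three detection rules over constructed access-log lines. The log format, the user and role names, the role policy, the thresholds and the off-hours window are all assumptions.

```python
"""Field-level sensitivity tiers plus a small detector for suspicious
internal reads of guest records. Added example; every name, format and
threshold here is an assumption, not something from the article."""
from collections import defaultdict
from datetime import datetime

# Tier 3: the guest cannot change it. Tier 2: hard to change. Tier 1: changeable.
SENSITIVITY = {
    "date_of_birth": 3, "biometric_template": 3,
    "passport_number": 2, "ssn": 2, "card_number": 2,
    "email": 1, "phone": 1, "loyalty_number": 1, "room_preferences": 1,
}

# Assumed role policy: the highest tier a role may read in normal operation.
# A role that is not listed gets 0, so every read by it is flagged (deny by default).
ROLE_MAX_TIER = {"front_desk": 2, "reservations": 2, "housekeeping": 1, "compliance": 3}

BULK_THRESHOLD = 3        # distinct guests whose tier>=2 data one user reads in one hour
OFF_HOURS = range(0, 6)   # 00:00-05:59 local; assumed quiet period for tier>=2 reads


def classify(field):
    """Sensitivity tier for a field. Unknown fields default to tier 1 so
    they are still logged and policed rather than silently ignored."""
    return SENSITIVITY.get(field, 1)


def parse_line(line):
    """Assumed log format: ISO timestamp, user, role, guest id, fields read."""
    ts, user, role, guest, fields = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "guest": guest, "fields": fields.split(",")}


def detect(log_text):
    """Run three rules over the log and return (rule, user, detail) tuples:
    policy_violation  - role read a field above the tier its policy allows
    off_hours         - tier>=2 read during the assumed quiet period
    bulk_read         - one user touched BULK_THRESHOLD distinct guests' tier>=2
                        data inside one clock hour (fires once per hour bucket)
    """
    alerts = []
    hourly = defaultdict(set)   # (user, hour bucket) -> guests with tier>=2 reads
    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        top = max(classify(f) for f in ev["fields"])
        if top > ROLE_MAX_TIER.get(ev["role"], 0):
            alerts.append(("policy_violation", ev["user"], ev["guest"]))
        if top >= 2:
            if ev["ts"].hour in OFF_HOURS:
                alerts.append(("off_hours", ev["user"], ev["guest"]))
            bucket = ev["ts"].replace(minute=0, second=0, microsecond=0)
            seen = hourly[(ev["user"], bucket)]
            seen.add(ev["guest"])
            if len(seen) == BULK_THRESHOLD:
                alerts.append(("bulk_read", ev["user"],
                               f"{BULK_THRESHOLD} guests in hour from {bucket:%H:%M}"))
    return alerts


# Constructed sample log: one reservations agent pulling passport and card
# numbers for several guests at 2 a.m., normal front-desk activity, and a
# housekeeping account reading a date of birth it has no business seeing.
SAMPLE_LOG = """
2018-09-10T02:11:45 res22 reservations G1005 passport_number
2018-09-10T02:12:03 res22 reservations G1006 passport_number
2018-09-10T02:12:19 res22 reservations G1007 passport_number
2018-09-10T02:12:40 res22 reservations G1008 card_number
2018-09-10T09:14:02 fdesk01 front_desk G1001 email,phone
2018-09-10T09:20:11 fdesk01 front_desk G1002 passport_number,email
2018-09-10T10:05:33 hk07 housekeeping G1003 room_preferences
2018-09-10T10:06:10 hk07 housekeeping G1004 date_of_birth,room_preferences
"""

if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"{rule:17} {user:8} {detail}")
```

The point of the tiering is that the same field list drives all three rules: classify a field once, and both the role policy and the volume and off-hours rules follow from it without per-field special cases. In a real property the log would come from the property-management or reservation system's audit trail, and the thresholds would be set from a baseline of normal staff activity rather than guessed.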

When it comes to preventing security attacks, properties should prepare ahead of time. “Properties should strive to exceed legal responsibilities, anticipate and address risk, have detailed breach response planning, routinely test security and response capabilities, and assume either that a breach has occurred or is imminent. Complacency undermines all of this,” Boshell said.

Additionally, all properties should strive to incorporate cyber and breach risk into their overall enterprise risk-management programs. “These programs can be based on industry standard methodologies like NIST and ISO,” Sparrow said. “Companies can also hedge against the risk by looking to insure against it using some of the newer cyber insurance policies. When looking at insurance, companies should understand this insurance does not alleviate them from implementing proper security controls to protect themselves.”

If a breach occurs, the best thing to have in place is a breach response plan. “When a breach occurs, having the plan in place will allow the company to respond promptly and limit losses,” Braun said. “This is particularly an issue as the need for a quick response is essential (under the GDPR, for example, breaches must be announced within 72 hours). If you haven’t prepared, you’ll need to create a response plan and team on the fly, which is increasingly difficult.” This response plan can’t just sit on a server somewhere; it needs to be tested and updated on a regular basis, at least annually.

If breaches happen at large, publicly traded companies such as Marriott, they will more than likely happen at smaller organizations too, so experts caution hoteliers: always assume it will happen.

“Attacks on smaller hoteliers could be forthcoming,” Boshell said. “Usually, we see these types of attacks within an industry trend from larger targets to smaller, less well-defended targets on a grand scale, so the gain from each small attack might be less, but the sheer volume of attacks makes them lucrative.”