Protecting Personal Information from Data Breaches Through Joint Cyber-Defense
By Marc Stephen Shuster, Partner, Berger Singerman
Co-authored by Steven D. Weber, Member of Berger Singerman's Dispute Resolution Team
Hotel affiliates hold a myriad of customer personal information, and a data breach suffered by an affiliate may affect the hotel's entire brand. One way to mitigate the risk of a data breach is to enter into a joint cyber security defense agreement.
Hotels and their affiliates are attractive targets for data breaches because they receive and store their customers' personal information. That personal information may take the form of, among other things, names, addresses, credit card information, and passport information. It may be used for booking hotel reservations, for paying for wireless service, for registering for loyalty programs, for marketing programs, or for numerous other purposes connected to the hotel industry. The personal information associated with a certain hotel brand or property may belong to customers of a certain economic status (such as travel executives or high net worth individuals), making such information especially tempting. Because of the value of the personal information stored by hotels, significant hotel brands experienced data breaches in 2014 in which the personal information of thousands of customers was compromised.
One reason that the hotel industry is susceptible to data breaches is the large number of channels by which a hotel obtains its customers' personal information. For example, many hotels rely on front desk employees or other customer service representatives to receive their customers' personal information. Each of those employees has the opportunity to misappropriate that personal information, and even the most well-meaning employee may inadvertently disclose personal information or cause a security breach by, for example, opening a malicious e-mail attachment. In addition, many hotels partner with numerous affiliates that obtain personal information from their customers. Those affiliates may receive that information as the result of, for example, a customer booking hotel reservations or registering for a loyalty program. In some cases, a customer may provide personal information to an affiliate without even knowing they are doing so. That personal information may then be transmitted to a central booking website or stored by an affiliate as part of a marketing program. Ultimately, all the personal information gathered by hotels and their affiliates may be entered into still more databases that are susceptible to a data breach.
Not all channels receiving personal information operate with the same level of computer security. The weakest channel may introduce vulnerabilities into, or otherwise compromise, even the most secure channel. In today's world, where hotel affiliates receive personal information through mobile phone applications, the number of affiliates involved in collecting customers' personal information is greater than ever. This means the threat of potential data breaches has also intensified, because those affiliates may not have uniform budgets devoted to computer security. As a result, they may not use the best available encryption or digital certificates, or may not have access to security teams that can audit their systems for weaknesses. Any of these gaps may lead to a data breach that affects not only the affiliate, but also the hotel brand.
One way to mitigate the risk that an affiliate experiences a data breach is by entering into a joint defense computer security agreement. The joint defense computer security agreement is an agreement by which a hotel brand agrees with all or certain affiliates to cooperate in protecting customer personal information. Numerous factors must be considered when entering into such an agreement, only some of which will be addressed here.
In negotiating such an agreement, the parties must first determine the relevant level of computer security to maintain. Among other factors, the relevant level of computer security should be determined by looking at what the applicable law requires. The vast majority of states in the United States have enacted data breach laws and other cyber security regulations. Other laws and regulations may apply internationally. Some of those laws and regulations may impose computer security standards. Based on where the parties to the agreement reside and operate, those standards may differ, and the parties should agree to maintain a standard of security that meets all applicable obligations. Identifying the applicable standards will not only aid in constructing the agreement, but may also protect the parties against future liability should a data breach occur.
Along those same lines, the joint agreement must take into account where the parties are located and operate for the purpose of deciding what information they should protect. While most states in the United States have enacted data breach laws, the personal information protected by those laws is not uniform. Some regulations and laws require that only certain types of personal information should be protected or that data breach laws only apply when certain types of personal information are compromised. International laws and regulations may apply as well. Accordingly, when drafting the agreement, the parties must take into account all applicable data breach laws to determine what level of protection, if any, to provide to personal information and what personal information to protect.
A decision must be made as to which affiliates will be party to the agreement. The sophistication and size of the affiliates working with a hotel may vary greatly. Those affiliates may generate revenues in the millions of dollars, billions of dollars, or substantially less. A hotel may wish to limit the agreement to affiliates that do not have the financial means to provide an adequate level of security on their own. However, the size of an affiliate does not necessarily correlate with stronger cyber security or greater resistance to a data breach. In 2014, some of the largest data breaches in history occurred at Fortune 500 companies. Such companies may be more tempting targets for data breaches than smaller companies because they hold more personal information.
The parties to the agreement must decide who should pay the fees and costs involved in maintaining the level of security imposed by the agreement. As the level of security maintained among affiliates and hotels is not likely uniform, prior to entering the agreement, the parties may need to substantially upgrade their computer hardware, software, training, and other practices, each of which may carry significant costs. Additionally, the parties may decide to consult with a dedicated vendor to provide uniform security services to all. The parties will also likely incur additional costs in the event of a data breach. Any joint defense agreement should take into account the cost of making sure that all computers subject to the agreement are kept up to date, who pays for those improvements, and who pays for the costs of any future data breach.
One issue that may arise is the confidentiality of any data that is being stored by the parties. If a vendor or third party is hired to maintain the security of the computer networks and thus gains access to the parties' networks, it is important to ensure that they maintain the confidentiality of the data in the possession of those parties. Affiliates may use proprietary software or practices to take reservations and to store personal information for marketing purposes. Any agreement between the parties and a vendor or other third party may need to require that such information be protected from disclosure to the other parties to the agreement.
Parties to a joint agreement should also consider obtaining cyber insurance as part of the agreement, and the agreement should state which party or parties will bear the cost of insurance. In the wake of a data breach, there may be many costs associated with the data breach that are not immediately foreseeable. For example, after a data breach, a hotel chain may be required to offer complimentary credit protection to its customers, pay for attorneys, pay for security experts, pay for public relations specialists, and prepare reports to government organizations on the severity and scope of the data breach. Moreover, a hotel brand may find itself subject to damages even though the breach occurred at one of its affiliates. In addition to damages, there will likely be reputational loss, because that affiliate is using the brand's name and many individuals may associate the breach with the brand. For example, in February 2014, a hotel operator under various significant brands was the target of a data breach that affected properties in over 7 states. As a result of that breach, the brands of the affected hotels may have suffered reputational damage. Obtaining cyber insurance will help mitigate the costs associated with those damages.
The joint defense cyber security agreement cannot absolutely prevent data breaches, but it will mitigate the risk of them. Before entering into any such agreement, a hotel should identify all of its relevant affiliates and assess the extent to which a data breach at one of those affiliates would affect it. Shockingly, many hotels do not have accurate information on which affiliates are receiving their customers' personal information. Accurately and completely understanding the extent to which affiliates are doing so will lead to better results in drafting the agreement. Hotels would be well served to determine whether a joint computer security agreement is right for them and, if so, with whom they should enter into it and under what terms.
Steven D. Weber, a member of Berger Singerman's Dispute Resolution Team, co-authored this article. His practice in commercial litigation includes representing corporations and individuals in connection with matters involving, among other things, business disputes, data breaches, construction law, securities litigation, contract disputes, fraud, non-compete agreements, tortious interference with business relationships, and the misappropriation of trade secrets. Steve is a published author on issues related to cyber security. Immediately prior to joining Berger Singerman LLP, Steve practiced with a law firm in New York City where he represented clients involved in complex commercial litigation matters. Steve began his career as an attorney representing the Mayor of the City of New York, the City of New York, other elected officials, and the various City agencies. During his career, Steve has served as counsel in high-profile litigation actions, including actions that were the subject of both local and national media attention.
Marc Stephen Shuster is a partner in the Miami office of Berger Singerman, Florida's business law firm. Mr. Shuster is a business attorney with extensive experience in commercial real estate transactions, both healthy and distressed, and corporate M&A deal work, with an emphasis on the hotel and hospitality industry. He advises both traditional hospitality conglomerates and Internet advertising sites serving the industry. Mr. Shuster has served as counsel to a Florida-based emergency management/services conglomerate in negotiating for disaster relief work throughout the Caribbean. Mr. Shuster speaks and writes on novel issues affecting the hotel and hospitality space, serves on various community boards, and has been recognized with numerous awards and accolades. Mr. Shuster can be contacted at 305-982-4080 or email@example.com
HotelExecutive.com retains the copyright to the articles published in the Hotel Business Review. Articles cannot be republished without prior written consent by HotelExecutive.com.