What Hotels Need to Know to Protect Against Inevitable Data Breaches

By Philip J Harvey, President, Venture Insurance Programs

Data breaches are happening at hotels with increasing frequency, from small boutique properties to some of the largest international brands. Hilton, Starwood, Mandarin Oriental, Hyatt and the Trump Collection were all prominent victims in 2015.

Hyatt discovered malware designed to steal credit card data on computers that operate payment processing systems. At Evans Hotels, back-up card readers used to encrypt payment card data were breached. The front desk system at Peppermill Resort Spa & Casino was breached, compromising guest payment card information.

In a growing trend of criminals exploiting weaknesses in point-of-sale (POS) security, hackers used a malware intrusion of Starwood's POS system to expose credit/debit card information used at retail shops, gift shops and restaurants at its W, Sheraton and Westin brands. Hackers compromised POS registers in gift shops and restaurants at a large number of Hilton hotel and franchise properties across the country. Hackers also accessed POS systems at most Mandarin Oriental properties in the U.S.

Not only are hotels susceptible to data breaches, but they also present complex risk management and insurance challenges, with systems stretching across multiple properties, brands and franchises.

Yet, despite the frequency and severity of these attacks, many hotels are not prepared for the inevitable breach. They do not have data breach response plans, solid risk management strategies or insurance to cover the costs involved when there is a breach. These costs run into the millions and include myriad expenses like computer forensic investigations, guest notifications, legal defense of potentially costly lawsuits and public relations costs to protect and restore a tarnished image.

Vulnerable, But Unprepared

During the underwriting process, while evaluating a hotel's risks, insurers recognize when a hotel lacks preparation. I am constantly surprised by how many hotels do not have solid risk management and data security strategies or a data breach response plan.

These plans are comprehensive documents that take into account all the factors involved in breach response. These include the computer forensic team needed to determine the cause and extent of the breach, the legal and compliance team to satisfy statutory and regulatory requirements, specialists to provide guest notification, and public relations to manage media relations and social media. Backing these plans should be training that can range from live simulations to tabletop exercises. Some employers are also using software designed to test the "phishing" awareness of their employees.

This planning process can help assure that guests are notified quickly and with accurate information - a challenge in many data breach cases. During the Hyatt breach in November 2015, it took more than three weeks for the company to notify guests. The delay earned them some angry backlash.

Data breach response is complicated by an array of laws and regulations. State laws govern this response, but not the laws of the state in which the hotel is located. Rather, the state law that applies varies according to where each guest lives. A small breach will affect guests in multiple states, each subject to different regulations.

Another area where hotels often are not prepared is insurance. Even if they carry data breach coverage, they may not have high enough limits to cover their expenses or may not be covered for every contingency. This is particularly true when there are third parties involved, such as vendors or business partners, and contractual relationships expose them to liability over which they may have little control. Many hotels do not understand the contracts they have with third-party vendors such as payment card processors and data hosting providers.

For example, a recent data breach at a hotel group left more than 5,000 credit cards exposed. The hotel group used a large technology and consulting corporation to handle its card processing and believed the vendor would handle breach response. Unfortunately, the contract with the technology company had a "hold harmless" clause that left the hotel liable for all costs related to guest notification, forensic investigation and other costs.

Complicating Issues

Liability and insurance coverage are more complicated when there is a franchise agreement. On one hand, franchisees may lose some control over cyber security when they are required to use the franchisor's system. On the other, in the event of a consumer lawsuit, the franchisor - who is perceived as having "deep pockets" - will likely be sued along with the franchisee, especially if it exercised control over the way that the franchisee collected or used the data.

This was the case with Wyndham Hotel Group, which just settled a data breach case with the Federal Trade Commission (FTC) in December. The FTC charged that the hotelier itself was liable for data breaches at its franchise locations because the franchisor had made representations on its own website about data security and "allowed" franchisees to use improper software and lax security practices. In addition, the franchisor's data systems did not encrypt consumer information.

When franchisors are evaluating data breach liability coverage, they should consider the cyber security requirements that they impose on franchisees. They should also evaluate whether to require their franchisees to carry data breach insurance and whether those insurance policies can provide protection to the franchisor.

Hotel management companies should also consider their exposure, which may be on a larger scale because they manage many properties. If they use one central payment system and it is breached, it can affect many properties. But if different payment systems are managed at each hotel location, they have multiple systems to manage and protect.

Covering the Risk

Insurance is an essential part of preparing for and responding to a breach, helping you avoid assuming full financial liability for a data breach. So it's important that hotels involve their insurance broker to discuss the risk.

Coverage is available for hotels, including policies for first-party costs (the hotel) and third-party liability (guests and others affected). These policies should cover expenses related to response, including forensic computer investigations and costs to draft and deliver notifications to individuals, the payment card industry or a regulator. These policies also cover costs to set up a call center, deploy credit or identity protection services for affected individuals and hire crisis management and public relations specialists to help mitigate the potential fallout.

In addition, privacy protection is necessary to cover the costs to defend claims, including negligent network security resulting from events such as the transmission of malicious software or a denial of service attack (when the hotel's systems or website are not available to guests or other intended users). Privacy protection also covers violations of privacy or consumer data protection laws, negligence or breach of contract and regulatory actions. The Wyndham case illustrates the reach of regulatory action, as the FTC and the hotel agreed to a stipulated injunction requiring Wyndham over the next 20 years to improve cybersecurity practices. These included establishing a comprehensive written information security program, obtaining an annual assessment by an independent third party of its compliance with data security standards and obtaining a forensic investigation within 180 days of a breach involving more than 10,000 payment card numbers. It also required the company to obtain an independent assessor's approval of any "significant change" in its data protection policies.

Hotels can add other insurance coverage, as well, including cyber extortion, hacker damage to your physical assets (also called "network asset damage") and cyber business interruption to compensate you for loss of revenue due to a data breach. In addition, cyber crime coverage protects against funds transfer fraud and computer fraud after a malicious system attack allows the attacker to use the banking information to transfer funds. It differs from cyber deception coverage, which applies when a deceptive attacker fools an insured into voluntarily surrendering such information. Talk to your broker to find out whether these risks are covered in your crime policy or whether you need them in your cyber policy.

In working with your insurance partners, carefully determine your policy limits (the amount the insurance company will pay for covered losses). It's important to make sure you have sufficient limits to cover each of the costs and liabilities you potentially face. Some breaches have taken up to two years to discover, accruing two years of associated costs.

Finally, most data breach insurance policies come with risk management features designed to mitigate the risk of a breach, as well as with post-breach response services to help manage an incident as it unfolds. The surge in breaches at hotels nationwide shows no sign of letting up. It's time every hotel acknowledges the risk and takes the necessary steps to protect itself.

Philip J. Harvey is president of Venture Insurance Programs, a national program administrator for select industries, including hotels, resorts and golf and country clubs. Through Venture, Mr. Harvey created a leading all-lines insurance program for hotels and resorts called SUITELIFE. Mr. Harvey has more than 35 years of insurance experience in all facets of property and casualty insurance. The hallmark of Venture is an entrepreneurial spirit that identifies market needs and works to develop unique solutions. Mr. Harvey values employees and business partners who share this same entrepreneurial approach. Mr. Harvey can be contacted at 800-282-6247.

retains the copyright to the articles published in the Hotel Business Review. Articles cannot be republished without prior written consent by
