What Hotels Need to Know to Protect Against Inevitable Data Breaches

By Philip J Harvey, President, Venture Insurance Programs

Data breaches are happening at hotels with increasing frequency, from small boutique properties to some of the largest international brands. Hilton, Starwood, Mandarin Oriental, Hyatt and the Trump Collection were all prominent victims in 2015.

Hyatt discovered malware designed to steal credit card data on computers that operate payment processing systems. At Evans Hotels, back-up card readers used to encrypt payment card data were breached. The front desk system at Peppermill Resort Spa & Casino was breached, compromising guest payment card information.

In a growing trend of criminals exploiting weaknesses in point-of-sale (POS) security, hackers used a malware intrusion of Starwood's POS system to expose credit/debit card information used at retail shops, gift shops and restaurants at its W, Sheraton and Westin brands. Hackers compromised POS registers in gift shops and restaurants at a large number of Hilton hotel and franchise properties across the country. Hackers also accessed POS systems at most Mandarin Oriental properties in the U.S.

Not only are hotels susceptible to data breaches, but they also present complex risk management and insurance challenges, with systems stretching across multiple properties, brands and franchises.

Yet, despite the frequency and severity of these attacks, many hotels are not prepared for the inevitable breach. They do not have data breach response plans, solid risk management strategies or insurance to cover the costs involved when there is a breach. These costs run into the millions and include myriad expenses like computer forensic investigations, guest notifications, legal defense of potentially costly lawsuits and public relations costs to protect and restore a tarnished image.

Vulnerable, But Unprepared

During the underwriting process, while evaluating a hotel's risks, insurers recognize when a hotel lacks preparation. I am constantly surprised by how many hotels do not have solid risk management and data security strategies or a data breach response plan.

These plans are comprehensive documents that take into account all the factors involved in breach response. These include the computer forensic team needed to determine the cause and extent of the breach, the legal and compliance team to satisfy statutory and regulatory requirements, specialists to provide guest notification, and public relations to manage media relations and social media. Backing these plans should be training that can range from live simulations to tabletop exercises. Some employers are also using software designed to test the "phishing" awareness of their employees.

This planning process can help assure that guests are notified quickly and with accurate information - a challenge in many data breach cases. During the Hyatt breach in November 2015, it took more than three weeks for the company to notify guests. The delay earned them some angry backlash.

Data breach response is complicated by an array of laws and regulations. State laws govern this response, but not the laws of the state in which the hotel is located. Rather, the state law that applies varies according to where each guest lives. Even a small breach will affect guests in multiple states, each subject to different regulations.

Another area where hotels often are not prepared is insurance. Even if they carry data breach coverage, they may not have high enough limits to cover their expenses or may not be covered for every contingency. This is particularly true when there are third parties involved, such as vendors or business partners, and contractual relationships expose them to liability over which they may have little control. Many hotels do not understand the contracts they have with third party vendors such as payment card processors and data hosting providers.

For example, a recent data breach at a hotel group left more than 5,000 credit cards exposed. The hotel group used a large technology and consulting corporation to handle its card processing and believed the vendor would handle breach response. Unfortunately, the contract with the technology company had a "hold harmless" clause that left the hotel liable for all costs related to guest notification, forensic investigation and other costs.

Complicating Issues

Liability and insurance coverage are more complicated when there is a franchise agreement. On one hand, franchisees may lose some control over cyber security when they are required to use the franchisor's system. On the other, in the event of a consumer lawsuit, the franchisor - who is perceived as having "deep pockets" - will likely be sued along with the franchisee, especially if it exercised control over the way that the franchisee collected or used the data.

This was the case with Wyndham Hotel Group, which just settled a data breach case with the Federal Trade Commission (FTC) in December. The FTC charged that the hotelier itself was liable for data breaches at its franchise locations because the franchisor had made representations on its own website about data security and "allowed" franchisees to use improper software and lax security practices. In addition, the franchisor's data systems did not encrypt consumer information.

When franchisors are evaluating data breach liability coverage, they should consider the cyber security requirements that they impose on franchisees. They should also evaluate whether to require their franchisees to carry data breach insurance and whether those insurance policies can provide protection to the franchisor.

Hotel management companies should also consider their exposure, which may be on a larger scale because they manage many properties. If they use one central payment system and it is breached, it can affect many properties. But if different payment systems are managed at each hotel location, they have multiple systems to manage and protect.

Covering the Risk

Insurance is an essential part of preparing for and responding to a breach, helping you avoid assuming full financial liability for a data breach. So it's important that hotels involve their insurance broker to discuss the risk.

Coverage is available for hotels, including policies for first-party costs (the hotel) and third-party liability (guests and others affected). These policies should cover expenses related to response, including forensic computer investigations and costs to draft and deliver notifications to individuals, the payment card industry or a regulator. These policies also cover costs to set up a call center, deploy credit or identity protection services for affected individuals and hire crisis management and public relations specialists to help mitigate the potential fallout.

In addition, privacy protection is necessary to cover the costs to defend claims, including negligent network security resulting from events such as the transmission of malicious software or a denial of service attack (when the hotel's systems or website are not available to guests or other intended users). Privacy protection also covers violations of privacy or consumer data protection laws, negligence or breach of contract and regulatory actions. The Wyndham case illustrates the reach of regulatory action, as the FTC and the hotel agreed to a stipulated injunction requiring Wyndham over the next 20 years to improve cybersecurity practices. These included establishing a comprehensive written information security program, obtaining an annual assessment by an independent third party of its compliance with data security standards and obtaining a forensic investigation within 180 days of a breach involving more than 10,000 payment card numbers. It also required the company to obtain an independent assessor's approval of any "significant change" in its data protection policies.

Hotels can add other insurance coverage, as well, including cyber extortion, hacker damage to your physical assets (also called "network asset damage") and cyber business interruption to compensate you for loss of revenue due to a data breach. In addition, cyber crime coverage protects against funds transfer fraud and computer fraud after a malicious system attack allows the attacker to use the banking information to transfer funds. It's different from cyber deception coverage, which applies when a deceptive attacker fools an insured into voluntarily surrendering such information. Talk to your broker to find out whether these risks are covered in your crime policy or whether you need them in your cyber policy.

In working with your insurance partners, carefully determine your policy limits (the amount the insurance company will pay for covered losses). It's important to make sure you have sufficient limits to cover each of the costs and liabilities you potentially face. Some breaches have taken up to two years to discover, accruing two years of associated costs.

Finally, most data breach insurance policies come with risk management features designed to mitigate the risk of a breach, as well as with post-breach response services to help manage an incident as it unfolds. The surge in breaches at hotels nationwide shows no sign of letting up. It's time every hotel acknowledges the risk and takes the necessary steps to protect itself.

Philip J. Harvey is president of Venture Insurance Programs, a national program administrator for select industries, including hotels, resorts and golf and country clubs. Through Venture, Mr. Harvey created a leading all-lines insurance program for hotels and resorts called SUITELIFE. Mr. Harvey has more than 35 years of insurance experience in all facets of property and casualty insurance. The hallmark of Venture is an entrepreneurial spirit that identifies market needs and works to develop unique solutions. Mr. Harvey values employees and business partners who share this same entrepreneurial approach. Mr. Harvey can be contacted at 800-282-6247 or pharvey@ventureprograms.com.

HotelExecutive.com retains the copyright to the articles published in the Hotel Business Review. Articles cannot be republished without prior written consent by HotelExecutive.com.
