14 January 2014
Hotel Lawyer: The growing problem of security breaches with sensitive customer information.
The recent headlines about the Target and Neiman Marcus security breach with customer credit cards highlights a growing crisis that concerns owners and operator of hotels as well as retailers. In this article, Bob Braun, one of the senior members of our Global Hospitality Group® who focuses on data security — when he is not working on hotel management or franchise agreements — gives us some thoughts on what to do about this problem.
The Target and Neiman Marcus breaches:
What hoteliers need to know
Robert E. Braun | Senior Member, Global Hospitality Group®
The Target and Neiman Marcus problem. The massive security breach of Target’s customer data may affect more than 110 million Americans — potentially about 1 in 3 persons living in the United States. Followed in quick succession by another 40 million customers of Neiman Marcus (and more disclosures expected soon from other retailers), it is time for us in the hotel industry to look at our own policies and procedures, and to think about how we should respond to these malicious attacks.
Hoteliers beware. Hotels are obvious targets for identity and financial theft for many reasons. Hotels transact business through credit cards, and those credit cards are kept on file and can be accessed multiple times during a guest’s stay. The possibility that a credit card charge will be recorded occurs with each night’s room charge, room service, bar or restaurant bill, spa charge, and so on. Every charge is another opportunity for an identity thief to access the information using sophisticated computer hacks and other malicious software, generally without the hotel’s knowledge.
The need to respond to guest demands is another source of insecurity. The Identity Theft Resource Center noted, “The ability to connect to the Internet is an integral part of many individual’s daily life. This has led to the increased demand for public WiFi.” As a result, hotels find themselves compelled to offer wireless internet, and that service is almost always unsecured. But an unsecured wireless network is “just as dangerous as leaving files of your most important personal documents on a street curb for all to see. Hackers can easily get into an unsecured wireless network and get financial information, business records or sensitive e-mails.” (PC World, “Got Wireless Security”). At the same time, hotels have little say in the matter. Guests demand wireless internet service.
Finally, hotels have employees — lots of employees — and many of them have access to the credit card and other personal information of guests. No matter how well trained and supervised, more personnel correlates to greater risk. The fact that low-level employees typically have access to key guest information, and that there is, historically, a high turnover in hotel employees, exacerbates the problem.
What happened to Target? While investigations are continuing, sources have reported that investigators believe the attackers used similar techniques and pieces of malicious software to steal data from retailers. One of the pieces of malware is a RAM scraper, or memory-parsing software, which allows cyber criminals to grab encrypted data by capturing it when it travels through the live memory of a computer, where it appears in plain text, the sources said. While the technology has been around for many years, its use has increased in recent years as retailers have improved their security, making it more difficult for hackers to obtain credit card data using other approaches.
The lesson? Even as merchants become more vigilant and focus on the security of their systems, criminals have become more sophisticated and are investing more time and effort in crafting their own systems.
What should I do? The fact that Target, and others, have been victimized might not seem, at first, to impact other businesses. Securing guest and corporate information is a key task, and the steps necessary to implement a secure environment are unique to each organization. However, there are some general considerations that all firms should be aware of that are essential to securing information:
- Inventory and Identify Information. Hotels operators should inventory potentially sensitive information and document on which computers, servers and laptops it’s stored.
- Restrict Access and Collection of Data. Operators and owners should keep sensitive information on the fewest number of computers or servers, and be sure to segregate it — the fewer copies of data you have, the easier it is to protect.
- Use Technology. Hotels should utilize encryption and other means for storing, and secure connections for receiving or transmitting, credit card information and other sensitive data.
- Passwords and Access. For internal communications and information, protect sensitive data with strong passwords and change passwords on a regular basis.
- Deal with Vendors. Much, if not most, of computer systems and services are handled by vendors — check their security practices. Hotels should review their agreements with vendors to ensure that they are implementing best practices, that they are responsible for the security of the information they handle, and that they work with and at the direction of the client in case of a breach.
- Review your Insurance. Cybersecurity insurance has gone through tremendous changes in just the past year; review your policies to ensure that they are effective and provide meaningful coverage.
Most of all, hotel companies need to make a commitment to secure the sensitive information of their companies and their guests, and to seek out informed consultants and advisors. Information security is a relatively new and rapidly changing area, and requires specialized knowledge; the investment today can protect a hotel from being front page news — for the wrong reasons — later.
Here are some of the ways JMBM helps clients with data security matters
The JMBM Global Hospitality Group® and the JMBM Cybersecurity & Privacy Group work with clients to establish and enforce data security policies, and assists clients when there are breaches. We have helped a variety of clients, including hospitality companies, in developing compliance programs, addressing data breach issues, and negotiating contracts with vendors and providers.
Here are some of the ways we help clients with data security matters:
- Respond to data breaches, including selecting appropriate technology and forensics experts
- Develop and implement data breach response plans and procedures, and related privacy, information security and data retention policies and procedures
- Address statutory and regulatory issues
- Develop effective solutions for protecting and managing information assets and complying with legal requirements, using an approach that will contain costs and maintain operational efficiency
- Advise clients on international privacy laws and rules on their businesses, including the U.S.–E.U. Safe Harbor Program
- Address legal challenges posed by social media and mobile applications
- Negotiate agreements for technologies and services to implement information management systems
- Conduct internal investigations, particularly those involving sensitive electronically stored information
- Assist companies in developing appropriate governance tools to the board of directors and executive management levels to address cyber risk
Click here for more information, including specific examples of projects undertaken for representative clients.
Other information about cybersecurity issues
If this article was of interest, you may also wish to read other articles on “Data Technology, Privacy & Security,” which include the following articles:
Bob Braun is a Senior Member of JMBM’s Global Hospitality Group® and is Co-Chair of the Firm’s Cybersecurity & Privacy Group. Bob has more than 20 years experience in representing hotel owners and developers in their contracts, relationships and disputes with hotel managers, licensors, franchisors and brands, and has negotiated hundreds of hotel management and franchise agreements. His practice includes experience with virtually every significant hotel brand and manager.
Bob also advises clients on condo hotel securities issues and many transactional matters, including entity formation, financing, and joint ventures, and works with companies on their data technology, privacy and security matters. These include software licensing, cloud computing, e-commerce, data processing and outsourcing agreements for the hospitality industry.
In addition, Bob is a frequent lecturer as an expert in technology, privacy and data security issues, and is one of only two attorneys in the 2015 listing of SuperLawyers to be recognized for expertise in Information Technology. Bob is on the Advisory Board of the Information Systems Security Association, Los Angeles chapter, and a member of the International Association of Privacy Professionals. Contact Bob Braun at 310.785.5331 or email@example.com.
This is Jim Butler, author of www.HotelLawBlog.com and hotel lawyer, signing off. Why don’t you give us a call (or send an email) and let us know what you working on. We would like to see if our experience might help you create value or avoid unnecessary pitfalls. Who’s your hotel lawyer?
Our Perspective. We represent hotel owners, developers and investors. We have helped our clients find business and legal solutions for more than $71 billion of hotel transactions, involving more than 3,800 properties all over the world. We bring this experience to any hotel project — big or small. Let’s explore how it might work for you. For more information, please contact Jim Butler at firstname.lastname@example.org or +1 (310) 201-3526.
Jim Butler is a founding partner of JMBM, and Chairman of its Global Hospitality Group® and Chinese Investment Group™. Jim is one of the top hospitality attorneys in the world. GOOGLE “hotel lawyer” and you will see why. Jim and his team are more than “just” great hotel lawyers. They are also hospitality consultants and business advisors. They are deal makers. They can help find the right operator or capital provider. They know who to call and how to reach them.