Articles Posted in Data Technology, Privacy & Security

Published on:

16 September 2024

See how JMBM’s Global Hospitality Group® can help you.
Click here for the latest articles on Data Technology, Privacy & Security.

Artificial Intelligence is Checking into your Hotel – Are You Ready?

by Robert Braun, Co-Chair, JMBM Cybersecurity and Privacy Group;
Senior Member, JMBM Global Hospitality Group

Even though artificial intelligence has been a part of our lexicon for more than seventy years, artificial intelligence remains the latest bright shiny thing. Businesses large and small feel compelled to incorporate artificial intelligence into their company descriptions even with a limited understanding of what artificial intelligence is, or how it could help their business. Hotels and hotel companies are no different; just take a look at the online newsletters and announcements hitting your mailbox; it’s a rare day that a hotel company doesn’t announce that it is incorporating artificial intelligence into their business, whether to increase guest satisfaction, offer new services, improve reservations, or any of a variety of reasons.

While artificial intelligence can clearly help, jumping on the AI bandwagon can have unintended consequences.

What is Artificial Intelligence?

Most of us have an imperfect concept of artificial intelligence: we think that the title is descriptive of the product. However, artificial intelligence is not necessarily what it sounds like. IBM defines artificial intelligence as “technology that enables computers and machines to simulate human learning, comprehension, problem solving, decision making, creativity and autonomy.” But what most people think of as artificial intelligence is generative AI, technology that can create original text, images, video, and other content without human intervention.

Underlying this is a hard fact: artificial intelligence is highly technical and very difficult. As an expert in the field, Joseph Greenfield of Maryman and Associates told me, “To understand artificial intelligence, you understand neural networks.” I don’t understand neural networks – do you?

What are the risks of Artificial Intelligence?

Some of the risks in artificial intelligence – or, more accurately, AI systems and tools – are well publicized. For example, AI “hallucinations,” occurring when a generative AI tool that creates responses to prompts that have little or no basis in fact, have become legendary. Biased or inaccurate responses are a common issue, and certain AI models have design flaws that can magnify those issues. Additionally, because of the complexity of AI systems, artificial intelligence cannot be treated simply as another form of software – different and more intensive vetting of AI systems are required. CONTINUE READING →

Published on:

3 May 2024

See how JMBM’s Global Hospitality Group® can help you.
Click here for the latest articles on Data Technology, Privacy & Security.

The American Privacy Rights Act – What Does it Mean for Hotel Companies?

by Robert Braun, Co-Chair, JMBM Cybersecurity and Privacy Group;
Senior Member, JMBM Global Hospitality Group

On April 7, 2024, the United States House Committee on Energy and Commerce released the American Privacy Rights Act (APRA). While every Congress for more than a decade has introduced multiple proposals to address privacy rights on a national scale, none have gained traction, and while there’s every reason to suspect that the APRA will meet the same fate – headwinds are coming from the states that have already adopted comprehensive privacy statutes, and it is notoriously difficult to adopt legislation in an election year, and especially now), the APRA is being taken seriously, and might be the basis for a long-awaited, and long-needed, national privacy law.

What Makes the APRA Important?

The most important feature of the APRA is that it would replace the patchwork of individual state privacy statutes — adopted by sixteen (at last count) states, with more on the way. The laws share many common elements, but are not uniform; in a world where state borders mean less and less for consumer transactions, complying with each law is challenging. While there would remain room for states to adopt some unique laws, the APRA could significantly reduce the cost of compliance.

The APRA would also make the United States more consistent with jurisdictions throughout the world. Beyond state laws, there are many privacy laws, like the General Data Protection Regulation in the European Union (and similar laws in the United Kingdom and Switzerland), Canada, and other key trading partners. Citizens in these jurisdictions expect to have the same kind of data protection they have in their home countries, and adopting a comprehensive federal law would facilitate trade. CONTINUE READING →

Published on:

28 July 2023

See how JMBM’s Global Hospitality Group® can help you.
Click here for the latest articles on Data Technology, Privacy & Security.

This month, the Securities and Exchange Commission (SEC) announced new rules requiring companies who experience a cybersecurity attack to publicly disclose the impact of the attack within four days. Hotel companies whose securities are registered with the SEC should take note of these regulations and develop a robust incident response plan.

Bob Braun, senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group, outlines the new regulations below.

Time is Short – Reporting your Data Breach
by Bob Braun, Hotel Lawyer

 

Over the past years, hotel companies – including brands, managers and owners – have increasingly sought the benefit of access to public markets and, in doing so, have become subject to the registration and disclosure requirements of the United States Securities Act and Securities Exchange Act. In doing so, these companies need to comply with a broad variety of detailed regulations addressing their disclosure and reporting obligations. The Securities Exchange Commission recently adopted regulations which will have an impact on publicly traded hotel companies that suffer a data breach.

Breach Notifications for the Past 20 Years. Ever since California became the first state to require companies to notify their customers of data breaches in 2003, the time between the date a breach was discovered and the time the breach was reported has been an issue of contention. Early reporting gives consumers a leg up in protecting their personal information, and lets investors, vendors and customers of companies know if key business information has been compromised. At the same time, companies want as much time as possible to investigate a breach, understand what happened, and provide accurate information – companies that give early notice often have to give multiple notices as more information becomes available, and may even find that the original notice wasn’t necessary. Regardless, lawsuits against companies that have suffered data breaches almost universally point to the gap in time between the discovery and notification of a breach. CONTINUE READING →

Published on:

21 March 2023

See how JMBM’s Global Hospitality Group® can help you.
Click here for the latest articles on Data Technology, Privacy & Security.

Data privacy and security continue to be significant issues for hotel owners, operators, brands, and managers, representing the potential for both financial and reputational impacts. One important piece of the puzzle is which of the many entities involved in a hotel property is responsible for collecting, sharing, using and storing the personal data of guests and employees.  Bob Braun, senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group, gives an overview of current considerations.

 

 

Data Security and Privacy in Hospitality – Who’s Paying the Bill?
by Robert Braun, Co-Chair, JMBM Cybersecurity and Privacy Group;
Senior Member, JMBM Global Hospitality Group

 

One of the most valuable assets of a hotel brand is information – detailed personal information about guests at their hotels, participants in their loyalty programs, and visitors to their websites. This information allows hotel brands to focus on creating guest loyalty, acquiring potential guests, engaging in effective marketing, expanding market share, and creating properties and services that entice and satisfy hotel guests. Because of this, hotel brands have long contended that they “own” hotel guest data and have unencumbered rights to use it, without respect to the interests of hotel owners and even the guests themselves.

While this attitude may have been correct in the past, the world is changing. The EU’s General Data Protection Regulation, the California Consumer Protection Act, the California Privacy Rights Act, and similar laws throughout the United States and the world have turned this idea on its head. Anyone who collects personal data can do so only with the permission of the individual consumer; brands don’t own the personal information of guests, the guests do, and they are the ones who give the operator, brand or owner the right to collect and use it – and they can limit or revoke that right. CONTINUE READING →

Published on:

25 October 2022

See how JMBM’s Global Hospitality Group® can help you.
Click here for the latest articles on Data Technology, Privacy & Security.

In addition to protecting the personal information of guests in compliance with the EU’s General Data Protection Regulation and California’s Consumer Privacy Act, hotel operators and owners need to extend the same protections and rights to their employees and the information collected from them. Bob Braun, a senior member of the Global Hospitality Group and Co-Chair of JMBM’s Cybersecurity & Privacy Group outlines hotel employer obligations in the article below, along with suggested next steps.

 

Hotels, Hotel Owners and Employee Personal Information
by Bob Braun, Hotel Lawyer

 

Hotel operators and owners have long been focused on the privacy of the personal information they collect from guests – because of the global nature of the hospitality business, hotel brands have focused on complying with the European Union’s General Data Protection Regulation (GDPR), and beginning in 2018, the Consumer Privacy Act (CCPA), the first comprehensive law designed to protect the privacy of consumers’ personal information. Businesses that are subject to the GDPR and the CCPA are required, among other things, to respond to consumers who wish to view the personal information collected by the business, delete personal information, and opt-out of the sale of personal information; these obligations expanded in 2020 when California voters approved the California Privacy Rights Act of 2020 (CPRA).

Employee and Business Personal Information

While the CCPA is aimed at protecting consumers’ personal information, the terms of the law extend to the personal information of employees and business contacts. While the California legislature initially exempted employment information and “business to business” (B2B) personal information from many of the provisions of the CCPA until January 1, 2021, which was extended in the CPRA to January 1, 2023.

The Exemption and its Demise

While most observers believed that the California legislature would extend the exemptions of employee and B2B personal information, when the California Legislature adjourned on August 31, 2022, it did so without adopting an extension. As a result, it is a certainty that full consumer rights will apply to personal information obtained from employees or because of a B2B relationship.

Because hotel owners and operators are familiar with the requirements of the CCPA and the GDPR, the expiration of the exemption will be challenging. Owners and operators will need to adapt their policies to employee and B2B personal information. However, there are many hotel owners that have little or no contact with guests and have left compliance to hotel operators. These firms will be particularly impacted by the significant disclosure, policy and procedure issues that need to be addressed by the end of 2022.

This is especially the case for hotel owners that act as the employer of hotel personnel, but will extend to all hotel owners with employees, whether engaged at a hotel or not, since employers are obligated to collect vast amounts of personal information, including sensitive personal details (such as financial, health and intimate personal characteristics) to conduct businesses. These owners will need to address the information they collect, where it is held, who has access to it and how it is used. Moreover, hotel owners and operators will need to determine how consumer rights apply to employee and B2B personal information, and prepare to provide employees and B2B contacts with CCPA rights, including the right to know what personal information is collected, the right to delete personal information, the right to opt out of the sale or sharing of personal information, the right to limit use and disclosure of sensitive personal information, and the protection against retaliation following the exercise of opt-out or other rights. CONTINUE READING →

Published on:

8 March 2022

See how JMBM’s Global Hospitality Group® can help you.
Click here for the latest articles on Data Technology, Privacy & Security.

The rules around data privacy and cybersecurity are constantly evolving. In order to protect themselves from liability, hotel owners should pay attention to ongoing legal developments and learn more about their own data infrastructure.

Bob Braun, senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group, explains why hotels need to understand exactly what data they hold, where it is stored and who has access to it.

Facing the Knowledge Gap: Why Hotels Need “Visibility” to
Avoid Data Privacy Liability

by
Bob Braun, Hotel Lawyer

Addressing privacy compliance and cybersecurity is becoming more and more challenging for companies. At least 26 states are considering various kinds of data privacy laws. At the same time the rate, depth, and impact of ransomware, wiperware and data breaches has become more intense and more expensive, and there is no indication that the trend will end soon.  Hotel companies, as holders of significant amounts of personal information and highly dependent on computer networks for daily operations, are particularly at risk in this environment.

A hotel company that seeks to comply with privacy mandates, and to prepare for and defend against a data breach, requires knowledge – it requires visibility.

What does that mean? To achieve visibility, a hotel brand, manager or owner needs to increase its knowledge of key elements of its data infrastructure:

See Your Network

Most hotel executives, other than chief technology officers and chief financial officers, have little knowledge of their network. But understanding what data is stored on the network, how the various parts of the network interact, and who has access to the network (and what kind) is essential to evaluating risks, complying with privacy laws, and preparing and defending against attacks. This means not only knowing what is supposed to be on the network, but the “silent” nodes as well – things like unused servers and the devices that attach to the network, such as personal laptops, smart phones and tablets.  As hotels become increasingly automated – by relying on smartphones to substitute for keys and allowing touchless registration – being able to see the full scope of the network is challenging but essential. CONTINUE READING →

Published on:

29 December 2021

See how JMBM’s Global Hospitality Group® can help you.
Click here for the latest articles on Data Technology, Privacy & Security.

As hotels find new ways to use technology to attract guests and enhance their properties, they need to remain aware of the security challenges these technologies present.

Bob Braun, senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group, explains three basic issues for 2022 that all hotel owners need to be aware of to ensure their business and guest information remains secure.

Security Challenges in the Hotel Industry
by
Bob Braun, Hotel Lawyer

Like virtually all industries, the hotel industry continues to be challenged by cybersecurity concerns. As we approach 2022, hotel owners and operators need to address some basic issues that impact the security of their systems and their guests.

  • Wi-Fi. Providing wireless internet to guests has become a “must-do” for hotels – it’s not too much of an overstatement to say that a potential guest won’t stay at a hotel that doesn’t provide free Wi-Fi. But hotel Wi-Fi systems, particularly those in public areas, have long been a soft underbelly of cybersecurity. In the past 10 days, TechCrunch+ reported that “an internet gateway used by hundreds of hotels to offer and manage their guest Wi-Fi networks has vulnerabilities that could put the personal information of their guests at risk.” The system uses hardcoded passwords that are easy to guess and allow an attacker to gain remote access to the gateway’s settings and databases; they can then use that knowledge to access and exfiltrate guest records, or reconfigure the gateway’s networking settings to unwittingly redirect guests to malicious webpages.

CONTINUE READING →

Published on:

10 November 2020

See how JMBM’s Global Hospitality Group® can help you.
Click here for the latest articles on Data Technology, Privacy & Security.

On November 3rd, Californians voted to approve Proposition 24 which amends the California Consumer Privacy Act to include expanded consumer rights and greater privacy protections.

The California Privacy Rights and Enforcement Act – which also establishes an enforcement agency to guarantee strict compliance – places additional obligations on businesses to ensure that consumer data is transparent and secure. Given the scope of the Act and the short timeframe for compliance, hotels should immediately start looking at their data profiles and security to avoid running afoul of the new rules.

Bob Braun, senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group, explains the major provisions of the Act and discusses the challenges hotels face as they look to address its requirements.

New Challenges for Hotels:
The New California Privacy Rights and Enforcement Act of 2020
by
Bob Braun, Hotel Lawyer

Many races and initiatives that California voters considered on November 3 are still undecided, but Proposition 24, the California Privacy Rights Act of 2020 (the “CPRA”) isn’t one of them.  The California electorate approved Proposition 24 by a comfortable margin – 56% of Californians voted in favor.

Like its predecessor the California Consumer Privacy Act of 2018 (the “CCPA”), the impact of the CPRA won’t be felt immediately.  It goes into effect on January 1, 2023, and many of its provisions are unclear and will require study.  But hotel companies with a presence in California will need to consider its requirements, and given the scope of the law, addressing its requirements early will be essential.

New Sheriff in Town

Perhaps the most significant development in the CPRA is the establishment of a new agency, the California Privacy Protection Agency, dedicated to handling enforcement and compliance with privacy regulations.  This makes California the first state with an agency focused solely on enforcing privacy laws.  This new agency will replace the California Attorney General in interpreting and enforcing the CCPA.  The ultimate impact of the agency will develop as its members are selected and interpret its mandate, but it is clear from the CPRA that it has broad authority to bring civil and criminal actions.

Select Key Provisions

The CPRA is an extension and modification of the CCPA.  It adds a number of new definitions and provisions that, in some cases, extend the scope of the CCPA and, in other cases, clarify the requirements of the CCPA.  The result is that hotel companies that already comply with the CCPA will need to revisit their policies and procedures to ensure compliance with the CPRA, and any firms that have not yet considered CCPA compliance have a steep learning curve.  Key provisions include: CONTINUE READING →

Published on:

01 July 2020

See how JMBM’s Global Hospitality Group® can help you.

Meet the Money® Online: Hotels and Information Security
Protecting Guests and the Bottom Line

Last week, speakers from Manhattan Hospitality Advisors, Tiered Communication Services Inc. and Willis Towers Watson joined Bob Braun of JMBM’s Global Hospitality Group® for the second in a series of Meet the Money Online webinars.

If you missed “Hotels & Information Security – Protecting Guests and the Bottom Line,” you can watch the full webinar here.

You can also find the presentations made by our expert panelists on the Resource Center page:

Where Technology and Security Meet in Hotels

Jonathan Adam, co-founder and Chief Technology Officer, Tiered Communication Services, Inc., covers the primary elements required for information security, and how a secure hotel network should be designed. Meet the Money® Online June 2020.

Best Practices and Imperatives for Information Security

Bob Braun, co-chair of JMBM’s Cybersecurity and Privacy Group, and senior member of JMBM’s Global Hospitality Group® discusses why information security is so difficult to achieve, the importance of documentation, and why verifying third parties is critical. Meet the Money® Online June 2020.

Cyber Security – A Must in Today’s Viral World

Jack Westergom, Managing Director and Founder of Manhattan Hospitality Advisors explains why hotels are frequent targets of cyber crime, areas in which hotels can be proactive, and why you shouldn’t count on your brand for protection. Meet the Money® Online June 2020.

Cyber Insurance in the Hospitality Industry

Heather Wilkinson, SVP, FINEX E&O/Cyber, Willis Towers Watson, discusses why hotels need to determine their specific exposure, the importance of understanding what your cyber insurance actually covers, and the 5 main cyber threats that hotels are facing today. Meet the Money® Online June 2020.

 

While we weren’t able to gather in person for the 30th year of Meet the Money®, the national hotel investment and finance conference, we are continuing to provide the industry with research analysis and insight through Meet the Money Online. Join us on July 8, 2020 for the next in this series of informative webinars, the CMBS Special Servicing FAQs Virtual Roundtable. CONTINUE READING →

Published on:

22 June 2020

See how JMBM’s Global Hospitality Group® can help you.

Meet the Money® Online: Hotels and Information Security
Protecting Guests and the Bottom Line

Speakers from Manhattan Hospitality Advisors, Tiered Communication Services Inc. and Willis Towers Watson will join Bob Braun of JMBM’s Global Hospitality Group® for this informative online program.

Please join us this week, on Thursday, June 25, 2020, when Meet the Money® Online addresses an issue of critical importance to the hospitality industry: information security.

As privacy laws demand companies do more to protect customer and employee data – and cyber hackers become more sophisticated – making sure your hotel’s information is secure has never been more important.

This free webinar will take place on Thursday, June 25 at 10:30 AM PDT / 1:30 PM EDT. Register Now.

Join our panel of cybersecurity experts and hospitality veterans for a 1-hour webinar to discuss:

  • What personal information hotels collect and how they use it
  • The role of hotel owners, operators and brands in guest information
  • Technology aspects of information collection, use and protection
  • Insurance issues – how to mitigate risk and cost using insurance
  • Legal obligations and compliance

This discussion will be moderated by Robert E. Braun, partner and co-chair of the Cybersecurity and Privacy Group at Jeffer Mangels Butler & Mitchell LLP who works with companies on their data technology, privacy and security matters. Bob is also a senior member of JMBM’s Global Hospitality Group® and has more than 20 years of experience in representing hotel owners and developers in hotel management and franchise agreements, condo hotel securities issues and many transactional matters, including entity formation, financing, and joint ventures.

Our speakers include:

  • Jonathan Adam, Co-Founder and Chief Technology Officer, Tiered Communication Services, Inc.Jonathan Adam is a founding member and CTO of Tiered Communication Services, Inc. With 17 years of hotel experience, he pairs high end development projects with extremely secure advanced technology systems for an unsurpassed guest user experience, driving amazing rates of return to owners. He holds multiple technology patents, and co-founded the ySuite Incubator in Austin and PracTECHal Solutions headquartered in Las Vegas. The ySuite team owns and operates multiple hotels in the Austin area, and utilizing the TCS technology infrastructure, they generate significant amounts of high margin add-on revenue through new hospitality revenue channels.
  • Jack Westergom, Managing Director and Founder, Manhattan Hospitality AdvisorsJack Westergom is Managing Director and Founder of Manhattan Hospitality Advisors. Jack is a veteran hotelier whose background includes asset management, hotel/resort operations, international marketing, investment relations and real estate development including many of the top 25 hotels and resorts in the world. Manhattan Hospitality Advisors has provided oversight on over $18 billion of hospitality assets around the world and has helped hotels to successfully navigate through four real estate downturns.
  • Heather Wilkinson, SVP, FINEX E&O/Cyber, Wills Towers WatsonHeather Wilkinson is SVP in the FINEX Cyber & E&O practice for Willis Towers Watson with over fourteen years of experience in the cyber insurance industry. Heather is a founding member of the Willis Towers Watson E&O and Cyber Broker Team; she joined the organization in 2006 and has been instrumental in placing some of the largest towers of E&O and Cyber insurance placements in the world. She is uniquely qualified to handle Cyber and Professional Liability issues and placements and is based in Los Angeles.

There is no fee for this program.

REGISTER NOW CONTINUE READING →

Contact Information