One of the great breakout sessions at our recent Meet the Money® hotel conference in Los Angeles was organized by my partner Bob Braun and moderated by Jeff Higley of HotelNewsNow. I was particularly impressed by the panel’s evidence of how costly cybersecurity breaches can be, how much can be done to prevent or limit exposure, and how reasonable the cost can be for a pro-active approach.
Here is Bob Braun’s summary of this panel last week in Los Angeles. This is a compelling call for an ounce of prevention. . .
5 Cybersecurity takeaways from Meet the Money®
Bob Braun, Hotel Lawyer and Data Security Advisor
Meet the Money® changes with the times, and the 2016 conference showcased the first panel on Cybersecurity in the hospitality industry – “Who’s Knocking at Your Digital Door,” featuring Bob Braun, from JMBM’s Global Hospitality Group and Co-Chair of the Firm’s Cybersecurity and Privacy Group; Bob Justus, of Optiv Security; Brad Maryman, from Maryman & Associates; Christian Ryan, from MARSH; and Kevin Shamoun, from Zeamster. Jeff Higley, of STR/HotelNewsNow.com moderated the panel.
The panelists, representing technical, legal law, law enforcement, insurance and payment systems, identified key cybersecurity challenges for the hospitality industry. Five key takeaways were:
- Compliance does not equal security. Each of the panelists agreed that while meeting legal and business requirements is essential, compliance does not necessarily achieve real cybersecurity — completing checkboxes on a task list or questionnaire is only a first step. The panelists noted that each of the major hotel breaches in the last year, which involved every major hotel chain, implicated point of service credit card systems that complied with industry standards. Hotels and hotel companies need to look beyond complying with standardized requirements and has to evaluate their own risk profile and apply meaningful security plans.
- Informed response is better than instant response. Too many organizations make the mistake of reacting before they think, especially when reporting a breach. Data breaches can be complicated matters, and it is essential to understand the scope of the breach, the data and individuals involved, and how a firm can remediate the source of the problem before disclosure. There is no question that speed is important, but some breaches do not require notification, while acting without ascertaining the facts can require multiple notifications, which is damaging to reputation and sends the wrong message.
- Credit cards are not the only risk. While much focus is placed on the theft of credit card numbers, hotels must consider other risks. Hotels and hotel companies hold massive amounts of sensitive personal information that can be used to steal a guest’s identity. Moreover, hotels need to consider more than data; the interconnection of systems means that breaking into a financial structure can give a hacker access to door locks, heating and air conditioning systems, electrical, plumbing and other key structural and physical parts of the hotel. What would happen if a hacker flooded a hotel, or opened the doors? This damage can far exceed the damage from lost credit cards, and cause untold damage to the hotel, its brand and owners.