29 December 2021
As hotels find new ways to use technology to attract guests and enhance their properties, they need to remain aware of the security challenges these technologies present.
Bob Braun, senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group, explains three basic issues for 2022 that all hotel owners need to be aware of to ensure their business and guest information remains secure.
Security Challenges in the Hotel Industry
by Bob Braun, Hotel Lawyer
Like virtually all industries, the hotel industry continues to be challenged by cybersecurity concerns. As we approach 2022, hotel owners and operators need to address some basic issues that impact the security of their systems and their guests.
- Wi-Fi. Providing wireless internet to guests has become a “must-do” for hotels – it’s not too much of an overstatement to say that a potential guest won’t stay at a hotel that doesn’t provide free Wi-Fi. But hotel Wi-Fi systems, particularly those in public areas, have long been a soft underbelly of cybersecurity. In the past 10 days, TechCrunch+ reported that “an internet gateway used by hundreds of hotels to offer and manage their guest Wi-Fi networks has vulnerabilities that could put the personal information of their guests at risk.” The system uses hardcoded passwords that are easy to guess and allow an attacker to gain remote access to the gateway’s settings and databases; the attacker can then use that access to reach and exfiltrate guest records, or reconfigure the gateway’s networking settings to redirect unwitting guests to malicious webpages.
- Social Media. Hotel brands and operators increasingly use social media to promote their properties and attract guests. But social media depends on the collection and use of personal information, and that information makes hotel companies one of the prime targets of bad actors. Their goal isn’t limited to credit card numbers; these threat actors are looking for personal information that allows them to obtain credentials and infiltrate networks. When a threat actor gains access to a network – which could be yours – they can pose an existential threat to a business through ransomware, extortion, denial of service, and other attacks.
- Vendors. Hotels depend on a multitude of vendors and third parties to operate. These range from point-of-sale systems to HVAC operators to property management systems. Every vendor that has access to hotel systems – and it’s surprising how many do – presents a threat, because that access creates an opening for a bad actor. What is more, each vendor itself relies on a variety of vendors, which means that every vendor’s vendor that has access to the vendor’s system may also have access to the hotel’s network. And as we’ve discovered from the breaches caused by the highly publicized SolarWinds software and the more recently discovered Log4j API vulnerabilities, even the most reliable of vendors cannot be blindly trusted.
These are not the only security risks that hotel companies face, but they demonstrate the conundrum that hotel owners and their operators face – the very things that create security challenges are also essential for operations. Hotels cannot stop offering Wi-Fi at the risk of alienating guests. Social media is a key part of marketing for hotels, giving hotels the ability to target potential guests at a relatively low cost, which is especially important during the current economic challenges. And vendors cannot be eliminated; there are too many functions that require special skills and experience that hotel companies cannot effectively bring in-house, at least at a reasonable cost.
But this does not mean that hotel companies can simply throw up their hands. If hotel companies make reasonable security efforts, they can control their risks and reduce the likelihood of a breach and the damage that brings. Organizations such as the National Institute of Standards and Technology have created frameworks to help hotel companies evaluate and address their risks.
The Jeffer Mangels Butler & Mitchell Global Hospitality Group, in conjunction with the Jeffer Mangels Butler & Mitchell Cybersecurity and Privacy Group, works with hotel companies to understand and address their security and privacy needs, and we are ready to help you. For more information, contact Bob Braun (rbraun@jmbm.com) or Jim Butler (jbutler@jmbm.com).
Bob Braun is a Senior Member of JMBM’s Global Hospitality Group® and is Co-Chair of the Firm’s Cybersecurity & Privacy Group. Bob has more than 20 years of experience in representing hotel owners and developers in their contracts, relationships and disputes with hotel managers, licensors, franchisors and brands, and has negotiated hundreds of hotel management and franchise agreements. His practice includes experience with virtually every significant hotel brand and manager. Bob also advises clients on condo hotel securities issues and many transactional matters, including entity formation, financing, and joint ventures, and works with companies on their data technology, privacy and security matters. These include software licensing, cloud computing, e-commerce, data processing and outsourcing agreements for the hospitality industry.
In addition, Bob is a frequent lecturer as an expert in technology, privacy and data security issues, and is one of only two attorneys in the 2015 listing of SuperLawyers to be recognized for expertise in Information Technology. Bob is on the Advisory Board of the Information Systems Security Association, Los Angeles chapter, and a member of the International Association of Privacy Professionals. Contact Bob Braun at 310.785.5331 or rbraun@jmbm.com.