Data Breach: To Report or Not to Report


March 26, 2018
Legal Corner
Sean Cox, CIPP/US

©2018 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.



The news is awash with stories of well-known, well-respected companies falling victim to data security breaches that expose thousands or even millions of customers’ private information. The statistics are staggering. According to the Identity Theft Resource Center, in just the first 10 months of 2017 there were 1,120 reported breaches affecting more than 171 million records. These are just the breaches that were discovered and reported. The true number of breaches is likely far greater. When faced with a potential breach, every company must weigh the costs and risks of reporting the breach or not.
 
Consider the well-publicized breach suffered by Sabre Corp.’s reservation processing unit. This breach affected customers of more than 36,000 hotel properties. There was also the payment card breach at IHG that affected customers of more than 1,200 properties. These are just two of the larger breaches that affected the hospitality industry. This industry is a prime target of bad actors. According to the 2017 Verizon Data Breach Investigations Report, 15 percent of all studied breaches were in the retail and accommodation industries. 
 
While organizations are improving their response, the costs of data breaches are still astronomical. A 2017 study conducted by the Ponemon Institute and sponsored by IBM reviewed breaches at 419 companies in 13 countries. It estimated the average cost of a breach at $3.62 million and the average cost per compromised record at $141. Extrapolating these figures to the total number of known breaches, the costs run into the billions of dollars. Costs include investigation, remediation, notification, the value of lost data, legal and vendor fees, civil penalties, credit monitoring and lost customer goodwill. Harder to quantify is the institutional embarrassment. Nor do these figures fully capture the cost of class action lawsuits like those faced by both Sabre Corp. and IHG.
 
In light of the massive cost it is unsurprising that organizations are reluctant to make suspected or known breaches public or to report them to government agencies. Often a business only suspects that a breach has occurred, or does not yet know its severity. It may be hard to justify incurring huge costs when a breach is only a possibility, but there are legal, ethical and commercial interests that must be considered.
 
When It’s The Law
The easiest cases are those clear breaches that implicate breach notification laws. There are nearly as many breach notification laws as there are political subdivisions. In the United States alone, nearly every state has its own breach notification law, and while there are similarities among them, every one is different. Many even purport to apply to companies outside the state's borders. On top of that, industry-specific federal laws also require breach notification. To add further complexity, many countries have their own breach notification laws. The most well known example is the European Union's General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018, and which, among many other mandates, requires organizations to notify the supervisory authority of a breach within 72 hours of becoming aware of it.
 
There is no easy answer as to what breach notification laws may apply. This is especially true in the hospitality industry where a company often has multiple locations and serves customers from many different states and countries. A full analysis of every breach notification law is beyond the scope of any single article, but in the event of a breach or even suspected breach, a good rule of thumb is to look at the laws of three different types of jurisdictions: 1.) where the company is located, 2.) where the affected data is located, and 3.) where the persons affected by the breach are located. These are the three most likely locations whose laws will apply.
 
In situations where notification is mandated by law, the calculus is easy. The cost of not complying is far too great to risk. Failing to comply with breach notification laws risks both civil and criminal penalties. The GDPR likely has the most onerous penalty provisions, but it is a good example of what is possible. Violating the GDPR can result in fines of up to €20 million or 4 percent of an organization's worldwide annual turnover, whichever is greater. For some organizations such penalties could easily reach into the billions.
 
Most of these laws are written broadly and are intended to ensure that consumers are notified. However, there will always be gray areas: situations where a breach may or may not have occurred, or where the law simply does not reach. In those edge cases the high cost and obvious headache of disclosing a breach or potential breach create a temptation to avoid going public.
 
Ethical Obligations and Customer Trust
Customer trust is critical in the hospitality industry. Discretion and the safeguarding of guest privacy have long been hallmarks of the most successful hospitality companies. For many customers the hospitality industry offers a home away from home, and those customers have a heightened need for trust in their providers. Trust is a fleeting thing that can easily evaporate if abused. There is a strong argument that companies have an ethical duty to live up to the trust placed in them by their customers, and that ethical duty aligns closely with the commercial value of customer trust.
 
The costs of a breach are without question high, but the constant stream of breaches has desensitized much of the public. Recently, companies suffering major breaches have received far greater criticism for their seemingly clumsy response than for the breach itself. Consider the Equifax breach, which is believed to have affected more than 145 million consumers. Equifax waited at least six weeks after the breach was first suspected before it notified consumers. During the delay, there were reports that executives sold Equifax stock. Compounding the delay, even after the public was notified, Equifax was slow to offer credit monitoring and appeared to require affected individuals to waive certain rights in exchange for it. Equifax's response led to a huge public outcry, congressional hearings and massive class-action lawsuits.
 
We should learn from these examples. An attempt to avoid breach notification may make the ultimate situation much worse and the cost much greater. The 2017 Ponemon study referenced in the introduction bears this out. It found that having senior-level executives lead the breach response, focusing on maintaining customer trust, and offering identity theft protection services significantly reduced the loss of customers after a breach.
 
Conclusion
Much can be done to guard against security breaches, but some breaches are inevitable. When a breach occurs, there will be an initial temptation to avoid publicity and the associated costs, but that may be a very short-sighted response. Whether or not notification is mandated by law, failing to consider the ethical obligations to customers and the trust they have placed in the company risks far greater consequences.

