Data Security: Drama in Real Life


October 01, 2014
Data Security
Marion Roger

Like many, Reader’s Digest was a fixture in my childhood home. Inexpensive, readily available and full of heavily edited excerpts and simplified versions of articles from other periodicals of the time; it was the perfect reading companion for a young and curious child.
 

There were several favorite sections: Points to Ponder, Picturesque Speech, Laughter, the Best Medicine, Life in these United States, and one of the most exciting, Drama in Real Life.
 
Drama in Real Life covered horrible plane crashes in the wilderness and those scary stories of three kids in a burning house.  Then there was the perennial favorite: a lone mountain lion attacking joggers in the woods.  It was thrilling reading, (although to be fair, living in suburban North Jersey meant I was more worried about black bears than mountain lions.)
 
Yet my all-time favorite was (and still is), It Pays to Enrich Your Word Power. With a rapacious appetite for reading, a keen admiration for public speaking and major ambition for an eventual career in broadcast journalism, I would skim the plane/fire/mountain lion stories and go right to that amazing section, one that promised to enhance my vocabulary tenfold.
 
Why am I on this nostalgic kick? It’s a pretty simple explanation. You have been hearing and reading about PII (personally identifiable information) as well as PCI DSS (Payment Card Industry Data Security Standard) for a long while now. We regularly write about data security, speak about it and create and give training on how to protect it. I think about it 24/7, all on your behalf.
 
Yet, as became sadly obvious during recent webinars, conferences and industry networking cocktail parties, many are actually quite semantically challenged. Let’s Enrich Your Word Power today and review some key terms bandied about in daily data protection discussions. Understanding these terms is vital when discussing policies, procedures, vulnerabilities or risks.

Before we take that deep dive, remember that personal information is not limited to guest data. It is collected, used or disclosed in the process of hiring, managing or terminating employees; this includes that information obtained during the prescreening process (credit and driving records, drug testing). Personal information of this nature is obtained and stored in human resources for staff as well as for independent contractors, part timers and even unpaid student interns.  In addition, there are files on those potential hires who were retained along with former employees.  And to make it even more complex, data extends to the family members of employees as well.

Data privacy versus data security: isn’t it the same thing? Not really. While they are kissing cousins, there is a difference. Data privacy is focused on the use and governance of personal data: things like putting policies in place to ensure that guests’ and employees’ personal information is being collected, shared and used only in appropriate ways. Compare that to the term data security, which is the conversation about protecting the aforementioned data from malicious attacks designed to obtain or steal said data for profit.
 
Data security and all of its wrinkles have dominated tech talk in the last year. However, today the data security conversation has changed. The huge shift we’ve heard in the first half of the year is dealing with the risk of the insider threat. CIOs and everyone else are waking up to reality: relying on compliance checkmarks and endpoint security won’t cut it when you’re trying to empower employees with the tools to work with more data in more places. Whether it’s a rogue database administrator or the risk from unprotected files unintentionally shared outside of the company, more and more the industry is grappling with staff incompetence, ignorance or malicious intent.
  
Additionally, the realization is sinking in that while security is necessary for protecting data, it’s not sufficient for addressing privacy. So I’ll quickly review privacy, which is defined by the International Association of Privacy Professionals (IAPP) as the “appropriate use of personal information.” What counts as “appropriate” actually depends on several criteria: context, law and the individual’s expectations. Privacy also covers the right of an individual to control the collection, use and disclosure of personal information.

We see and hear the term PII (personally identifiable information) everywhere today. Interestingly, everyone acts as though they have it nailed and glibly defines the components that make up PII as the usual suspects: a given individual’s name, social security number, date and place of birth and even his mother’s maiden name. The reality is that it is more, much more.
 
First off it includes biometric identifiers which “identify a specific human from a measurement of a physical feature unique to that one individual.” Some examples include one’s hand geometry, a retinal scan, iris scan, fingerprint patterns, facial characteristics, DNA sequence characters or voice prints.  However here is the jolt: biometric identifiers also are defined as a “repeatable action of the individual.”  Translation: someone’s (handwritten) signature is PII.

How about the difference between identifiable and identifying? Identifiable information is data that can be used, either on its own or with other information, not only to identify but also to trace, contact or locate a specific individual. Identifiable information can also be used to identify an individual in context.
 
Context is key! Why? Context is vital in determining whether data is personal as well as identifiable or identifying. It is context that turns an IP address from a string of numbers into a piece of information that can identify an individual. It is context that turns the geolocation history of a mobile device into a behavioral profile. It is context that takes personal user preferences tracked on a website via cookies and, when they are joined with other data, makes them personally identifiable. In other words, when user preferences can be linked to personally identifiable information provided by a user online, the user preferences also become PII.

IAPP has stated, “Directly Identifiable means any data set about someone in terms of making them directly addressable/contactable.” For this discussion, a postal address, cellphone and home phone number, and work and personal email address all constitute PII. But wait, PII does not end there. It includes any information that “is linked or linkable to an individual, such as educational, financial and employment information.” Thus rooming lists of conference attendees which show their titles and employers are PII.

Compare the above to another type of data: identifiers about individuals which, when viewed on their own, may not be very important. In the previous paragraphs, we discussed data that alone pinpoints an individual or allows you to contact or locate an individual. This second set of data is information that, once connected to other data, renders those individuals directly identified, even if that connection is not actually made in a given use case. Note: even if the relevant data set is unavailable to a particular organization to make the connection, the crucial element is that a connection is possible and a match would make it possible to pinpoint one unique individual. For example, loyalty program membership numbers on their own are not PII, but since the number can be connected to another set of data, and once it is connected it identifies someone specifically and makes them reachable or traceable, it falls into the same category.
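To make the linkability point concrete, here is an added Python example (not from the article) that classifies a table's columns as direct identifiers, linkable identifiers or non-PII, and then performs the join that turns a bare loyalty number into a named, contactable guest. The table names, column names and rows are constructed sample data, not anything from the article.

```python
# Added example (not from the article): classify a table's fields as PII when
# they are direct identifiers OR can be joined to a data set that holds direct
# identifiers, as the article says of loyalty-program numbers.

# Direct identifiers the article lists: on their own they identify, contact or
# locate one person (a handwritten signature counts as a "repeatable action").
DIRECT_IDENTIFIERS = {
    "name", "ssn", "date_of_birth", "mothers_maiden_name", "postal_address",
    "cell_phone", "home_phone", "email", "signature", "fingerprint",
}

# Constructed sample data: spa charges keyed only by loyalty number.
SPA_VISITS = [
    {"loyalty_no": "L-1001", "treatment": "massage", "amount": 180.00},
    {"loyalty_no": "L-1002", "treatment": "facial", "amount": 95.00},
]

# Constructed sample data: the loyalty roster held by another system. Whether
# the spa team can actually see it is irrelevant; the join is *possible*.
LOYALTY_ROSTER = [
    {"loyalty_no": "L-1001", "name": "A. Guest", "email": "a.guest@example.com"},
    {"loyalty_no": "L-1002", "name": "B. Guest", "email": "b.guest@example.com"},
]

def columns_of(rows):
    """Set of column names used by any row of a table."""
    return set().union(*(row.keys() for row in rows))

def classify_columns(rows, other_tables):
    """Map each column to 'direct', 'linkable' or 'non-pii'. A column is
    'linkable' when another table shares that column name and also carries a
    direct identifier, so a match would pinpoint one individual."""
    result = {}
    for col in columns_of(rows):
        if col in DIRECT_IDENTIFIERS:
            result[col] = "direct"
        elif any(col in columns_of(t) and columns_of(t) & DIRECT_IDENTIFIERS
                 for t in other_tables):
            result[col] = "linkable"
        else:
            result[col] = "non-pii"
    return result

def reidentify(rows, roster, key):
    """Perform the join the article warns is possible: attach the roster's
    direct identifiers to each row sharing the key."""
    by_key = {r[key]: r for r in roster}
    return [{**row, **by_key.get(row[key], {})} for row in rows]
```

Run against the sample tables, `loyalty_no` is classified `non-pii` when the spa table is assessed in isolation but `linkable` once the roster is in scope, which is exactly why it must be protected like a direct identifier.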

At HITEC 2014 in Los Angeles, one of the educational sessions on data security was presented by Lynn Goodendorf, director of information security at the Mandarin Oriental Hotel Group and occasional contributor to Hospitality Upgrade. Among several key takeaways was the idea that focusing on protecting guest and employee data solely as a compliance requirement is a mistake. In fact this dovetails with a question we hear a lot lately: Is protecting PII part of PCI DSS compliance?

The Payment Card Industry (PCI) Security Standards Council (SSC) stated, “The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.” The statement ends with this key clarification: “This comprehensive standard is intended to help organizations proactively protect customer account data.”

Everyone focuses on cardholder data, yet everyone seems to forget that the cardholder is the customer. And PCI DSS has defined cardholder data as any “personally identifiable data associated with a cardholder.” Hotel room, restaurant, spa and golf facilities are usually paid for by credit card, thus one can easily deduce that cardholder data is guest data, yet guest data sits unencrypted! So let’s state it again: according to PCI DSS, any and all “personally identifiable information associated with the cardholder (guest) that is stored, processed, or transmitted is considered cardholder data.”

Sadly, as hacker tactics and data pressures mount, the basis of compliance won’t keep customer data safe and your business protected.  In fact, many of the recent disastrous breaches involved companies who were actually found to be compliant under the PCI DSS standards.  Even the outgoing general manager of the PCI Standards Council, Bob Russo, gave this straightforward summary of compliance along the overall data protection spectrum: “Compliance does not equal security.  Even with the best standards in place, these criminals are persistent in their attacks and the businesses basically have to be defensive in their protections.”

Yet even though the council acknowledges that compliance does not guarantee security so much as provide a valuable baseline, it is crystal clear about its position that proactively protecting customer account data is the goal of PCI DSS.

Taking a defensive stance against insider threats means first and foremost facing the reality that PII is rife in your organization, that it is likely unencrypted, and that protecting it does help you meet PCI compliance standards.  True, compliance is not a panacea and does not come with any guarantees. But to those individuals whose data (PII) your enterprise collects, handles, shares, mines, stores and/or discards and who count on you to protect them, it is the least you can do. We all know there are predators out there hunting PII and that unlike the healthcare industry there is no real legislation protecting it. Staff and guests alike are the ones whose lives will be ruined when their PII falls into the wrong hands.  Just like the mountain lions who pounced on the joggers in Reader’s Digest, victims of identity theft are facing Drama in Real Life.

Marion H Roger, VP Hospitality Evolution Resources, is a specialist in the hospitality supply chain landscape who is currently leading an industry initiative to support guest data security and has developed a hotel-focused training curriculum on PII protection.

©2014 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.