Marion H. Roger
Large-scale data breaches of sensitive consumer information are top of mind today. During 2013 it seemed like every week there was some news story revolving around personal data and privacy breaches. In fact, over 600 major data breaches occurred in 2013 alone, including the recently disclosed data breaches at Target and Neiman Marcus. Yet what is shocking about this news is not that it happened; it is that no one seems to grasp the underlying issues, three of which should be a huge wake-up call for the travel and hotel industry.
The first of these is that as part of Target’s ongoing forensic investigation, it has been determined that certain guest information - separate from the payment card data previously disclosed - was acquired by the thieves. You read that right… Target’s in-depth forensic investigation found that the stolen information included names, mailing addresses, phone numbers and email addresses for at least 70 million individuals. This is data that is typically not encrypted within the hospitality environment. This is why the hospitality industry should be paying very close attention.
The second thing hoteliers and technology firms should pay attention to is that these recent headline-grabbing stories at familiar retailers and hoteliers (the White Lodging breach in January 2014, among others) have finally caught the attention of American lawmakers, who seem to agree across party lines: it’s time for a federal data security law. And the third is how much PCI compliance can be counted on to protect hotels.
One week after Data Privacy Day (annually on January 28), three different committees of the U.S. Congress held hearings where key expert witnesses were grilled on how the breaches occurred, how the companies reacted and how firms can protect consumers better. All three hearings had one unifying goal: determine whether or not a federal law needs to be enacted in order to protect personally identifiable information, also known as customer data. Given that more than 100 million people may have had their data stolen in a very small window of time (between November 2013 and January 2014), advocates say such a law is overdue and, more to the point, it will happen.
During one hearing on Feb. 3, 2014, senators repeated calls for legislation and insisted the government step in to review the vulnerability of the nation’s digital-payment systems. This was the first in a trio of sessions examining the enormous breaches recently uncovered around the country.
Sen. Elizabeth Warren (D-Mass.) declared that Congress needed to adopt tighter data-security protections and added that it is high time to heighten the Federal Trade Commission’s authority to police businesses failing to adequately protect consumer data.
“The FTC should have the enforcement authority it needs to protect consumers and it looks to me like it doesn’t have that authority right now,” Warren said during a Senate Banking subcommittee hearing. “Data security problems aren’t going to go away on their own, so Congress seriously needs to consider whether to strengthen the FTC’s hand.”
The Federal Trade Commission (FTC) testified before Congress on Feb. 4, 2014, on the agency’s ongoing efforts to promote data security, reiterating its support of a strong federal data security and breach notification law. Testifying before the Senate Judiciary Committee, FTC Chairwoman Edith Ramirez outlined the agency’s efforts to promote data security through civil law enforcement, education and policy initiatives. According to her testimony, since businesses are collecting more personal information about consumers than ever before, the rising reports of data breaches illustrate that these systems are simply too susceptible.
“Never has the need for legislation been greater,” FTC Chairwoman Ramirez said. “With reports of data breaches on the rise, and with a significant number of Americans suffering from identity theft, Congress needs to act.”
The experts testifying were unified in saying that strong, central legislation is now required. One key goal is that legislation be passed to allow the FTC to seek civil penalties when enforcing data security violations. (Note: this is currently only an option in “certain data security violation cases,” for instance, cases in which a company fails to protect children’s information.)
U.S. Senators Richard Blumenthal (D-Conn.) and Ed Markey (D-Mass.) introduced the Personal Data Protection and Breach Accountability Act, a bill that would help protect consumers by taking a multi-pronged approach to combating the risks associated with data breaches. The bill has several components, one of which the hospitality industry must sit up and take notice of: a section designed to “Deter Preventable Breaches.”
Simply put, in order to help prevent sensitive personally identifiable information (PII) from falling into the wrong hands, the bill creates a process for helping companies establish appropriate security plans to “safeguard all consumer information.” Take note: the new law will hold you accountable for failing to comply with these plans.
This raises the question: who really bears responsibility for protecting consumers’ personal information beyond the credit card number and the information related to the card issuer? And how is the government going to enforce this in hospitality?
Witnesses from security firms, including Symantec, argued that any federal standards for data security should be flexible in order to allow for innovation, and that best practices or guidelines should be developed through a stakeholder input process that allows for collaboration between companies, consumers and law enforcement. However, stakeholder collaboration will not be industry-specific, and that is where the worry lies. It is unlikely that the retailer (hotelier or online travel agent), the third-party technology entity facilitating reservations, or the firm handling data collection and storage for your loyalty and promotion activities will ever have a say.
Given the plethora of guest data kept to enhance the customer experience, and the amount of duplication of guest data across a myriad of systems (pre-arrival, during the stay and post-departure), can the players who dot the landscape develop integrated systems and technology to encrypt guest data in all the various departments and systems? And if so, can it be done quickly enough once a law is created and passed? And even more to the point, is technology the solution?
Bob Russo, general manager of the PCI Security Standards Council, also testified at the hearing, stating that he wanted to make sure lawmakers understood that “data security is about people, process and technology, not just technology.”
The writing on the wall is clear. Protecting personally identifiable information (PII) is no longer entirely on the shoulders of “those guys over in IT.” Nor is PCI compliance sufficient. A common misconception is that PCI was designed to be a catch-all for security. The experts reminded lawmakers that PCI DSS serves as a baseline for security, giving businesses guidelines for basic security control to protect cardholder and personal data.
Clearly, without PCI DSS, countless businesses would likely have fewer security controls (if any) than they do today. However, one key point of the testimonies was that companies can improve their security posture by first understanding that the PCI DSS is the floor, not the ceiling, when it comes to security. While the PCI DSS helps businesses deploy some essential security controls, it does not cover every attack vector, such as targeted malware, mobile devices and cloud technology.
Phillip J. Smith, Senior Vice President at Trustwave Security, said, “Businesses should regularly provide security awareness training to all employees, including contractors and temporary workers. Executives and business leaders are also prime targets, so training should be required for anyone who has access to private information. Training can help them follow security best practices to reduce the risk of infiltration.”
The way we as an industry move forward is to take a truly holistic approach: bringing HR in to train employees on the impact and risks of identity theft, and bringing legal in to review contracts with companies that handle guest data. The company that developed your new mobile booking engine in 2013 may not have the right security in place -- can you protect your brand if it does not? The list goes on. And so will the data breaches and the news headlines.
One has to ask: is it already too late? When you consider that the government is going to act and put laws in place that the hospitality technology industry will have had no voice in drafting, but will quickly be found in violation of and fined heavily for, it seems that the bottom line is the saddest of punch lines: staff, guests and owners alike will pay the real price.
Marion H. Roger, VP of Hospitality Evolution Resources, is a specialist in the hospitality supply chain landscape who is currently leading an industry initiative to support guest data security and has developed a hotel-focused training curriculum on PII protection.
©2014 Hospitality Upgrade