⚠ We would appreciate if you would disable your ad blocker when visiting our site! ⚠

Data Security Part 3: Training Staff to Reduce Risks Associated with Data Breach

Order a reprint of this story
Close (X)


To reprint an article or any part of an article from Hospitality Upgrade please email geneva@hospitalityupgrade.com. Fee is $250 per reprint. One-time reprint. Fee may be waived under certain circumstances.


March 28, 2014
Data Security Legal
Richard Sheinis - rsheinis@hallboothsmith.com

Data breaches at huge companies caused by hackers get the headlines. The fact is that a very substantial number of data breaches at companies of all sizes occur because of employee mistakes and negligence. The “Global Cost of a Data Breach” study by the Ponemon Institute found that 35 percent of data breaches are attributable to negligence or human error.

In addition to the risk of damage to the business because of a data breach caused by employee negligence, such negligence can also lead to legal liability for damages to hotel guests resulting from the data breach. An increasing number of data breach incidents are resulting in lawsuits. When the breach involves personal information, such as credit card information, of hundreds or thousands of people, the result is often a costly class action lawsuit. The law regarding liability for breaches is still developing. Generally, a business entity is not legally liable to another for damages to another, unless the business did something wrong, such as being negligent, to cause the damage.

Since a business is generally liable for the actions of employees, a business can be liable for losses suffered by hotel guests as a result of their personal information being disclosed because of employee negligence.  If it is found that the employee was negligent because he was not properly trained or supervised on data security procedures, this lack of training or supervision can be another basis for the hotel to be held liable. Therefore, the importance of training and supervision is two-fold. It can reduce the likelihood of a data breach occurring in the first place. Second, if a breach does occur, it can reduce the likelihood of the business being liable for damages experienced by hotel guests.

The entire list of training and supervision measures you can take to reduce the risk of an employee caused breach is too lengthy for this article. However, here are five important aspects of training you can implement immediately to address the types of employee negligence that frequently lead to data breaches and business liability.

1. Mobile devices.
Although it might seem silly to train an employee on the self-evident principal of protect your laptop and don’t lose it, many employees are cavalier about the security of mobile devices, especially those that belong to their employer. An important aspect of this training is teaching employees to protect even a small mobile device, such as a USB drive, that might contain confidential information. Many employees think they will find the lost or stolen device, and therefore, delay reporting the loss to their employer. Train employees to immediately report lost or stolen devices. The sooner the loss is reported, the sooner the device can be remotely locked or wiped, thereby reducing the risk that the information on the device will be breached.

Another issue for mobile devices is the use of an unsecure, public Wi-Fi to log in to your network. Accessing your network through a public Wi-Fi allows anyone else on that Wi-Fi to exploit security gaps in your network. Install a virtual private network (VPN). A VPN is a secure connection that allows an employee to access the Internet through a public Wi-Fi, but the connection to your network is then through the secure VPN. Then train your employees to use the VPN only, when remotely accessing your network.

2. Password training.
Sharing of passwords, using simple passwords, and reusing passwords, is frequently a product of employee laziness. Educate employees on the importance of secure passwords. Strong, secure passwords are important not only for internal security among employees. A weak password can provide an easy to breach doorway for outsiders to get into your network. 

3. Using social media and other websites for personal reasons while at work.
Computer use training is a must and is easily enforced. Support your training by installing software to track your employees’ Internet usage while on a computer at the hotel. Then perform random audits to check compliance. The problem with employees going to unapproved websites, is that some websites look legitimate, but are actually bogus. They are specifically set up so that by going to the website, the user actually creates a path for the bad guy to connect to your network.  Even legitimate websites that are not built securely, can allow a hacker to go through the website to get into the network of a person that visits the website.

4. Leaving a computer unattended or not properly shutting down a computer. 

Most people would not leave their wallet or purse unattended, and easily available to others. Why do they leave their computer for others to access? Most likely it is because employees think it is too much trouble to secure or shut down a computer, only to turn it back on a short time later. Over 60 percent of enterprises surveyed for, “The Human Factor in Data Protection” from the Ponemon Institute responded that employees leave their computers unattended.

Unattended computers, including mobile devices, can be a prime target for a hacker. It does not take long for someone to download data to a USB drive, or place malware on a system, when a computer is unattended. Train your staff with the same warning we always hear from airport security, “Never leave your luggage (substitute computer) unattended.”

5. Opening attachments or Web links in Spam
Staff should be trained to identify phishing e-mails. These e-mails are intended to trick the recipient into disclosing personal information. Some of these e-mails are easily identified as being fraudulent. However, some are very cleverly camouflaged to look genuine. It could be an e-mail that looks like it is from your bank, asking you to confirm certain information. It might look like an e-mail from a retailer offering a discount coupon if the user clicks on a link in the e-mail. Opening the e-mail, or clicking on a link in the e-mail, can result in malware or spyware being downloaded onto the computer, which allows for credit card or other information to be stolen. The presence of such malware or spyware can be difficult to detect, resulting in the ongoing theft of information.

These types of e-mails are always changing, and are more cleverly disguised every day. Make sure your staff and coworkers are educated about phishing and what to do anytime they question the veracity of an e-mail.

When it comes to value for your dollar, training on proper data security policies and procedures can pay immediate dividends. It can go a long way to help ensure we do not see the name of your hotel on the news under the headline, “Guest Data Stolen from a Major Hotel!”

Richard Sheinis is a partner in the data security and privacy group of Hall Booth Smith, PC in Atlanta. He is a certified international privacy professional (CIPP-US), and can be reached at (404) 954-6954 or rsheinis@hallboothsmith.com. Follow him on Twitter: @SheinisCyberLaw.

©2014 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.

want to read more articles like this?

want to read more articles like this?

Sign up to receive our twice-a-month Watercooler and Siegel Sez Newsletters and never miss another article or news story.