Protect Yourself. Financial Hardships of a Security Breach

October 01, 2013
Data Security Insurance
Marion H. Roger

Federal Trade Commission v. Wyndham Worldwide Corporation, combined with the recent focus on how much real privacy we have anymore, means the hospitality space should focus with laser intensity on protecting the personally identifiable information (PII) of its guests and employees as well as reviewing how suppliers and vendors protect their data. However, beyond looking to protect the data and training employees to safeguard information, few hotels are actually prepared for the cost of a breach.

System flaws, malicious attacks and untrained or dishonest employees contribute to the vulnerability of businesses that handle private data about their clientele. Companies and governmental agencies of all types and sizes are targets. While the healthcare and the financial industries are subject to sector-specific regulation, the travel and hospitality space is the Wild West in comparison. Not only is the industry unregulated, but it is also less prepared for and less protected from the risk than it should be.

Not that anyone is slacking off with efforts to prevent breaches. Frequent security compliance assessments ascertain whether systems and procedures comply with current laws and regulations and generally accepted security standards. In addition, specialist firms like Halock Security Labs offer penetration testing to see if the IT infrastructure can withstand attacks.

However, beyond determining or avoiding vulnerabilities, hoteliers should evaluate the monetary impact of a security breach and be prepared should one occur. Breaches occur outside the protective perimeter of your IT team’s remit; firewalls and malware protection protocols are actually no match for today’s criminal. Stolen company laptops can reveal private details on thousands of customers. An executive’s hand-held device left on a plane may do likewise. Even something as simple as a disgruntled employee armed with a USB data storage device can walk hundreds of thousands of guest records out the door.

Another risk comes from third-party relationships. A company hired to pay travel agents’ booking commissions has the very information relating to bookings needed by criminals for fraud or identity theft. Criminals can also mount social engineering attacks on each individual whose information was compromised. Have contractors been audited for vulnerabilities and have you insisted on an SLA in your contract specifically related to data safety? If so, when is the last time you reviewed the verbiage?

The IT department believes it is doing its best to ensure data is protected and uses the latest technology to keep it safe. But if (or more likely when) there is a breach, the expense means a very costly item on the bottom line. Data security should not be exclusively an IT issue, and cyber-liability insurance is becoming a standard part of any risk management strategy.

According to a 2012 Verizon Communications report, the accommodation and foodservice industries accounted for half of all breaches. According to the Verizon report, a common misconception is that only large companies have to worry about protecting against data breaches. In reality, two-thirds of the 855 investigated incidents in the report occurred at businesses with 11 to 100 employees, a typical size of many hospitality enterprises.

Two years ago, Hospitality Upgrade broached the subject of cyber insurance with an excellent introduction to the matter by Scott Godes and Kenneth Trotter of Dickstein Shapiro LLP. A key point made was that most are focused on undertaking steps to reduce the likelihood of cyberattacks and putting policies and procedures in place to protect data or confidential information but overlook the “understanding of what insurance policies companies have, or could purchase, to cover loss or liability associated with a data breach or other cyberattack.”

Cyber liability or data breach coverage provides the coverage a business needs to address the multiple facets of a possible data breach incident. The cost to notify customers of the breach, offer free credit monitoring for a year, forensics to determine the size and scope of a breach, public relations and crisis management expenses, coverage for PCI fines and costs as well as the legal liability issues in the event the insured is sued for the breach are all covered.

Potential class action suits that result from data breaches mean costs escalate further. Almost as disturbing, and potentially as financially devastating as class actions, is the potential for litigation from businesses you work with. For example, that award-winning digital marketing agency that handles your loyalty club mailers and has access to and stores your guest data as a routine course of providing you a service may end up on the other end of a lawsuit. And any lawsuits your marketing partner might have to contend with from your former guests mean your digital agency may end up resorting to litigation against you as a defensive measure. How well covered are you if you had to pay liability due to any settlements or judgments arising out of such claims?

Financial consequences are damaging to the bottom line and often more expensive than anticipated. Yet, hoteliers tend to rely almost exclusively on technological solutions to manage this risk and either ignore data breach insurance or are unaware it even exists.

Hoteliers should not assume their current insurance companies will agree that breach coverage is provided by crime and CGL policies. “Owners and management companies concerned about having the right coverage in place for loss arising out of a data breach can purchase insurance marketed expressly for cyber-related loss in the hotel industry,” said Christine Marciano, president and CEO of Cyber Data Risk Managers, in Princeton, N.J., a leader in writing such stand-alone policies. “Data breach insurance is like automobile insurance … the minute you get in an accident you call them… they step in and deal with the various expenses and steps.”

The World Travel and Tourism Council predicts travel industry revenues in excess of $15 trillion by 2017. More than 50 percent of all travel reservations are now made online, including hotel reservations. The reams of guest data collected and stored outside PCI DSS parameters (names, addresses, personal email addresses, passport information), and with no real regulatory oversight, need protection. Given the fact that the emerging market for data security insurance is offering increasingly sophisticated products and higher policy limits, more hoteliers should be purchasing this valuable service.

Marion H. Roger, VP Hospitality Evolution Resources, is a specialist in the various technologies that support the supply chain landscape in hospitality and is currently leading an industry initiative to support guest data security.
©2013 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.


There are three types of data breach coverage.

1. Third-party coverage is a security and privacy liability policy that covers: regulatory proceedings defense costs, Internet media liability coverage, credit monitoring and employee training. This also covers wrongful disclosure of personally identifiable information (PII), or confidential corporate information in the hoteliers' care, custody and control, via a computer network or offline (e.g., via laptop, paper records, disks).

2. Privacy breach costs coverage provides protection for both forensic investigation expenses and any legal and public relations expenses.

3. First-party coverage handles any business income loss and dependent business income loss, digital asset replacement expense and cyber extortion threat and reward payments.