Protecting Guest Data is no Picnic*


June 01, 2013
Guest Data Security
Marion H. Roger


According to a variety of experts, consumers are demanding that their personally identifiable information (PII) be better protected, and savvy businesses are making this a top-line priority across all industries. During a panel at the RSA Conference, a top-level security-focused industry gathering in February 2013, Brendon Lynch, chief privacy officer at Microsoft, declared that companies like his had come to appreciate the “market forces at play with privacy. It’s not just privacy advocates and regulators pushing,” Lynch said. “Increasingly, people are concerned more about privacy as technology intersects their life.”

This trend collides with another: companies are eager to maximize information about customers’ preferences. With business intelligence and analysis, big data means one can finally glean and analyze very specific customer data in an effort to increase loyalty and satisfaction. Since knowing and responding to guest preferences makes everyone happy, many tout big data as the next big thing.

Big data can mean big trouble when hotels wade into unknown waters, especially as we rapidly embrace virtualization, the cloud and BYOD for hand-held or tablet devices. Big data means dealing with new threats to sensitive guest data, which is unknown territory. Learning about the ways in which guest data can be compromised and how best to protect it is no longer the exclusive remit of the CIO or IT department. In too many situations, the real threat to information security is what is known as a PICNIC (problem in chair, not in computer).

It is time to call a spade a spade, as the old saying goes. Guest information is easily acquired or compromised by a variety of approaches that fall far outside the infrastructure or computer network. Today, hotels have few, if any, clear guidelines about how to protect PII and privacy, only that they must.

Despite the fact that PCI DSS compliance is understood and widely adopted, guest PII is still widely vulnerable. This is partially because guest records and loyalty club member data do not have to be encrypted, since they are not subject to PCI protection principles. Interestingly, there has not been much attention paid to the abundance of non-encrypted PII and non-anonymized data about hotel guests. Non-anonymized data is data that is not stripped of the individual’s name. Yet PII is actually more valuable to identity thieves than a list of credit cards, which are encrypted.

This series will cover the crime of identity theft and how it impacts both victims and the hospitality industry. It will look at the legislation in place and trends toward future regulatory moves that will impact the hospitality industry, and will discuss best practices and examine training as part of a cross-departmental policy initiative.

Storing guests’ information pre-arrival, while they are in house and after they’ve departed means hotel staff are touching, sharing, deleting or analyzing non-anonymized data. In addition, other departments and outside contractors share, email or store guest information for marketing, accounting and commission processing. In every case, careless or untrained users jeopardize both the guest and the hotel. Companies may have invested in the most advanced firewalls and anti-intrusion software, but human error is the Achilles’ heel that makes hotels attractive to criminals.

There are tens of thousands of organized crime rings that are laser-focused on obtaining information about individuals for malicious use, such as medical insurance fraud. According to a variety of studies, these criminals target the hospitality and travel industry because it is rich in non-anonymized PII. If guests knew how much information is kept about them and how easy it is for the criminal world to acquire it, one could anticipate a revolution of sorts.

According to experts, it may already be hindering e-commerce efforts. In a national survey last year, Forrester Research found that one in three consumers were concerned about companies having access to their behavioral data. More than 40 percent said they had stopped short of completing a transaction on a website because of something they read in a privacy policy.

According to a recent TRUSTe survey, 88 percent of respondents said they would avoid doing business with companies that don’t protect their privacy. “TRUSTe’s findings show that consumer worry and mistrust remain a clear and present danger in the online world,” said Chris Babel, CEO of TRUSTe. “To capitalize on growing online and mobile technologies, businesses must act now to dispel these consumer concerns. By delivering transparency and choice, good privacy management practices have been shown to build customer trust, allowing businesses to strengthen their brand’s reputation while pursuing new online opportunities.”

One would think the hospitality industry would be working hard to stave off government regulation. While there seems to be no movement on broad privacy legislation on Capitol Hill, there is more state legislation than hoteliers realize. For example, more states are adopting clearly written privacy laws to protect their residents’ personal information. The scope of these laws is evolving in significant ways. Today, data breach notification is no longer the key requirement; today’s laws mandate that companies take preventative measures to secure PII.

In March of 2010, Massachusetts passed law MA 201 CMR 17, which was the first in the nation to require specific technologies for the protection of personal information. In addition, the implications of the European Data Protection Directives and Safe Harbor Principles are relatively unknown, or hotels have been given misleading counsel about how to comply.

Protecting data across so many platforms and with so many users is a challenge that is best met by requiring awareness training, policies and procedures and strict enforcement. To protect the integrity, confidentiality and availability of guest and employee information in a highly networked environment, every person who touches, sees or works in any way with guest PII must understand how to protect it as well as the consequences of compromise.

According to Gartner, “80 percent of unplanned downtime is due to people and processes.” The Committee of Sponsoring Organizations of the Treadway Commission (COSO), an independent initiative of accounting sector organizations dedicated to developing a framework and guidance on enterprise risk management, internal control and fraud deterrence, makes the point that “internal control is affected by people. It’s not merely policy manuals and forms, but people at every level of an organization.” If companies prioritize privacy concerns as a part of every department’s mandate, the task of dealing with these issues won’t seem as daunting and overwhelming. Plus, in the long run, consumers will flock to companies that value privacy.

Firewalls, antivirus systems and other security technology are all part of any hotelier’s data security and data protection strategy. Every one of those products was no doubt sold on the basis of its effectiveness, yet as we see in the headlines, severe information security breaches keep happening and the problems are getting worse, not better. What’s going wrong? It’s the PICNIC problem.

It is almost impossible to be in business and not collect or hold personally identifying information about guests and employees, such as names and addresses, birthdays, and family members’ names and ages. Educating staff about privacy issues will ensure a culture of security throughout the business and increase customer confidence.

The next column will explore the crime of identity theft and discuss approaches in training for all staff members as hoteliers work to see the industry practice the PII protection principle daily.

Marion H. Roger, VP Hospitality Evolution Resources, is a specialist in the various technologies that support the supply chain landscape in hospitality and is currently leading an industry initiative to support guest data security.

Source: http://topics.nytimes.com/top/news/business/companies/microsoft_corporation/index.html?inline=nyt-org
TRUSTe: http://www.truste.com/about-TRUSTe/press-room/news_truste_releases_q2_consumer_privacy_index

©2013 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.
