The hospitality industry inherits significant amounts of information about the consumer: the obvious being financial details to pay for services, and also personally identifiable information (PII), such as name, address, phone number, and place of employment, collected during the check-in process. However, in tandem with financial information and PII, hotels may also know highly personal things. For instance, many consumers staying in a hotel, or using hotel amenities, will likely use the extended offerings. This may be to watch a movie in the room, take a drink or two in the hotel bar, let the kids play in the kids club, use the free Wi-Fi, park in the garage or order room service. In international hotels, the consumer will also have to provide passport information. In aggregate, hotels now manage and maintain a significant amount of personal information, from viewing trends, eating habits, healthcare data and children’s information to IP addresses.
And there’s more.
As well as the personal details mentioned above, there is the hidden metadata about a consumer's stay. For example, door entry systems in hotels are fully auditable; some even use fingerprint biometrics or a personal phone for accessing not only the room but also other hotel services such as spas and towel rentals. This allows a hotel to have a record of a person’s movements through the facility.
And this doesn't even cover the extended hospitality industry. The new vogue of the sharing economy has opened up new channels for hospitality. Providers, like Uber and Airbnb, require the consumer to release a plethora of personal information (driver’s license, family information), as well as personal financial data (salary, credit card information) that is housed in the application to use and reuse the service.
Yes, the hospitality industry knows a lot about us.
WELCOME TO THE HOTEL CALIFORNIA
With this personal information under the guardianship of the hospitality industry, consumers need to trust the industry to safeguard information and protect it from cybercriminals and misuse.
Hyatt Hotels had a recent breach affecting 250 of its hotels. This breach was aimed at stealing financial data, specifically credit card information. The breach was a point-of-sale attack. It was discovered in the middle of last year and publicly disclosed on Dec. 23, 2015. Hotels are becoming a target for cybercriminals because of the significant amount of personal data they hold. Most of the major chain hotels have been targeted in the last few years, including Trump Hotel Collection, Starwood Hotels and Hilton.
It’s not just hotels that are feeling the pressure of losing consumer information; the problem extends to the rest of the hospitality industry. Airbnb has revolutionized the industry by connecting people to rooms in a simple and cost-efficient way. Consumers simply sign into the Airbnb app, find a room, and book it. Almost anyone can place a room for rent using the app, and almost anyone can apply to rent it. The problem with this model is that Airbnb has to balance individual safety with the privacy of PII, which is difficult to get right. However, some of Airbnb’s privacy policy clauses leave much to be desired. For example, they state: “If Airbnb undertakes or is involved in any merger, acquisition, reorganization, sale of assets or bankruptcy or insolvency event, then we may sell, transfer or share some or all of our assets, including your personal information. … and becomes subject to a different privacy policy.”
With regard to protecting private information, they state that: “…we cannot guarantee the absolute security of your transmissions to us and of your personal information that we store.”
The arrival of the Airbnb Verified ID system has also thrown a spanner into Airbnb's privacy works. This system was introduced as a way to enhance the safety of Airbnb users by validating that they are who they say they are. The system requires offline documentation, such as a passport or other photo ID, to be uploaded directly to the system. Several people find this an excessive amount of identification to hand over to book a room. The fact that this is performed across the Web, and under privacy policies which expressly state that your data may well fall under the remit of a privacy policy you didn’t originally sign up for, is just too risky for some consumers.
Now, add in that the individuals who rent their rooms could install hidden cameras to record your entire stay, listen in on your conversations, and log, as well as monitor, traffic across the Wi-Fi they provide. How much of your privacy, both digital and physical, is at risk in the personal residences of others?
IT’S ALL ABOUT TRUST
Good hospitality must be based on trust. Consumers of hospitality services need to provide personal details, financial data, and biometrics within a secure environment that respects privacy. The hospitality industry is in quite a unique position. It holds a wide-angle view of information about the consumer, from financial to personal, to biometric and beyond. Some of the information may be a snapshot in time, but nonetheless it could have far-reaching repercussions on personal and corporate privacy. The hospitality industry must not only ensure that cybercriminals are prevented from stealing our information, but must also respect the often very personal information it holds about its guests.
Consumers and good corporate citizens need to take notice of both good and bad practices when staying at hotels, ask questions about how data is handled, and assess risk as best they can to help ensure the safety and security of personal and company information, as well as overall well-being. Consumers must be diligent and pay close attention to what’s happening. While the likelihood is low that a hospitality professional would compromise consumer safety and security, just like in every other industry, bad apples exist. Yes, it’s certainly about trust, yet with trust comes verification. Consumers can be the front line of defense against the misuse of information. Staying vigilant may mean the difference between a wonderful business trip or vacation and a nightmare of paperwork and clean-up on one’s credit or the company’s reputation.
AVANI DESAI is a principal and the executive vice president at Schellman & Company, Inc. She has more than 14 years of experience in IT attestation, risk management, compliance and privacy. DAN LOPRESTO is a director of information protection and privacy, adjunct professor, as well as founder and principal of a technology solutions and security company. In his full-time role, Dan oversees data protection and privacy-related projects, business continuity, and is heavily involved with regulatory compliance and vendor contract reviews/negotiations for a large, publicly traded hospitality company.
©2016 Hospitality Upgrade