In response, Senators Arlen Specter (R-Pa.) and Patrick Leahy (D-Vt.) introduced the “Personal Data Privacy and Security Act” in late 2005. This legislation is intended to help consumers better protect the privacy of their personal information in the face of recurrent data security breaches across the country. It is still in Committee right now (S.1789), but when this legislation is eventually brought before Congress for a vote, it is expected to pass into law. Once that occurs, it will have a profound impact on the way that customer data is handled going forward, especially in the hospitality industry.
When the pending legislation was first announced, Senator Leahy, the Chairman of the Senate Judiciary Committee, said, “Our laws need to keep pace with technology. Insecure databases have become low-hanging fruit for hackers looking to steal identities and commit fraud during a time when we are seeing a troubling rise in organized rings that target personal data to sell in online, virtual bazaars.”
The Specter-Leahy legislation is largely based on similar laws that have been passed in the State of California, which is generally thought to be the most proactive state when it comes to consumer protection. One of the key features of the legislation is a requirement that any business engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing or disposing of “personally identifiable” information in electronic or digital form on 10,000 or more U.S. persons apply rigorous data privacy and security safeguards. This is a big change from the past, when bona fide data brokers such as ChoicePoint were the only companies held to such a high standard.
Companies that knowingly or unknowingly violate the data privacy and security program requirements, or those that cannot produce supporting evidence to the contrary, are subject to civil penalties of up to $5,000 per violation per day while such violations persist. In addition, the U.S. Attorney General can bring civil action in U.S. district court on behalf of the residents of that state. Recently, the Federal Trade Commission forced ChoicePoint to pay a $10 million fine, the largest civil penalty ever levied, as part of the settlement of an investigation into their security practices.
This legislation will impact virtually all hotel chains and most large independent operators because they conduct interstate commerce, and store personally identifiable information (e.g., credit card numbers) on at least 10,000 customers. At a minimum, hospitality companies will be held accountable for documenting and maintaining all data security procedures that are in place to protect guest information from identity thieves.
You may think that since your property management system vendor handles all of your customer data, you can’t be held accountable for whether they safeguard it or not. However, provision No. 5 above clearly states that you are in fact responsible for the actions of your service providers as well.
Besides the legal dimension, there are two other significant exposures. First, individual consumers can initiate civil lawsuits with large potential penalties if lost or stolen customer data ultimately results in the theft of their identity. Second, the national media has been quick to seize upon any customer data loss news. Consequently, you might find yourself on the front page of the Wall Street Journal, and not in a good way. The bad publicity alone could be very costly.
Hackers are everywhere, and they are constantly looking for new and creative ways to access customer data. Yours has probably already been attacked multiple times without your knowledge. To make matters worse, if any security weaknesses are eventually found and exploited, word of this will spread, and you will become an ongoing target for other hackers, perhaps even more dangerous than the ones who came before.
The bottom line is this: if it is unclear as to whether the proper controls and procedures currently exist at your company, a complete review of the way your guest data is handled is highly advisable before it is too late. There are a number of relatively simple things that can be done to not only lessen the likelihood that you will be attacked in the first place, but also demonstrate good-faith efforts to mitigate risk. This becomes important if an incident does occur, and auditors later ask, “What did you do to prevent this?”
Your first step should be to conduct a compliance assessment, which is effectively a gap analysis intended to ascertain and document where your organization stands today relative to the “Interagency Guidelines Establishing Standards for Safeguarding Customer Information,” the benchmark the federal government is using to measure compliance. The assessment is not a formal audit where the results are shared with any outside entities. The findings are yours to keep and act upon as you see fit. Once this has been done, a custom program can be developed intended to address all seven of the key areas of focus set forth in the legislation. Considering what’s at stake, this is relatively inexpensive insurance.
Rick Warner is Thoughtmill's vice president of Travel Services. A 20+ year industry veteran of world-class organizations like Disney and Marriott, he has successfully implemented large-scale projects all over the world. He can be reached at rick.warner@thoughtmill.com.