The Three Pillars of Privacy


October 01, 2012
Security
Mark G. Haley, CHTP, ISHC


When you page through this magazine or look around the show floor at HITEC and other events, you will no doubt find articles, headlines, advertisements, booths and flyers proclaiming something about PCI compliance. PCI, and complying with its standard, is certainly front and center for every hotel company and, indeed, for any merchant that accepts credit cards.


However, a laser-like focus on PCI may accomplish the laudable goal of meeting the standards of payment card industry self-regulation, but it misses the broader need to paint a complete picture of data privacy within your hotel company. In order to have a holistic view of data privacy, the hotel enterprise must build effective strategies to address three pillars that together represent an effective model of data privacy for the guest, the company and the associate. 

The three pillars are: data privacy regulation, data security technology and practices, and creating a culture of privacy.

Embracing one or two of these pillars will certainly help the enterprise improve fulfillment of the hotelier's age-old commitment to guest privacy. However, failing to address all three will inevitably leave a gap that can expose the hotel company to undesired outcomes and less-than-complete satisfaction of that commitment. The optimal approach for a hotel company is to systematically address each pillar with a multidisciplinary team committed to changing the organization, with the budget and seniority to make it stick. Looking at data privacy broadly, with regulation, security technology and culture as the three primary components, is the only way to encompass the subject and ensure a company meets and exceeds guest expectations.

Data Privacy Regulation
Clearly, the tall pillar holding up the roof of privacy compliance is regulation. Regulation comes in various forms and flavors around the world. Most notably, the Payment Card Industry Data Security Standard (PCI DSS, generally shortened to PCI) is not legal regulation, but rather industry self-regulation. This self-regulation is imposed by the card brands (Visa, MasterCard, American Express, Discover and JCB). The brands give self-regulation meaning by requiring merchants to agree to comply as a clause in the merchant agreement, to the effect that if you want to accept credit cards, you must agree to comply with the full range of the standard. The brands give the contract teeth by reserving the right to fine noncompliant merchants, with the fine typically levied on the acquiring bank and passed through to the merchant.

Domestically in the United States, other forms of regulation are federal and state laws enforced by statutory fines and vulnerability to lawsuits. These regulations include the Fair and Accurate Credit Transaction Act (FACTA), Sarbanes-Oxley (SOX) and more.  

At the state level, there are a number of laws, often contradictory, including the spectacularly bad Massachusetts regulation known as MA 201 CMR 17. This problematic regulation goes so far as to prescribe encryption requirements (for personal information transmitted over public networks and stored on laptops and other portable devices) among other low levels of detail. It also extends privacy regulation beyond customers to employee data, not in itself a bad thing. Note that most state laws apply to the state's residents rather than to where the data is captured or stored, so a hotel in California is theoretically subject to MA 201 CMR 17 if it holds personal information about guests from Massachusetts.

However, hospitality is a global business. Many hotel companies are global enterprises, and for all hotels guests can come from anywhere and go anywhere. Guests from other parts of the world will expect the same consideration of privacy to which they are accustomed. Therefore, privacy regulations in other regions are important to a hotel company operating in any region.

Privacy regulation in the European Union (EU) is among the strictest and most clearly defined bodies of rules in the world. Without going into too much detail for the space available, the European Union Data Protection Directive 95/46/EC enumerates a number of principles providing a framework for privacy regulation, with each member nation transposing the directive into its own national law. These different transpositions certainly can lead to variation in rules and enforcement, but the principles (expressed for U.S. companies in the Safe Harbor framework as notice, choice, onward transfer, security, data integrity, access and enforcement) remain consistent.

In a flat world, it is inevitable that the strictest regulatory approach becomes the de facto standard. Therefore a hotel company with any international pretensions or expectations of satisfying the privacy concerns of European guests will do well to keep one eye firmly on EU privacy regulation and understand the Safe Harbor program negotiated between the U.S. Department of Commerce and the European Commission.

These trends should deepen and demand broader compliance. Notably, the focus of privacy regulation today is not on traditional merchants such as hotels, but on the massive social networking services like Facebook and search mega-glomerate Google. That focus doesn’t give hotel companies a free pass, but rather buys time to get the house in order while regulators are looking elsewhere.

Data Security Technology and Practices
For many hospitality technology professionals, the nuts and bolts of data security are where the privacy discussion starts and ends. These topics include the obvious ones: changing default passwords on all systems and appliances, eliminating shared passwords, closely controlling remote access, and investing in state-of-the-art firewalls, routers and gateways. These areas alone will keep the network managers busy, but, if implemented well, they limit practical exposure to a breach.

An often overlooked component of data security technology involves log files, audit trails and file integrity monitoring (flagging unapproved changes to crucial configuration and executable files). While it may seem like arcane minutiae to many, these tasks and the monitoring of them can often be automated so that one manages the exceptions rather than the norm.
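As an added illustration of the file integrity monitoring the paragraph above describes (this is example code written for this page, not something the author or any vendor supplies), the following builds a baseline of SHA-256 hashes over a directory tree, rehashes it later, and reports only the changes that were not pre-approved. The directory layout, file names and the "approved" set are constructed here for the demonstration; in practice the baseline would be stored out of reach of the monitored host and the approved set would come from the change-control process.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline, current, approved=frozenset()):
    """Diff two snapshots.

    Paths listed in `approved` (changes covered by a change ticket) are reported
    separately so the operator only has to look at the unapproved exceptions.
    """
    report = {"added": [], "modified": [], "removed": [], "approved": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            kind = "added"
        elif path not in current:
            kind = "removed"
        elif baseline[path] != current[path]:
            kind = "modified"
        else:
            continue  # unchanged: the norm, nothing to manage
        report["approved" if path in approved else kind].append(path)
    return report


def demo():
    """Constructed sample: a tiny PMS-style tree with one ticketed change and two unapproved ones."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "pms.conf").write_text("db_host=10.0.0.5\n")
        (root / "etc" / "ssl.conf").write_text("protocols=TLSv1.2\n")
        (root / "bin" / "pms.exe").write_bytes(b"MZ original")

        baseline = build_baseline(root)

        # Change window: the ssl.conf edit was ticketed; the binary swap and the
        # new DLL were not, and those are the two lines an operator should see.
        (root / "etc" / "ssl.conf").write_text("protocols=TLSv1.2 TLSv1.3\n")
        (root / "bin" / "pms.exe").write_bytes(b"MZ tampered")
        (root / "bin" / "helper.dll").write_bytes(b"MZ new")

        current = build_baseline(root)
        return compare(baseline, current, approved={"etc/ssl.conf"})


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Scheduling `build_baseline` and `compare` from cron or a task scheduler and alerting only on the `added`, `modified` and `removed` lists gives the "manage the exceptions" behaviour the text calls for; the baseline file itself must be protected, since an attacker who can rewrite it can hide a tampered binary.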

Often lumped in with data security technology under the imperative to validate PCI compliance, most hoteliers find that they spend as much time defining and controlling paper cardholder data processes as they do the much higher-risk electronic data. A risk-based approach suggests prioritizing the electronic data and focusing on access, the perimeter and audit trails.

Culture of Privacy
By far the most difficult to define and execute pillar is the cultural and educational component. How does one create a culture and awareness of privacy in the enterprise? The answers vary immensely across companies according to the size, scale and complexity of the enterprise. Some of the relevant principles that are proven to work include:

Assign an owner. Perhaps with a title like chief information security officer, the individual or department responsible for data privacy and security must be senior enough to get the job done, have a budget and resources to work with, and have the uncompromised support of the rest of the top management team. Organizational independence from both the IT shop and the marketing department is highly recommended, and may in fact be required by EU regulations under consideration.

Make awareness training apply to all associates. Data privacy training and education is not just for IT personnel and database marketers, although they certainly need a lot of it. The successful deployment of privacy awareness must include doormen and room attendants as well as front desk, reservations and accounting. The sales department is typically the worst offender and needs the most reinforcement. A logical corollary of this requirement: awareness training must be repeatable, adaptable, documented and delivered according to the needs of the audience. An acceptable use policy is a necessary component of an awareness program, but not a sufficient one. A room attendant doesn't care about acceptable use. A property needs to adapt the materials over time and to each audience, so a static handbook or PowerPoint deck quickly becomes useless. Different audiences require different delivery methods.

It's not just about data. The awareness curriculum must include components of privacy awareness unique to the hotel industry, not normally considered by privacy professionals. This includes tactics like writing a room number down at check-in rather than saying it aloud, checking IDs before issuing duplicate keys, and training line staff how to respond to press inquiries about guests, including celebrities and others.

Embrace the discipline of change management. Bringing cultural change into an organization requires multiple specific steps to get the individuals in the enterprise to buy into it. One useful change management model is known as ADKAR, an acronym for the successive phases through which the organization is brought: awareness, desire, knowledge, ability and reinforcement.

The systematic use of these three pillars will create a sustainable and holistic approach to data privacy compliance that will serve an organization, its guests and associates well. 

Mark G. Haley, CHTP, ISHC is managing partner of The Prism Partnership, LLC, a Boston-based consultancy serving the global hospitality industry in strategy, technology and marketing. For more information see http://theprismpartnership.com.  

©2012 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent. For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.

