The Aftermath of the Pandemic and the Ethical (Legal) Implications of Data Deletion and Sanitization

An exclusive Hospitality Upgrade article series on securing customer and employee data - Part 3

So, the unthinkable has happened. You have to close the hotel, perhaps for good. Making some of the most difficult decisions of your career, you part ways with co-workers and friends, get rid of the food from the coolers and freezers and turn off the lights one last time. After agonizing days and nights of hard work, it is finally over and you can rest. Not so fast; there is still important work left to do. Strewn about your hotel, customer data lies in plain view and hidden on hard drives, cloud share accounts and third-party applications. You protected your staff and business, but who will protect your customers? Well, that task falls to you.

In the last articles, we learned that data can be stored in different forms and places, each with different levels of security and accessibility. Once the data is outside the property’s control, its use for identity theft and credit card fraud is possible. The options for a responsible custodian of the data are to either secure it or destroy it. The owner’s plans and those of the potential creditors will largely drive what happens next. Should you safely store the data? Is it legal to transfer the data to a new owner? Destroying data relieves the burden and obligation of possession; however, the potential use goes away for good as well. You just do not know, and THAT is the root of the problem! Will the current owners close the property with plans to reopen again in the future or sell it outright to a new owner with no plans for the asset to become a hotel again?

At some point, the property or business collected data. How it was accomplished and under what terms has enormous implications. Greg Duff, principal of Foster Garvey PC, brings into focus some critical aspects of data collection and use. “From many regulators’ perspective, the owner of data is the individual guest. That data may be in temporary possession of an entity that has certain rights with regard to how others may access, use and hold it.”

At the time the information was collected, the customer had been made aware of, and in some circumstances acknowledged, a privacy policy. Most of us simply check the box or skip over the text at the bottom of the form. That attached privacy statement carries significant information about how customer data is used in the present and future. “Whatever guest databases that may become part of the transaction, your due diligence checklist should include an examination of the privacy policy and practices at the time the information was acquired and if the successor will have any use of those assets,” Duff said. Privacy policies can change over time, and those changes do not confer new rights on previously collected data. Without proper segmentation of the database and the corresponding documentation of policy rights, a new property owner may have no legal right to use any of the data on the systems they have just acquired without first obtaining consent. As Duff puts it, “You can use and store that data; but ultimate ownership of that data likely belongs to the individual.”

Two significant types of relevant data may have been collected and are present on property. The most obvious is credit card data. Credit card data is covered under the PCI DSS (Data Security Standard) requirement created and maintained by the Payment Card Industry Security Standards Council, which consists of the major credit card brands. Among other things, it provides the required framework for processing and storing credit card data on behalf of these brands. Maintaining the PCI DSS standard is part of a business agreement between the credit card providers and the merchants that process customers' charges. Failure to maintain PCI DSS compliance is not considered a legally pursuable offense for the merchant (the business, hotel, e-business, etc.). Merchants instead were faced with several ominous outcomes, including hefty fines, higher processing fees or even the loss of processing privileges until compliance was achieved. The impact for some businesses would certainly be devastating. Some industries and businesses could continue to work via a mix of cash, payment terms or alternate payment methods. Hotels would never be able to operate that way. The disclosure of the credit card data itself could fall under the scrutiny of state or federal agencies such as the Secret Service, which in addition to protecting the President is also tasked with investigating and prosecuting financial crimes.

Properties also collected Personally Identifiable Information, abbreviated as PII. This includes a long list of data types obtained from multiple sources and covers not just our customers but our employees as well. Loss of this information triggers numerous reactions from local, state and federal agencies as well as some foreign states. Every U.S. state has security breach laws in place. The operable word here is ‘law’, which means that prosecution can occur from numerous sources. The definitions regarding PII data vary from state to state and country to country; it is not inconceivable that legally a hotel has gathered and harbors enough of it to constitute a ‘data breach’ if it falls into the wrong hands. Examples of this data might be employee benefit or payroll files, customer payment information forms, even sales programs. You thought that making a note of a bride's birthday and pet’s name was a great personal touch. In some states, that, combined with other information, might cross the line from customer data to personally identifiable data. There is a chance that printed employee payroll reports with social security numbers might still be on property as well. Our system doesn’t do that, you might say. Ready to bet on that?

Given the circumstances, the best bet is to sanitize the property of all onsite data. However, that data was expensive to acquire and has value to the new owner, right? Not so sometimes. Consider that the electronic devices housing data are not fixed assets of the building, and as such might not even be considered in the purchase agreement. That is certainly true of the paper and storage media scattered about. Simply put, there is no way for the new owner to have calculated the value of that data.

When it comes to the current economic situation, Turnbull Capital Group is uniquely positioned as a major source of experience and funding for the hospitality industry. With 36 years of hospitality real estate investment banking, Turnbull has been involved in nearly $19.5 billion of hospitality workouts, restructurings, bankruptcies, and receiver-controlled and lender-owned real estate. At the center of it all is Turnbull’s legendary co-founder and Senior Managing Director, Dr. Donald W. Wise. This time around, he sees the path a bit differently than in the past. While downturns and asset repositioning have always been part of a cycle, the last 8 months have been unique. Dr. Wise said, “The market is coming to us. The opportunities coming our way are requests to shepherd properties that have been shut down or are seeking cash liquidity via one of our preferred equity business models. Some owners have requested that we sell their hotels, while other hotels need to be repositioned. Regardless, they are being marked to market and will be a great opportunity for a new hospitality custodian.”

As many are finding out, the hospitality industry has been hard hit and there is little certainty left in regard to an asset's future. “The situation in whole is just unprecedented and is appearing to mostly resemble our engagements during the RTC debacle in the early 1990s,” Dr. Wise said. “As an example, we were invited to replace a construction loan that was funded for in excess of $80 Million in December; construction began; concrete foundations were laid and then the developer received a letter reading, ‘We’re only kidding – we are not going to fund any future construction on your project.’ Again, exceedingly bizarre behavior reminiscent of our RTC days engagements.”

It is this sort of uncertainty and instability that is fueling some of the activity in the hospitality investment market. In some geographic markets new construction has been put on hold, while in others it continues unabated. The determining factor lies with the investors or funding institutions who assess the risk and reward of the project and the market. For existing properties, the outlook might be far grimmer, and the choices limited. Previous waves of new construction, renovation and redevelopment have left some hotel properties with some unfavorable choices. Dr. Wise said, “There are lots of assets that were functionally obsolete hotels before, and many will be converted to student housing, some form of residential, or some alternative commercial use.”

This repositioning clearly negates the value of the previously collected data. “What you are talking about is the fiduciary obligation of the previous owner in regard to that data,” Dr. Wise said. Repositioning takes considerable time to change the zoning use from one to another, often taking several years. In the meantime, the data sits in electronic and physical form unused, unprotected and vulnerable to theft and misuse.

Does a new owner even have the right to use the customer's data? Is it transferable? New legislation from California under the CCPA gives a glimpse of the future. At the very least, CCPA prohibits “Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” That could spell trouble for both the owner and former owner of the data. Most states have similar versions of CCPA already in process. The likelihood is that we will need to have a much better understanding of the type of data acquired and where that data is located.

Much of the recent wave of property closures leaves owners in doubt regarding the position of the asset itself. Some may choose to have the property remain a hotel, while others may look to utilize the space in an entirely different manner. A transition from hotel to assisted living, condominium or rental units is not out of the question. Should the old or new owner decide to pursue either of those transition paths, there would be no value to the data whatsoever. At that point there is no financial sense in protecting the data. However, there hopefully is a strong ethical need. Proper disposal of the paper and electronic media found onsite is not a significant expense. The main issue is that few consider the idea, and so fail to include data disposal as a budget line in a renovation plan.

Frank Milia of IT Asset Management Group might have the final answer; if customers with at-risk data are lucky, it comes to him. Milia is a NAID Certified Secure Destruction Specialist and IT Asset Management Group is the final resting place for data assets. Things have been busy as people return to work. “Large customers are reopening their offices with a reduced workforce and are eliminating unneeded hardware,” Milia said. These are customers with data sanitization policies in place who are now sadly responding to the events of the pandemic. “We often serve as a redundancy check for organizations that also have internal teams and policies in place but are required to ensure nothing is overlooked,” he added.

Milia was expecting a boom in liquidations for smaller businesses, which has not yet come. “The last thing on a mom-and-pop business mind is what to do with the data on their computers.” That is exactly the point. IT asset management specializes in sanitizing digital assets such as hard drives, optical disks and magnetic tape.

As discussed in a previous article, there are two methods to destroy data. One method relies on software overwriting the data with a series of zeros and ones, over and over again, to erase all trace of the previous contents. This method leaves the user with essentially a blank hard drive that is both sterile and able to be utilized again. When this is not practical, a physical process utilizing a shredder leaves the user with no physical assets to reuse. “Encryption is generally an acceptable means for protecting unauthorized access to protected data and is essential when transporting data-containing devices for data destruction at a secondary location such as at a disposal vendor,” Milia said. “When drive encryption or other logical and physical security methods are unavailable, I suggest the data controller contracts support to perform erasure or physical media destruction at a controlled site prior to disposal or transfer of the assets.”

So far, we have discussed on-premises assets such as hardware and paper documentation. Cloud or services-based solutions also present a liability. We discussed in earlier articles that data systems can seamlessly store information in multiple locations. The hotel staff is blissfully unaware that the data flow chart stretches at length from local PCs and servers to multiple offsite data centers and cloud-based applications. The pandemic has pushed people to work remotely more than ever, with little supervision. The remote machines that access that data and the local security processes uncomfortably stretch the protocols organizations had created. Organizations need to address the issue of saving customer data in any format, particularly on non-company-owned machines. This would need to be the focus of another article; for our discussion, it is enough to illustrate that valuable data is very portable at times, too.

Hopefully, everyone is familiar with cloud storage principles just from everyday personal use. Programs by Dropbox, Google, Microsoft, and a host of others create a local directory that continuously synchronizes with a storage cloud. The user can access data either locally on the machine or via a portal and the stored cloud file. There are enterprise-specific applications as well as in-house developed implementations, which fulfill individual needs.

We have all been told the unwelcome news: nothing ever dies on the Internet; it is there forever. Happy to report, that is not the case here! All businesses are obviously driven by the bottom line and focus on reducing cost. Each byte of stored data on a cloud-based storage solution has some minute cost that is borne by the operator and passed along in some form to the consumer. It is in the cloud company’s interest to eliminate as much abandoned data as possible to increase profitability. The contract with the end user probably contained some limitations as to how long data is retained at the end of the contract. Once the consumer stops paying for the service, the data is freed and deleted, and the space is used again by the next customer. Microsoft, for instance, states that data is deleted, or in its term ‘deprovisioned’, 90 days after a subscription expires. I can confirm that occurs even with customers in good standing that have deleted individual former employee accounts. Once your data hits 91 days, it is gone forever.

Many businesses use nearly ubiquitous cloud-based applications to run business functions. These functions move from client-side processing using servers stuffed in a closet to huge data centers hosted off site relative to the customer. These Software as a Service (SaaS) providers are rapidly replacing the need to maintain onsite equipment. In hospitality, we see healthy vendor lists of SaaS that include former onsite applications such as property management systems, point of sale, customer relationship management and accounting suites. SaaS providers are well versed in the processing, storage and security of data on an international scale. The General Data Protection Regulation (GDPR) is certainly a component of their business plans and operations. GDPR is a fascinating subject but beyond the scope of our discussion here. The key thought, though, is that all cloud service providers have certain potentially financially damaging obligations, even as a data processor of their customers’ data.

As previously discussed in relation to the cloud-based storage solution, data has at least a minimal cost to retain. However, the financial impact of dealing with data loss is exponential and significant, especially for archived data that would have no active customer value. The mantra in terms of data storage is always “keep only what you legally need to.” The benefits of that wisdom in the event of a data breach will become more than evident very quickly.

There is no hard and fast rule that governs SaaS data retention. You should check with your customer service representatives and review your contracts for more detail. Familiarize yourself now with how data is being stored and when it will be deprovisioned. This information is important not only in terms of deleting but also for archival purposes. Better to know now than scramble to find an answer later.

Unfortunately, the likelihood of needing to know, and having a plan in place, becomes more important every day. Even healthy businesses are feeling the weight of downsizing their data environments. Frank Milia is happy about how busy he has been with his large customers, which would be predictable given the cycle. He explains, “Data sanitization is normal as part of a CAPEX and replacement cycle.” He is still concerned and said, “Mom and pops just don’t have the focus.”

It is easy to empathize with them after they have spent likely years of work building and maintaining a business, only to watch it rapidly come to a halt. Given the murky legal cloud of data possession, Greg Duff thinks future tests will be ongoing for some time. “I could reasonably see a regulator determining that as part of a business wind down, data acquired and maintained with reasonable security cannot be simply thrown out.” The results of such actions would damage the reputations of both the former owner and last custodian.

Dr. Wise feels that data has an even more important role for new and existing businesses. “Really what we describe is an ongoing fiduciary role in securing customer data.” While Turnbull Capital Group does extensive preparatory and due diligence work for every aspect of a funding opportunity, the role of data will certainly factor in more and more. “One could almost see it as an environmental responsibility that could go back several owners.”

The rate and scale of business closures will likely add to the risk of customer data exposure. To summarize a feeling that most of our experts share, Dr. Wise delivers this chilling portent of things to come. “I am busier now 6 days a week, than at any time in my career. There is an incoming tsunami out there, and it hasn’t even reached the beach yet.”

In our next series, we will deal with things you can do to minimize data loss and secure the data you have. If you are part of that tsunami, brace yourself and consider the upcoming recommendations to help you ride out the storm.