The Hotel Data Security Problem: Bigger Than Many Think
Social security numbers, birth dates, credit card numbers, CVV codes: Every hospitality organization knows these are key pieces of data that must be kept private and secure. Sometimes they are best not kept at all; card CVV codes, for instance, may not be stored after a payment is authorized under the PCI DSS.
What they may not know is that those pieces of information are just the tip of the iceberg when it comes to sensitive data. In fact, there are some big problems when it comes to the way hotels currently collect and store information about their staff and guests.
1. Combining Guest Identifiers = Rising Privacy Regulations
Hotels store large amounts of guest data, often insecurely, that counts as personally identifiable information (PII) under privacy laws, especially when several identifiers are combined. Under California law, for example, a user name or email address combined with a password that permits access to an online account is personal information. That combination is enough for an attacker to log in to a loyalty account and cash in stolen points. Privacy regulations are on the rise, and a hotel typically must follow the privacy law of the jurisdiction the guest is from, not the one where the hotel is located. Laws outside the United States can be even more restrictive.
2. Multiple Data Centers = Multiple Security Risks
Guest data is strewn across a wide and surprising range of data stores: for example, recorded audio in the call center, on which guests share sensitive data, or faxed copies of reservations made when the digital message failed to send. PII is also passed to partners, where the brand no longer controls it but may still be held responsible for its security, at least in guests' eyes. Employee data is likewise spread across multiple systems.
3. Doubling Down on Data Use = Privacy Violation
Many hotels collect data for one purpose and then use it for another, unwittingly violating privacy laws. One inappropriate use case example: using PII from the VIP room list at an LGBT event held by a group at the hotel to market a Pride weekend promotion to those guests.
Helping hotels understand and address these issues is the goal of a newly formed HTNG PII Workgroup. The workgroup’s co-chairs are two of the industry’s leading data privacy and protection advocates, John Bell of Ajontech, LLC (www.ajontech.com) and Marion Roger of HeR Consulting (www.her-consulting.com).
“The hotel industry is very vulnerable,” Roger says. In hospitality, “we have no HIPAA, but we have as much or more information on guests and employees.”
The industry lacks both a common understanding of what constitutes PII and best practices for safeguarding it, she says.
HTNG Workgroups bring together hoteliers and technology companies to collaborate on effective real-world solutions. Since launching in June, the PII Workgroup has already created a definition of PII in hospitality: any representation of information that permits the identification of an individual, either alone or when combined with other elements.
Now the PII Workgroup is working to collect and categorize identifiers and develop a code of conduct: a set of principles to protect owners and brands, as well as guests and staff, from becoming victims of crimes resulting from stolen PII. A webinar this fall will also cover PII best practices. New Workgroup members are welcome and encouraged: Contact Joe Gallo at [email protected].
Increasing government attention to privacy issues of the type found at hotels is making such work even more urgent. It is common for hotel brands to offer data security assurances on their websites, but if the same security is not provided in the call center, the Federal Trade Commission can treat the gap between the promise and the practice as a deceptive trade practice.
Hotels can’t ignore the growing risk they face by not securing guest and staff data.
“The FTC is looking at privacy promises, and they’re looking at hotels,” Roger says. “If the industry fails to self-regulate, the FTC is prepared to impose its own regulations.”