Skip to main content

Open for Business, Open for a Data Breach?

The hospitality industry is opening back up, but so are the opportunities for data breaches.
a close up of a computer
Advertisement - article continues below

As more vaccines continue to roll out, people are hopeful to take that summer vacation they have postponed over the past year, and as we approach warmer months, the hospitality industry will begin to ramp up as people conduct their own “staycations.” This may mean increased business activity for the hospitality sector, but it also means an influx of additional personal data to be processed, stored and handled. Below are some of the top compliance concerns your sector should be preparing for now.

Accommodation Providers

Although the California Consumer Privacy Act (CCPA) and Virginia's Consumer Data Protection Act (CDPA) are likely to primarily affect large hotel and resort chains, it is still valuable for smaller hotels, and especially lodging sites like airbnb and Vrbo, to recognize their status with CCPA and CDPA compliance.

Both laws are intended to protect the personal data rights of their residents.

California’s CCPA applies to any company that:

  • Have a gross annual revenue in excess of $25 million.
  • Annually buy, receive, or share for commercial purposes or sell personal information of 50,000 or more Californian consumers, devices, or households.
  • Additional requirements exist if you are in the business of selling personal information.


Virginia’s CDPA applies to companies that:

  • Conduct business in Virginia or produces and sell products that target Virginia residents and does at least one of the following:
  • Control or processes the personal data of 100,000 consumers during a calendar year
  • Control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

Keep in mind that CCPA will be replaced by the CPRA in 2023, and Virginia’s CDPA is slated to be effective in January 2023, but until then, organizations must still remain compliant with the CCPA. Complying with both laws now will set your organization up for success in the future and with additional compliance legislation mentioned below.



PCI DSS applies to all organizations, regardless of size, if they accept, transmit, or store payment card data issued by the major payment card brands which include Visa, Mastercard, American Express, Diners Club, Discovery or JCB cards. There are four levels of PCI compliance that are aligned across the different payment brands. Visa, being the largest of the brands offers the following reference for determining the level of PCI compliance required:

  • Merchant Level 1: Any merchant processing over 6M Visa transactions per year, and any merchant that Visa determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
  • Merchant Level 2: Any merchant processing 1M to 6M Visa transactions per year.
  • Merchant Level 3: Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
  • Merchant Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year and all other merchants processing up to 1M Visa transactions per year.


With the uptick in passengers flying since 2020’s lockdown, we can expect to see new targeted data breaches for airlines and their processing systems, including third-parties who support the industry. SITA, a multinational aviation industry IT supplier (one of the world’s largest), confirmed it was the victim of a security breach in February. The data of passengers stored on servers located in Georgia were impacted, highlighting the ongoing need for airlines to have a strong awareness and validate data security controls of all of their data they store both in-house and with third-party service providers. Airlines and their third-parties should also validate their PCI DSS compliance given the increased transaction volumes. Conducting ongoing and automated personal data audits and having specialized staff responsible for compliance concerns and vulnerabilities are essential for the industry.


GDPR for All

One compliance law that all hospitality businesses need to comply with is the GDPR. This law applies to any company which offers services and products to EU citizens and thus handles their data. The United States stands as one of the top tourism destinations for EU residents from countries like Great Britain, France and Italy, making this law even more imperative to comply with.

Privacy laws offer a valuable motivation for organizations in the hospitality industry to ensure data security is prioritized. Organizations can face severe financial penalties for violating compliance and even more harmful reputational damage for their brand.

Protecting the data you store is not only good for business long term, it’s good for your customer too and delivers on the trust they placed in you when they provided their personal data with the expectation that it will be protected with the highest standard of care and responsibility.

a man wearing a suit and tie smiling and looking at the camera
Stephen Cavey

About the Author

Stephen Cavey is a co-founder of Ground Labs, a global team empowering its customers to discover, identify and secure sensitive data across their organizations. As the Chief Evangelist, he leads its worldwide product development, sales and marketing and business operations and was instrumental in extending Ground Labs’ presence with enterprise customers. He has deep security domain expertise with a focus on electronic payments and data security compliance.

This ad will auto-close in 10 seconds