The recent Marriott International data breach affecting about 5.2 million guests, and the one disclosed just one year before it, show how the connection between California Consumer Privacy Act (CCPA) compliance and cybersecurity can profoundly impact businesses in the hospitality sector. Under CCPA, Marriott could face breach-related fines totaling $750 per victim. With the Attorney General (AG) starting enforcement in July 2020, hospitality sector businesses must have solutions implemented and working.
CCPA requires that covered businesses put mechanisms in place for consumers' right to access, delete, and opt out, along with the other requirements of the California privacy law. Civil penalties from the AG start at $2,500 per violation and rise to $7,500 if the violation is deemed intentional. Multiplied across thousands of customers affected by the same violation, this can add up to an astronomical collective fine. This creates a complex web of changes for hospitality sector businesses like hotels and restaurants involving:
- Data collection/retention development policies and technologies
- Internal and external access policies
- Breach notification policies and audits
- Mobile and website updates
- Cloud strategy integration
- Crucial workflow and systems creation for managing data rights requests
- Wi-Fi networks, application access, guest booking systems and records integration
The result is a heavy burden of process, policy and technology implementation to meet CCPA regulations on top of the cybersecurity needs of data privacy and protection. One reason is that hotels and restaurants often run a mix of legacy and new technologies, which makes updates, data tracking, and security more cumbersome. We can see this in Point of Sale (POS) systems, back-end systems and network integration.
Required changes for CCPA compliance must be transparent to end users in how personally identifiable information (PII) data is routed, stored and accessed for easy removal requests or safeguard auditing. These policies and IT infrastructure changes become even more complicated with hospitality enterprises where individual branches are connected to the organization’s national or international network. This means that guest and patron PII data may be sent to the cloud before ending up in a data center database where other branches have access.
What’s needed is a broader cybersecurity and CCPA compliance data cloud strategy to ensure data safety both locally and beyond the branch’s individual network to the cloud. Data trails may go back years with sensitive payment information, passport data and contact details.
This requires data security and CCPA compliance mechanisms that enable automated requested PII access/retrieval, deletion and customer email verification notice via IT system software and hardware.
Third-party suppliers also present challenges in meeting CCPA requirements where personal data privacy safeguards and CCPA compliance may be unknown. Hospitality businesses must implement protocols and systems for consistent monitoring and audits of a supplier’s security and CCPA compliance measures. The overall task of meeting CCPA requirements may seem large, but a holistic approach can make reaching that goal cost-effective and easier.
Steps to CCPA Compliance for Hospitality Businesses
There are several practical steps that hotels and restaurants should include in their CCPA strategy to meet compliance and guard against violations:
- Understand the CCPA requirements and determine how they apply to your business. This should form the basis of your plan and its execution.
- Establish a cross-functional team with clear, attainable goals that will align with your organization’s budget.
- Make security updates and conduct an assessment of your IT infrastructure.
- Maintain a data collection document that gives clear visibility into how data is stored and processed for further use, and educate staff on this document.
- Revise the policies and terms and conditions of your website as per the CCPA regulations (personal data opt-out and opt-in links across digital access points).
- Implement user identity verification methodologies for change, move or deletion requests.
- Develop CCPA compliance guidelines, monitoring and system checks for partners and third-party suppliers/vendors that go beyond opt-in/opt-out software facilitation.
Staff education and preparation on handling queries and processes for customers asking how their data is used and the process for deletion requests is paramount. This requires development of IT infrastructure through cloud-based applications to make this a seamless process for identifying client records, deleting the specific information and providing the customer with confirmation, which is all required by CCPA.
Reviewing and monitoring the plan is crucial to dealing with CCPA compliance changes and needed evolution. Having a cybersecurity/privacy consulting partner can help in providing end-to-end project progress and effectiveness measurement, which enables:
- Corrective revisions when warranted
- Avoidance of enforcement actions
- Risk mitigation of private actions (legal actions from individuals)
CCPA compliance regulations and cybersecurity awareness are linked for hospitality businesses in the digital age, where data privacy and protection define business success. Enabling that success relies on data and security policy awareness for end users and employees, backed by strategic technology implementations. Only a holistic integration of people, processes and technology can mitigate breaches and data loss alongside CCPA compliance.