Rising to the challenge: privacy and cyber security within the hotel sector

UK businesses will have until May 2018 to comply with the EU General Data Protection Regulation (GDPR) or potentially face fines of up to 4% of annual turnover or €20 million. Hotel owners need to ensure that their IT directors or managers are fully up to speed so that their operations are compliant.

New technology continues to drive change in the hotel sector. It affects the customer experience in multiple ways, from the process for making hotel reservations, through to check-in.

Alongside the efficiency benefits for customers and hotel owners alike, technology also brings new challenges. Firstly, hotel owners must make sure they address their customers’ privacy rights and hold their data securely. Secondly, they must face up to the cyber security threat and take protective action.

Privacy and data protection

Privacy and data protection is a serious issue for the hotel sector, as illustrated by a number of high-profile data breaches reported in the press. Organisations recently affected include the Hilton, Trump and Hyatt hotel groups. Whilst incidents involving large hotel groups are most likely to reach the press, data breaches can happen in any hotel, regardless of size. If management and owners are not taking appropriate protective steps, a data breach is more than likely to occur at some point.

So why are hotels targeted? This is largely due to the types of information they hold about their customers. A standard data set within a hotel database typically contains names, addresses, dates of birth and credit card details. All of this information can be used to carry out identity or credit card fraud.

Clients trust hotels to look after their personal data so that it remains private and never ends up in the wrong hands. So what can hotels do to ensure that the data they hold is protected and used in the correct way?

All UK organisations should be aware of the Data Protection Act 1998 (DPA), which defines UK law on the processing of data and governs the protection of personal data. The DPA contains eight principles that all organisations should be following. Failure to adhere to the DPA principles significantly increases the likelihood of a hotel suffering a data breach, which in turn could lead to loss of revenues and financial penalties issued by the Information Commissioner’s Office. Perhaps most importantly for hotel operators and owners, a data breach could also result in a loss of reputation when news of the data breach reaches the public domain.

Organisations with operations outside the UK but within the European Union should be aware of the Data Protection Directive, adopted in 1995 to regulate the processing of data within the EU. However, this is soon to be replaced by the EU GDPR, widely dubbed the “biggest shake up of data protection laws for 20 years”. This is designed to strengthen and unify data protection for individuals within the EU with the primary objective of giving citizens back the control of their personal data. It also aims to simplify the regulatory environment for international business.

UK businesses will have until May 2018 to comply with the GDPR or potentially face fines of up to 4% of annual turnover or €20 million. Hotel owners need to ensure that their IT directors or managers are fully up to speed so that their operations are compliant. Of course, there are no guarantees that the UK will still be in the EU in 2018, and if the UK does leave the EU, it is unclear what would happen to UK regulation around privacy and data protection. However, it seems likely that the UK regulations would still be updated to bring them in line with EU requirements.

Cyber security

Cyber security concerns the protection of information systems from theft or damage to the hardware, software and the information on them. It also includes protection from disruption or misdirection of the services that the information systems provide.

Hotel owners that take the recommended steps to protect themselves from data breaches should also reduce their risk of cyber security threats. Of course, the threat will never be diminished entirely – cyber criminals nowadays are becoming much more able to break through any security defence that organisations put around their systems. It is also worth noting that cyber threats are not just external, but are just as likely to originate from an internal source. Management teams need to ensure they are taking action to protect their organisation from threats from all sources.

Unfortunately, understanding of cyber security threats is poor in many sectors, including hotels. Management teams can underestimate the risks they face, and so fail to ensure that adequate controls and governance processes are in place. They may also overlook the importance of preparing for a cyber breach and understanding how to respond if the worst does happen.

Once hotel owners understand the extent of the threat, they need to ensure that fully documented policies and procedures are in place that owners, key management individuals and hotel employees must follow as part of their employment terms and conditions. Applying the Information Security Management standard (ISO27001) should enable organisations to ensure that all requirements are covered. To maintain security over time, documented policies and procedures need ongoing management. Employees need appropriate training so that they understand the importance of following guidelines and company policies, as well as how to spot a potential cyber breach. Organisations should also consider the need to obtain an assurance report on the controls included within documented policies. This can provide valuable reassurance that everything is operating as it should.

What next?

All sectors are undergoing major technological change, and the hotel sector is no different. In fact, given the type of data that hotels hold, they may be a particularly attractive target for fraudsters and cyber criminals. IT is also so widely used across hotel operations that the criminally minded have multiple avenues open for mounting cyber attacks.

Hotel owners must protect themselves by ensuring they are adequately informed and insured, and that they have the necessary governance procedures in place. Action is essential to reduce the risk of a serious attack that threatens the future viability of their business.