CHICAGO—If credit-card security issues were causing hotel information technology departments to toss and turn through the night, worries about personally identifiable information breaches are keeping them wide awake.
During a recent discussion with IT leaders at LodgeNet’s Customer Technology Symposium, several hotel technology leaders representing brands and hotel owners said security issues are their top concern.
“Wireless, Wi-Fi, high-def—that’s easy stuff, that’s hardware fixable,” said Ken Barnes, VP of IT for White Lodging Services, an owner/operator with 165 hotels either open or under development. “Security is definitely the biggest concern I have on my plate.”
Personally identifiable information (PII) is data that can be used to uniquely identify, contact or locate a single person. As hoteliers increase their focus on loyalty, guest preferences and tailoring the guest experience, exchanging information about the guest is becoming much more prevalent. Hoteliers are aiming to find out more about their customers through social media and customer relationship management, and protecting that information is a serious concern.
“We’re starting to target the customers pre-stay and post-stay. If you’re a golfer, you’re going to get an email about golf. If you travel with your wife and she likes the spa, you’re going to get emails about the spa experience,” said Mark McBeth, VP of information technology at Starwood Hotels & Resorts Worldwide. “The other thing, with all the new above-property or hosted software, there needs to be an exchange of information from the (property-management system), whether it be room number and departure date or some other information.”
McBeth said the risk with a personally identifiable information breach is much greater than that of a payment-card industry breach. A breach of credit-card numbers is serious, he said, but a PII breach could potentially lead to child abduction or a murder.
“PII is considered high-risk because if there were to be a breach, you’re exposing the guest’s identity,” he said. “It paints some pretty scary pictures.”
“It’s sad we live in a world where that is No. 1 because it’s really just a huge distraction from the things we want to do and what the guests want us to do,” added Josh Weiss, VP of brand and guest technology at Hilton Worldwide. “Security keeps me up at night because of what it prevents us from doing, not what it enables us to do.”
McBeth said a handful of high-profile breaches during the past year—including Sony Electronics and marketing and communications vendor Epsilon—have brought personal security issues to the forefront. Consumers are more aware of the dangers and are asking more questions.
Personally, McBeth said he finds himself looking for specific symbols—VeriSign, for example—that let him know certain transaction sites are certified secure. “I sense more and more people are doing that,” he said.
On the business side, there is also increased awareness of security concerns from hotel operators, hotel leadership and even down to the guest service agents, McBeth said. He said the bottom line in assuring operations are secure comes down to money. Compliance is tiered for companies depending on how many transactions are performed per month. Which arm of the hotel—owner, management company, brand—is responsible is continually up for debate. At the property level, compliance can be earned by simply self-assessing, but brands are often required to spend significant funds to hire a third-party auditor.
“Where it has changed for managers, operators, franchisees is not only do cities ask a brand for indemnification, brands are now coming to operators asking for indemnification on data breach security-related items and owners are expecting management companies to indemnify them, etc., etc.,” Barnes of White Lodging said.
“There are companies who have had problems, and they’ve had problems because they haven’t spent the money,” McBeth added. “Some of the things are extremely difficult to do without a third party. If you have limited or no IT staff, you can’t do it.”
McBeth said a lot of what has been done during the past few years to secure the hotel environment for PCI compliance also needs to be done for PII compliance. Maintaining a secure firewall is the first step, but really only the tip of the iceberg. Obtaining the proper controls and deploying the proper measures for compliance is very difficult, he said.
“There really is no gray area with these security issues,” McBeth said. “You’re either secure or you’re not.”
Security requires a partnership between the hotelier and the vendor, but legal responsibility ends up falling on the merchant to secure their information. Service providers to franchisees, as many hotel brands are, must go through even stricter assessments and report compliance on behalf of the franchisees, McBeth said.
“We want to protect the Starwood name by making sure all 542 properties are compliant,” McBeth said, “but it’s tough to do when each hotel is only required to perform a self-assessment.”
Security compliance is difficult because it’s an issue that’s always evolving. What hoteliers learned and understood last year is different today. The goal for brand leaders, they said, is to one day understand the issues so completely that security compliance can become an annual update task.
“Right now we’re spending 40%, 50%, 60% of our time dealing with this,” McBeth said. “We need to get to a point where we’ve got our systems in order and then we need to get into maintenance mode. We ought to be able to scale that work back to 25% or 30% of our time.”
“I don’t think we’re going to have the time we had with PCI,” added Richard Tudgay, VP of technology for Omni Hotels & Resorts. “There’s going to be no luxury with this. It’s just 1) getting my arms around it, and then 2) actually executing on it.”