HOUSTON—The hospitality sector is being increasingly targeted by hackers, lawyer Doug Meal said during a breakout session at last week’s Hospitality Law Conference. Information security officials need to know how best to keep their guests’ data secure, and how to respond if a breach occurs.
“Virtually every company in the world … is susceptible to a data security breach,” Meal, a partner at Ropes & Gray, said.
Meal, citing statistics from Verizon Business and the United States Secret Service, said data breaches at hospitality-related businesses account for as much as 40% of all data security breaches. “Hackers want information they can monetize,” he said. “The most easy to monetize is credit card information.”
Such breaches can be incredibly costly for businesses, as much as US$214 for each record breached. This means that if a hacker attack is not immediately detected, the total cost to the company can be in the millions.
Pre-breach measures
With that as a backdrop, Meal outlined some common mistakes companies make that create a business ripe for hacking.
• Insufficient data security: “This is the case in almost every case,” he said. Hospitality-related businesses should ensure there are systems in place that will go into effect in the event of data loss.
• Overreliance on third parties: According to Verizon Business, 20% of companies that get hacked are given a clean bill of health by third-party data security consultants. While it’s important to use these consultants, companies must be diligent in self-checking, too, Meal said.
• Don’t brag about your information security prowess: “It’s the classic ‘No good deed goes unpunished,’” Meal said. Touting your IS strength in corporate collateral could come back to haunt you if your company is hacked and those who lose their data take you to court.
• Bad incident reporting standards: The time after a hack is chaotic, and the more time a company wastes in trying to figure out what to do, the more costly the breach becomes.
Post-breach measures
If the worst-case scenario occurs and a company becomes the victim of a data security breach, Meal said there are measures that should be enacted.
• Don’t go into denial: If you are alerted by a credit or debit card company that you might have been breached, don’t go into denial about it, Meal said. “A significant amount of time clicks off,” he said. In his experience, he has not seen a situation where a card brand has been wrong about a possible breach, so take such warnings seriously, he added.
• Be careful what you say: Contrary to what a public relations company might advise, it might be best to stay quiet following a data security loss, Meal said. If you are unsure who has been affected, stay quiet. Notifying too many people that their data might have been lost will only serve to widen the pool of a potential class action lawsuit against your company.
In the event an information security issue arises, the company’s management will need to be able to think quickly on their feet, he said.
“The time pressure is enormous,” Meal said. “Decisions that would take weeks or months need to be made in hours.”