Much of the work hoteliers need to do in response to a data breach comes before the breach occurs.
REPORT FROM THE U.S.—A hotel company’s response to a data breach doesn’t begin when it’s discovered. It starts months, or years, before the breach.
The hotel industry has been a popular target of data thieves looking for credit card information and guests’ personal information in recent years. Hoteliers need to prepare themselves for potential attacks on their computer systems as many experts have warned that it’s a matter of when, not if, a breach happens.
“Your first step, hopefully, is to pull out of the drawer the breach protocol your company developed beforehand,” said Robert Braun, partner at Jeffer Mangels Butler & Mitchell. “It’s your list of people to call, who makes up the team. If you don’t, you have to make that up as you go along.”
More and more companies have these plans, he said. While many need to be changed and refined, Braun said it’s a good sign that someone is stopping to think about them beforehand.
A general liability and crime insurance plan excludes cyberattacks and breaches, which can target not just credit card data but personally identifiable information for guests and employees, said Joe DeMontigny, VP of accounting at Peachtree Hotel Group.
Cyber liability insurance has become quite expensive, he said, but the cost can be mitigated somewhat by the company proving it’s in full compliance with the insurance provider’s requirements.
DeMontigny said hoteliers should check when choosing a policy to see if it covers the costs of three things: public notification, a forensic investigation, and governmental and credit card issuer fines and penalties.
“A lot of times, those are excluded from a policy if you’re not compliant,” he said.
It’s also a good idea to have a policy that covers the loss of business as a result of the breach, he said.
Hospitality Ventures Management Group SVP and CFO Maria D’Alessandro said her company’s recent search for a new cyber liability policy underscored the importance of looking at limits and premiums for plans along with endorsements for exclusions.
What set the policy HVMG chose apart from the others was the inclusion of coverage for payment card industry recertification as well as for the PCI fines.
“PCI recertification is important,” she said. “Payment cards have to maintain standards. Through a breach, chances are, you didn’t, so they’ll come after you with fines.”
When searching for an insurance provider, a broker is a must, she said. Risk management can be a full-time job, and D’Alessandro said outsourcing the research for insurance coverage to a broker who is knowledgeable in all aspects of risk management is worth the cost.
With so much focus on a company’s technological ability to withstand online attacks and having a competent IT team, it’s easy to overlook user error on the front lines.
“The best defense against phishing is a healthy dose of skepticism,” said Ted Harrington, executive partner at Independent Security Evaluators, referring to online and phone scams in which an attacker poses as another person to gain information or access to a computer system.
Convincing front-desk associates to be more skeptical can be a difficult task because those employees are, by their very nature, focused on being accommodating and helpful.
“They’re going to be predisposed to performing the actions adversaries want them to, meaning hotel employees are more likely to click a link or open an attachment sent to them if it’s packaged in a way of ‘Can you help me with this?’ from a guest, a superior or a vendor,” he said. “It’s in their nature to help other people, and attackers will take advantage of that.”
Most security training focuses on what employees should and shouldn’t do, Harrington said, but the “what” isn’t as meaningful as the “why.” That means training also should explain how attacks work and how adversaries operate, to illustrate why clicking a link in an email can have serious consequences.
“It’s human nature to perform better at something if you understand the purpose,” he said.
The goal isn’t to eradicate all trust, he said, but to instill a sense of skepticism to allow the front-desk staff to make decisions to accommodate guests while being aware of when someone is trying to take advantage of their hospitality.
“Awareness is the most effective training mechanism,” he said. “You’re trying to help an end user adopt that adversarial mindset, meaning you’re trying to help the end user think about the ways in which they might get attacked. Ultimately, it comes down to empowering end users to be able to make good decisions.”
Employees’ mindsets might also need to change, Harrington said. Security is everyone’s job, but not everyone thinks that way.
“Everyone, even those outside of the technology environment, is responsible for protecting data assets,” he said.
Before that training occurs, hoteliers must vet and choose a company to train their employees. The best trainers are the ones who are engaged every day in looking at how adversaries operate, how systems are broken and how the human element plays a role in the attack, he said. Those who are training-only firms can offer good content and education, he said, but they’re not necessarily watching the evolution of adversarial tools and techniques.
Choosing the forensics team
One of the most critical aspects of choosing a law firm and computer forensic firm to investigate and stop a data breach is to hire them before a breach occurs, said Craig Hoffman, partner at BakerHostetler, so the contracts are already in place and work can begin right away when needed.
The type of forensic firm necessary depends on the size and environment of the hotel company, he said, because the needs of a small hotel group with five or six properties and an outsourced IT department are much different from those of a large national or international corporation.
The investigators should not be the same team who built and installed protections into the networks, he said, as those are two different skill sets.
“You want a firm with a lot of incident response work,” he said.
Some data breach insurance providers can offer recommendations for forensic teams, Hoffman said. They have panels of people who have worked with certain firms and can explain their approach and capabilities.
Sometimes credit card companies have a set list of approved forensic investigators, he said. However, if the breach is a smaller one, perhaps 10,000 cards or fewer, the credit card companies might not require a certain firm. After choosing an investigator, pick a backup firm, he said, because it’s possible the primary team could be working on another case when needed.
The average cost of investigations Hoffman has participated in during the last year came to about $102,000, while the range is commonly between $25,000 and $400,000. The higher end of that range is where national and international operators tend to fit, he said, and it’s rare that the cost is significantly more than $400,000.
There’s a breach, now what?
After pulling out that data breach response plan, Braun said, it’s time to call the company’s attorney who specializes in data breaches to advise the company how to address the breach and meet the legal obligations without creating additional liability.
Following that, it’s time to assemble the rest of the team: the outside forensic investigators; the company’s IT team; the decision-makers, including the property owner, the management company and the brand; the insurance company; and the GMs of affected properties. Breached companies need a coordinated response, Braun said, and what makes hotel responses more challenging is that it’s sometimes difficult to determine who is responsible for what.
After conferring with the company attorney, speak with both the local police department and the FBI, Braun said. There are different levels of expertise in the different jurisdictions, he said, and the local police will write up a report the company can use to make an insurance claim. The FBI will investigate and might have knowledge whether the breach falls into a larger case.
Almost every state in the U.S. and Washington, D.C., has data breach notification requirements, Braun said, and they vary by state. Certain types of breaches that target financial information—like bank account access or credit card numbers—can trigger notification laws. Other times there might be a breach of security but no evidence that any information was compromised or taken from the system, which typically doesn’t require disclosure. In some states, if the information accessed is encrypted, that might preclude disclosure.
“Then you have to decide if you should disclose or wait to see if anything happens,” he said. “It’s just as bad to disclose when it’s not needed as not disclosing.”
Notification is a tremendous expense, Braun said. Public disclosure of a data breach degrades public trust, which means people are less likely to stay at the affected hotel or brand. Disclosing lower-level breaches also sets the stage for having to disclose much more, he said. Sometimes law enforcement won’t want companies to publicly disclose a breach, he said, because it could compromise their investigation.
“If you disclose there was a breach but say no financial information was exfiltrated, then you find out later on it was, which is very much often the case, then you have to make two painful disclosures,” Braun said.