How to implement a cyberattack protection plan
16 MARCH 2015 6:51 AM
Having a data-breach plan in place can help you act quickly, prevent further loss and assist in avoiding hefty fines.
Hospitality has been on the receiving end of several major cyberattacks in recent years.
Hotel cyber criminals are increasingly getting smarter and constantly finding new ways of stealing customer data from hotel websites, systems and front desks.
In the past few years, a slew of hotel chains were the victims of cybersecurity breaches totaling many millions of dollars in losses. In several instances, hackers even installed malicious software on cash registers in order to access thousands of credit and debit cards.
The American Hotel and Lodging Association recently commended President Obama for hosting The White House Summit on Cybersecurity and Consumer Protection. This January, the White House proposed the Personal Data Notification & Protection Act. If passed, this legislation will increase authority for the Federal Trade Commission and subject properties to increasingly rigorous notification requirements in the event of a cyberattack. Further, several different data breach bills are pending before the United States Congress. The passage of a federal law also could result in greater consistency regarding the types of data protected, pre-breach security standards and response and notification requirements.
In this highly complex arena, hoteliers are encouraged to enact extensive security measures that will not only protect their customers’ sensitive data but save them from serious liability as well. These days, every business is a potential target for hackers.
To learn more about how to present data attacks, click here.
To learn more about how to present data attacks, click here.
Ensuring your hotel has an effective incident response plan is of paramount significance. Having a data-breach plan in place can help you act quickly, prevent further loss and assist in avoiding hefty fines. Internal procedures should cover detection, analysis, recovery and post-incident steps.
In order for hoteliers to respond quickly and effectively, assembling a “security incident response team” is critical. Each team member should have a clearly defined role and the ability to execute the plan. This team should not be solely made up of technical support staff. Key decision makers must be included to make high-level decisions regarding costs and procedures in the event of a breach. SIRTs may be comprised of:
- CEO or executive equivalent;
- CFO or equivalent;
- attorney—whether in-house or outside general counsel;
- technical support staff;
- director of security or equivalent; and/or
- director of operations or equivalent.
SIRTs may also include members of corporate communications, compliance and audit and regulatory affairs. It is a best practice that the incident response manager be the person who has the overall responsibility of ensuring implementation, monitoring and enforcement of security policies.
Implementing the plan
Once your SIRT is in place, each member should be tasked with enacting his or her respective parts of the incident response plan. These individuals should be responsible for:
- researching the best security options;
- making pertinent financial decisions;
- facilitating penetration testing;
- receiving information about a potential breach;
- calling appropriate authorities;
- dealing with public relations; and
- ensuring an adequate notification system is created.
Security, with the help of IT, will have a strong hand in stopping a data breach, but working with a reputable forensics firm to lead an investigation after a breach occurs is a best practice. Having an external legal team to help shape your response plan is also fundamental to minimize the risk of litigation and fines. Attorneys specializing in this area know how best to notify affected individuals, media, government agencies and third parties.
Your legal team also will review and stay current with both state and federal laws that govern security requirements in the hospitality industry. If the breach is large enough, having a public relations team on hand that specializes in crisis management to handle information leaks and track media coverage will be vital. Lastly, knowing the appropriate state and federal enforcement officials to contact, including the FBI, will enable a hotel to act quickly post-breach.
Hoteliers should take steps to clearly define employee policies and procedures, including:
- limiting who has access to sensitive information;
- creating protocols for transferring the information;
- making sure off-site technology is secure;
- securing paper files that might include medical information protected by HIPAA; and
- creating a workplace culture with a strong emphasis on privacy and data security.
Additionally, while cyberthreats are traditionally thought of to exist only externally, some do come from within, as insiders know precisely where to obtain financial information. Having strong safeguards in place will lessen the risk of malicious behavior occurring.
It is a common misconception that outsourcing automatically transfers liability for cyber-breaches to the third-party vendor. Hacking incidences involving point-of-sale system breaches have been responsible for millions of dollars in losses. Make certain your hotel not only has indemnification agreements in place with vendors to mitigate liability, but also that the third parties you do business with keep up with the requisite standards to lessen the likelihood of a breach.
Insurance policies are becoming increasingly comprehensive and are often worth the price. Not only do the policies cover certain costs associated with a data breach, but many now include portions of an incident response plan; this is highly beneficial for companies lacking the time or resources to tend to a formal response plan. Hotels should be fully cognizant of what the policy will and will not cover.
The FTC is of the mindset that companies should take reasonable data security measures to protect themselves. When assessing liability, the agency will consider:
- the level of employee training;
- security of system passwords;
- adequate firewalls;
- penetration testing; and
- utilization of an intrusion detection system as well as mobile applications.
Where are we headed?
With technology evolving faster than law, cybercrime is likely to get worse before it gets better.
Experts in the field predict that the slew of high profile data breaches we’ve seen make headlines so far in 2015 will continue through year-end. These incidents will likely lead to more state and federal legislation and force properties to take increased security measures.
Properties implementing best practices today will be significantly advantaged as these requirements are unveiled. As cyberthreats increase, so does the ability to defend against them. Implementing a solid plan to deter a cyber-breach might not only reduce your chances of one taking place, but it will help you to better respond if one occurs.
Lara Shortz is an experienced litigation attorney at the law firm of Michelman & Robinson, LLP, who represents clients in the hospitality, and restaurant, food and beverage industry. Ms. Shortz advises management on state and federal employment acts (such as EEOC, FEHA, ADA, ADEA, WARN, etc.), hiring, firing and wage and hour compliance in the areas of employment law for management. She also handles executive employment contract disputes and conducts workplace training, investigations and compliance.
The opinions expressed in this column do not necessarily reflect the opinions of Hotel News Now or its parent company, STR and its affiliated companies. Columnists published on this site are given the freedom to express views that might be controversial, but our goal is to provoke thought and constructive discussion within our reader community. Please feel free to comment or contact an editor with any questions or concerns.