Data security has risen to the top of board agendas in the hospitality industry. A recent survey conducted by Verizon of the data breaches and network attacks occurring in 2012 demonstrates that the retail and restaurants industry ranked second in the percentage of overall data breach incidents, accounting for 24% of all breaches. Philip James, Joint Head of Technology and Partner at Pitmans reviews the relevant legal considerations for effectively managing your customers’ data through technology and some preventative measures for stopping cyber-crime.
Hotels and restaurants have always been targets for fraud; the industry’s widespread use of point-of-sale systems, complex supply chains, transient guests, high transaction volumes, loyalty programmes, and marketing and reservation databases make hospitality businesses a prime target for hackers and criminals.
Back to basics
The relevant legislation governing the safeguarding and processing of customers’ personal data is the Data Protection Act (DPA). ‘Personal data’ means information which identifies any living individual or can, with other information held by you, identify any individual.
‘Processing’ of personal data means obtaining, recording or holding the information. As a business, you will be handling the personal information of your employees, suppliers and/or customers, so it is likely that your activities are caught by the provisions of the DPA. If you are a ‘data controller’ under the Act and fail to notify the Information Commissioner of your organisation’s processing, your directors may be criminally liable for that failure.
Under the DPA, personal data must be (amongst other things):
- fairly and lawfully processed;
- adequate, relevant and not excessive;
- processed in line with the rights of the individual;
- kept secure (the 7th principle); and
- not transferred to countries outside the EEA unless adequately protected (the 8th principle).
Non-compliance can result in an enforcement notice preventing your business from processing data, effectively preventing many businesses from operating. Furthermore, the officers of your company, the managers and directors, can be held personally criminally liable for non-compliance.
From a corporate law perspective, directors may be found to have breached their duties as company directors where they have failed to address a known risk or vulnerability; in the event of an incident, with the resulting damage to reputation and fall in share price, it is not unlikely that an institutional investor will seek redress for a company’s failure to keep its information assets secure.
On the other side of the coin, where an organisation is considering installing CCTV or other means of monitoring facilities, managing security and improving services within its premises (e.g. casinos, lobbies), it will be important to consider and implement appropriate measures to balance the benefits and risks of deploying such technology. It is also unlawful not to (a) conduct reasonable due diligence before appointing a supplier who may handle personal data; and (b) have a written contract in place requiring that supplier to keep personal data secure and to process it only in accordance with your instructions. Common failures in this area relate to outsourced SaaS (software as a service) platforms and cloud solutions. Portability of your data on exit, and its transition to a new supplier, remains a key consideration.
Operators should establish data protection and social media policies to ensure that legal obligations are met. This policy should take into account the particular personal information needs of the business as well as the way it processes this information. The policy should also address areas where personal and sensitive data might inadvertently leak in contravention of your obligation under the law.
The law aside, it also makes good business sense to have a policy as:
- Keeping the information you have about your customers secure will help protect your and their information;
- Sending out a mailing from incorrect or out-of-date records could not only annoy your customers but also waste your time and money;
- Good information handling can improve your business’s reputation by increasing customer and employee confidence in you;
- Good information handling should also reduce the risk of a complaint being made against you; and
- It acts as guidance for employees as to how to use social media responsibly and effectively.
Every day individuals contact the Information Commissioner to enquire about the way their information is handled. The Information Commissioner can also be asked to assess whether particular processing is likely or unlikely to comply with the Act.
Problems resulting in data being hacked can be as simple as a failure to change the default password on wireless point-of-sale handsets or a failure to implement a firewall. Verizon reported that 97% of breaches were avoidable through simple or intermediate controls. The risk management message appears to be that, predominantly through lack of awareness, small companies are failing to take low-cost, and often rudimentary, steps to protect themselves and their customers.
For instance, in 2008 a series of hacking attacks took place on hotels in the US, which led to IT security companies warning British hotels to step up security on their Wi-Fi servers. In this case the hacker accessed personal emails through the hotel’s Wi-Fi system, which was left running on an open network, leaving several hotels in the chain facing lawsuits. Many hotels and restaurants leave their networks open for guests to use, which potentially leaves their systems open to hacker incursions. A simple preventative measure of protecting the network with a password handed out to guests at reception, and changed frequently, would have prevented such an attack from occurring.
Other measures to ensure compliance with the DPA and to limit the possibility of cyber-attacks are to:
- Ensure your organisation is notified with the Information Commissioner;
- Review, or write, your data protection and social media policies;
- Ensure that you hold no more personal information than is necessary for the business activities that you perform, and eliminate any unnecessary data. Establish procedures for staff to follow when processing personal data (important, as ‘due diligence’ may be required as a defence in the event of a complaint brought against you);
- Train, and regularly refresh, all your staff in best practice under your policy. Lack of awareness of the dangers posed by cyber security remains a major threat, particularly amongst smaller organisations. The paradox is that the implications for these organisations in terms of reputational damage and liability are severe and in some cases can threaten their very survival;
- Put in place contracts with suppliers, and conduct due diligence with suppliers, to assist in the protection of information assets;
- Check your insurance and evaluate your risk of suffering a security incident, and ensure that continuing investment is made in cyber security;
- Encrypt or anonymise data (the Information Commissioner has very useful guidance in this regard); and
- Ensure Wi-Fi networks are password protected and that such passwords are changed on a regular basis.
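The checklist above asks operators to hold no more personal data than necessary and to encrypt or anonymise what they keep. The following is an added illustration of one practical way to do the second of these for a loyalty or marketing database; it is not code from the article or from Pitmans, and the guest records, the field names and the key are constructed for the example. It strips the direct identifiers (name, email) from each record and replaces them with a keyed token (HMAC-SHA256), so that spend can still be analysed per guest while the stored records no longer identify anyone without the separately held key.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample guest records for the example (not real customer data).
SAMPLE_GUESTS = [
    {"name": "Alice Example", "email": "Alice@example.com", "room": 212, "spend_gbp": 340.50},
    {"name": "Bob Example", "email": "bob@example.com", "room": 305, "spend_gbp": 120.00},
    {"name": "Alice Example", "email": "alice@example.com", "room": 212, "spend_gbp": 55.25},
]

# Fields that directly identify a living individual and must not reach the
# analytics copy of the data. Field names are assumptions for this example.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash of an identifier.

    The same email always yields the same token (so records for one guest can
    be linked), but the token cannot be turned back into the email without the
    key. Normalising case and whitespace stops 'Alice@' and 'alice@' splitting
    one guest into two tokens.
    """
    normalised = value.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalised, hashlib.sha256).hexdigest()
    return digest[:16]  # truncated for readability; still 64 bits of token


def pseudonymise(record: dict, key: bytes) -> dict:
    """Return a copy of the record with direct identifiers removed and a
    guest token added. The original record is not modified."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["guest_token"] = pseudonym(record["email"], key)
    return out


def pseudonymise_all(records: list, key: bytes) -> list:
    return [pseudonymise(r, key) for r in records]


def spend_per_guest(pseudonymised: list) -> dict:
    """Example of analysis that still works on the pseudonymised copy:
    total spend per guest token."""
    totals = defaultdict(float)
    for r in pseudonymised:
        totals[r["guest_token"]] += r["spend_gbp"]
    return dict(totals)


if __name__ == "__main__":
    # In practice the key is a secret held apart from the data store (for
    # example in a secrets manager). A constructed key is used here.
    demo_key = b"constructed-demo-key-not-for-production"
    safe_copy = pseudonymise_all(SAMPLE_GUESTS, demo_key)
    for row in safe_copy:
        print(row)
    print(spend_per_guest(safe_copy))
```

Two design points are worth noting. First, this is pseudonymisation rather than full anonymisation: whoever holds the key can regenerate a guest's token from their email, so the key must be protected and kept away from the analytics copy. Second, deleting the key is what turns the copy into effectively anonymous data, which is a useful step when a retention period ends and the records are no longer needed for the purpose they were collected for.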