Listen to the full “Data Security: Compliance and Enforcement in the Hospitality Industry” webcast. The on-demand webcast is available online through January 31, 2013.

What are the data breach risks that are of the most concern to the hospitality industry?

Boyle: External risks, which are "bad" guys coming in and trying to get things. Internal risks, which are people figuring they can do damage by pushing confidential information out or using it to the disadvantage of the organization. And, one of the biggest risks that we see is just plain old human error; people make mistakes. In fact, breaches overwhelmingly result from failure to implement basic or intermediate security controls across a network or across a linked network of affiliated entities.

What is the US Federal Trade Commission’s (FTC) jurisdictional authority and what enforcement tools do they have available when it comes to data security?

Archie: In the data security area there are no federal laws or regulations that specifically articulate standards for disclosure or care in connection with a breach. What the FTC instead hangs its hat on is the very general prohibition in Section 5 of the FTC Act prohibiting entities that are engaged in interstate commerce from engaging in unfair or deceptive acts or practices. Each of those words, unfair and deceptive, has a distinct body of common law that has built up through consent decrees, complaints and some litigated court cases.

Typically, in the data security area, the FTC has been going after conduct it deems deceptive, meaning misleading statements have been made to the public about how consumer data is secured. Unfair is another prong of authority that they have, but they don’t use it very often because it’s more nuanced and requires some balancing.  The Wyndham Hotel complaint has received a lot of attention from the bar and commentators because the agency expressly added factual allegations and legal claims that Wyndham’s practices were not only deceptive, but also unfair.

What is the current state of data regulations in the EU?

Crawford: The situation in the EU is very different, or at least the framework looks very different. Essentially we have a directive, which is legislation at a European level. That itself is not binding on each of the member states. Each country has to then implement those rules into its national legislation and there can be some quite significant differences in both how it’s implemented and also how the regulator in each country looks at it in terms of enforcement. What we don’t have currently, which the US does have, are uniform data breach laws. We do have them in the communications sector. They apply to all providers of public communications services, but we don’t have them for all business sectors. What we do have are data privacy rules, which do apply to all sectors and all types of information. The lack of uniformity is due to change when new EU rules are introduced in the next few years. The proposal is then to introduce data breach rules for all sectors.

What is your advice to companies looking to create information security policies?

Boyle: In my work I see lots of people who want to just go pull privacy policies, terms of use, or their information security policies off the shelf and change some names. The problem with this is that it defeats the whole purpose behind trying to do those things. If you go through the process of actually creating an information security policy, what it does is help you identify deficiencies in what you are doing because one of the first steps of creating an information security policy is to identify what it is you do now with respect to security. The other step is to identify what it is you need to secure and what sorts of rules you have to follow with respect to the data you handle. In going through that process, it helps you identify what you need to do. It also helps you identify where your real risks are and where you can get the most bang for your security buck. So there is real value in going through it.  Most importantly, companies need to adopt a comprehensive, cross-functional approach to information security management that extends throughout the company and includes third parties with whom data is shared or stored.