Data Security and Privacy in Hospitality – Who’s Paying the Bill?
One of the most valuable assets of a hotel brand is information – detailed personal information about guests at their hotels, participants in their loyalty programs, and visitors to their websites. This information allows hotel brands to focus on creating guest loyalty, acquiring potential guests, engaging in effective marketing, expanding market share, and creating properties and services that entice and satisfy hotel guests. Because of this, hotel brands have long contended that they “own” hotel guest data and have unencumbered rights to use it, without respect to the interests of hotel owners and even the guests themselves.
While this attitude may have been correct in the past, the world is changing. The EU’s General Data Protection Regulation, the California Consumer Protection Act, the California Privacy Rights Act, and similar laws throughout the United States and the world have turned this idea on its head. Anyone who collects personal data can do so only with the permission of the individual consumer; brands don’t own the personal information of guests, the guests do, and they are the ones who give the operator, brand or owner the right to collect and use it – and they can limit or revoke that right.
The Traditional View
The traditional view of hotel brands and operators has been to treat data security and data privacy like any other component in the hotel business – a cost that should be assumed by the owner. This is the case even when a hotel owner has no control over operations. Take employment costs as an example – the selection, hiring, training and firing of hotel employees is almost entirely within the control of a hotel manager; all of the costs of employment, however, including liability for claims arising out of an employee’s egregious behavior, are borne by the owner.
Most management agreements state specifically that the manager will bear any of those costs only when the manager itself – not the on-site general manager or another supervisor, but the management company itself – acts with gross negligence or willful misconduct. The manager’s rationale is that this is a cost of doing business; if the manager didn’t undertake employment matters, the owner would, and the owner would bear the cost and responsibility.
Data Privacy and Security is Different
While hotel managers and brands present the same reasons for shifting the financial burden for data privacy and security, the rationale doesn’t hold up.
First, it’s rare that the owner would have any access to the collection or use of a guest’s personal information. Most management agreements specifically state that if an owner does have access to any guest data, the owner can use it only for the purposes of operating the hotel. On the other hand, managers and brands all use guest data for their own purposes, including marketing other properties and services, and the goods and services of affiliated companies and business partners.
Moreover, owners have virtually no control over the collection, storage, use or sharing of guest data. In almost all cases, that is controlled exclusively by the brand or manager, either directly or through third parties, who may not even be known to the owner. Owners should recognize that data collection and use is an enterprise-wide process; managers are the only ones who can implement effective and compliant systems.
The Past is Present
The issue of data security is one that should be front and center for hotel companies. For years, hotel companies have been targeted by hackers and other bad actors, specifically because they hold so much personal information – not just credit card data, but also highly personal information about guests that could lead to further breaches.
In addition to being an attractive target, the structure of hotel firms makes them more vulnerable. As Gallagher (a global leader in insurance, risk management and consulting services) pointed out in its September 2022 Hotel Industry Cyber Update,
“[a] major challenge for hospitality in cyberspace is allowing consumers to have a single access point to roam freely across a property. Third parties often manage restaurants, shops or spas within a hotel, which means systems need to be interconnected and data needs to be shared. . . Hospitality companies face a further challenge when buying and selling properties. The buyer may face difficulties integrating new property management systems, payment terminals or overall cybersecurity strategies. Meanwhile the seller needs to ensure no residual data can come back to hurt them.”
What Can Owners Do?
The challenge to owners is clear – how can the playing field be leveled? While achieving an equitable allocation of risk is a process, there are a number of things owners can and should do:
- Make Sure Your House is in Order. Data privacy and security laws don’t apply solely to the brands and managers; owners are at the core, since they engage brands and managers to collect and process personal information. That means that owners need to consider their own data privacy and security practices, and ensure that they have taken the steps to create a data secure environment and comply with applicable privacy and security laws.
- Make Data Privacy a Core Value for Your Hotel. Adding data privacy and security is a burden to the operation of a hotel, but it pays dividends. DPO Magazine recently reported that consumers expect organizations to respect their privacy concerns and protect their data. Companies that are able to demonstrate data privacy and security are more likely to win loyalty in a competitive world; hotels, which rely on the trust of their guests and are particularly impacted when they are seen as insecure, benefit equally if they do protect guest data.
- Require Brands and Managers to Make Data Privacy a Core Value. Since owners have limited, if any, control over the personal information of guests, owners should clarify in their agreements that this is an obligation of the manager and brand, and that they have an obligation to step forward and ensure, on an enterprise level, that data privacy and security is key. Owners need to make it clear that this focus will benefit not just hotel owners, but the brands themselves, and they should be willing to make the investment and the effort. Ultimately, hotel managers and brands should be held to the same standards as other companies engaged in international business with consumers – including ensuring that their business partners secure the personal information of customers.
The Future
Change is gradual in the hospitality industry, but change in data privacy and security is lightning-fast. All owners should be pushing managers and brands to recognize the cost of non-compliance and the benefits of creating a privacy-focused environment.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.
Further information about cybersecurity issues
If this article was of interest, you may also wish to read other articles by Bob Braun on “Data Technology, Privacy & Security,” which include the following:
- Hotel Data Security Update: Hotels, Hotel Owners and Employee Personal Information
- Why hotels need “visibility” to avoid data privacy liability
- Hotel Data Security: Challenges to Address in 2022
- New Challenges for Hotels: The New California Privacy Rights and Enforcement Act of 2020
- Hotel Managers and Owners Be Warned – You are Responsible for Your Hotel’s Data Security