In the past, we’ve discussed the fact that increasingly more companies are stepping up their efforts to stem cyber attacks and data breaches with preventative measures. Additionally, large and small organizations are realizing the need for Cyber Liability insurance to help protect company assets in the event of a breach. In fact, many in the insurance industry see Cyber Liability or Data Breach coverage becoming what Employment Practices Liability (EPLI) became two decades ago: “a must-have” insurance policy for all types of businesses.
The hotel industry over recent years has experienced its share of data breaches, with Wyndham Worldwide Corporation garnering a great deal of attention after the Federal Trade Commission’s (FTC) sued the hotel and its subsidiaries for alleging violating Section 5 of the FTC Act, which forbids “unfair or deceptive” practices by not maintaining “reasonable and appropriate” data security protections. Wyndham is suing the FTC and in early November in a New Jersey court sought to have the agency’s complaint dismissed. Attorneys for the hotel chain argued that the FTC, which typically polices phony claims about nutritional supplements or credit repair schemes, simply doesn’t have the legal authority to tell companies how they must store customer information online.
“This is not some anti-government polemic,” Wyndham’s lead attorney, Eugene Assaf of Kirkland & Ellis, said at the start of several hours of arguments before the judge. “This is a fair-minded discussion of what they can do around consumer protection as it extends to data security.”
Business groups and others are watching the Wyndham case closely because it could define the scope of the FTC’s authority over corporate cyber security, a significant issue to companies that collect and store sensitive customer information.
Hotels and motels are vulnerable to data breaches, as in addition to having credit card and other financial data on customers, they also have a wide range of other personal data, such as addresses, phone numbers, spending patterns, children’s names and ages along with travel plans, that are increasingly targeted by cyber criminals. According to Trustwave’s 2013 Global Security Report, 9% of all data breaches were in hospitality, making it the third most vulnerable industry.
In response to these increased exposures, hotels and motels are implementing data-security measures that protect guest information at the point of entry. They’re also hiring technology consultants to evaluate a hotel’s security, recommend the best product and help maintain a secure data environment.
Guests are also being educated about data security and the hotel’s privacy policies. Many hotels include a legal privacy statement on the guest registration card as well as on their websites for each hotel they manage.
What’s more, data security training in new employee orientation for all positions is taking place – from the room attendant to the front desk. Some companies provide annual refresher courses, and many also keep copies of all of our security policies on the network so each employee can quickly access the information anytime that they have a question.
These risk management practices are essential as is obtaining Data Breach insurance protection. As a reminder, as part of our comprehensive Hotel Insurance Program, we at IPOA offer EPLI insurance and Data Breach coverage to limited- and full-service hotel clients. As an IPOA agency partner, you can obtain a quick on-line premium indication for your hotel clients by visiting our website. The Data Breach coverage, available with our HotelPro program, includes: breach notification and credit monitoring services with separate coverage limits for third party claims; breach response coverage for forensic and legal assistance, and notification costs; bureau credit monitoring services; and crisis management sublimit for public relations; a separate limit of liability for privacy, network security and media claims; and more. It also includes a $100,000 PCI sublimit.