Cyber and data security in the hotel industry

Start adding items to your reading lists:
Save this item to:
This item has been saved to your reading list.

The shifting paradigm

In the Digital Era, technology is everywhere; people can connect to your company, your employees, customers, providers and competitors through laptops, smartphones and even wearable devices. We rely on connected technology for the safe operations of our energy, utilities, transport, healthcare, government and financial systems.

The Digital Era: ubiquitous data, everyone and everything online, greater connectivity, porous perimeters and external drivers.

With increasing reliance comes increasing risk, many of which are outside the Enterprise’s control.

Cyber Security and Data Privacy risks in the hotel sector

1. Awareness levels about cyber security and data privacy issues are rising

The simple truth is that cyber security and data privacy problems can be big news and newsworthiness drives awareness levels. The public, law makers, regulators and judges are all sighted on the risks. These people provide “adverse scrutiny” to entities when things go wrong and they are fully aware of the fact that some of the world’s biggest, richest and more powerful entities have been humbled by poor approaches to security and privacy.

Awareness levels are only going one way and we are rapidly approaching a tipping point, when entities realise that they have no choice: they have to do much more to tackle the security and cyber risks they face and to live up to the expectations that society places in them. If the full roll call of entities that have been humbled in the news is considered, the conclusion seems to be obvious: security and privacy issues are not being accorded the priority they deserve.

View more

2. Hotels are already in the spotlight due to high profile breaches

2015 was a really bad year for the hotel industry globally. Cyber and data security emerged to prominence as a massive risk area, due to a series of high profile breaches affecting payment cards. Just before Christmas 2015 the Federal Trade Commission in the United States concluded long running proceedings against a hotel. This case has established a need for the development of comprehensive information security programmes, annual security audit cycles and post-incident investigations in the hotel sector. Looking at this from the customer’s side, security experts are now advising travellers to be on heightened alert when using hotels.

Hotels have been propelled to the forefront of the mind and it is inevitable that this will play out in further legal and regulatory problems over time.

View more

3. Trust, confidence and brand put at risk

Legal and regulatory problems bring their own special range of issues. Locking horns with regulators, litigants and judges is the last thing that business needs. Judicial and Regulator design of business models has to be avoided at all costs. In landmark EU litigation in 2014, the way global web search operates in Europe was redesigned by the European Court of Justice, in a case that has delivered into law the so-called “right to be forgotten”. The security of mobile phone operating systems has just been re-designed by a District Court in Los Angeles, massively inflaming the passions of the technology sector and security experts alike. But legal and regulatory problems are just one arc of the consequences of bad security and privacy. Businesses need to think about trust, confidence and brand health and reputation.

These points are commonly understood, but some business people point to share prices, saying that prices don’t dip much, or for long, after big security and privacy problems. That may be the case at the moment, but the absence of share price volatility does not mean that value is not being eroded. Moreover, if share prices do not dip, that points to another problem, namely defects in market behaviour.

That is a dangerous place to go, because the classic response to market imperfection is the expansion of regulation: regulation is seen as the antidote to market imperfection.

Businesses that trumpet the share price issue, merely bring-on the risk of more red tape and bureaucracy, as well as serious penalties and sanctions risk.

Trust, confidence and brand health may operate in a different timeframe to share prices. The absence of share price volatility does not mean that trust, confidence and brand health are not being eroded. If that is true, then the logic points, perhaps, to a convergence in the future of value erosion. Entities that are damaging their trust, confidence and brand health today may pay in share price in the future. In other words, suffering security and privacy failure might be like a cancer, where the harm is hidden from view until it is too late. This returns the focus to legal risk.

View more

4. The legal risks are significant

The EU will soon adopt the General Data Protection Regulation (GDPR).

This is a landmark piece of legislation that will radically change our perceptions on how personal data should be handled in business. The GDPR will also have global effect. This is not just law-making for the inside of Europe’s borders.

The purpose of the GDPR is to put people back in control of their personal information and to improve how entities look after personal information while it is in their custody.

View more

5. Hotels need a vision for security and privacy

There is much more to security and privacy than compliance and risk.

There is also the economic interest in gaining commercial advantages from the use of personal data. Gaining better customer insights and providing them with personalised services are now recognised by many in the hotel industry as core business goals.

In order to properly bring together the interests of economic advantage, risk management and compliance with legal obligations, entities need to develop an appropriate Vision for their desired end state. That Vision will take account of the entity’s “special characteristics” and the points of view of all necessary stakeholders. Once a Vision has been set, a strategy to deliver the Vision can be developed and appropriate structures can be put in place.

When the lessons of failure are examined (failure of data handling projects, such as Single Customer View systems, and failure in the sense of security and privacy breaches), it becomes obvious that the absence of an appropriate Vision is at root cause.

People responsible for security and privacy in hotels ought to ask themselves whether their entities have appropriate Visions for desired end states. If not, they should bring together the stakeholders to discuss ways to take things forward.

View more

Contact us

Steve Drake

Partner, Capital Markets, PwC Middle East

Tel: +971 4 304 3421

Follow us