Cybersecurity and the threat of the unknown


When a guest slips and falls in a hotel lobby, operators know what to do. The laws behind safety liability haven’t changed much over the years, but the same can’t be said for cybersecurity. Nick Economidis, errors & omissions underwriter for risk insurance writer Beazley, said hotels often don’t understand they are in trouble when it comes to cybersecurity, and then when it becomes an issue they end up buried under the weight.

“People don’t understand the liability associated with accepting payment cards, and usually sign agreements without looking over them with their lawyer,” Economidis said. “The second mistake they make is failing to call their lawyer when they get a demand under the agreement.”

When a hotel accepts a demand for its purchase reports from a payment card brand, such as Visa or MasterCard, a forensic audit follows if the brand suspects there was a breach, and the hotel is expected to pay for that audit. Even worse, hotels may be forced to pay for the audit without being sued if it was included in their liability agreements. This stems from another major issue with data theft: Hotels are often completely unsure who is liable, and there is no standardized policy that lays out all the requirements.


“Data theft is in the news, so people are more aware of it. But many hotels think if they are compliant [with the Payment Card Industry Data Security Standard] they are in the clear, but a breach is still possible,” said David DeMoss, president of Wakeup Call. 

DeMoss said that PCI compliance is vitally important to protect against hotel liability, but he recommends that operators, especially those in franchises, consult with their lawyer and an IT professional to understand where the real liability falls.

“Liability lies with the data owner, often the hotel operator and in some cases the franchisor,” said Sean Murphy, senior director/VP of the real estate & hospitality practice at Arthur J. Gallagher & Co. “In many cases the [point-of-sale] systems used by hotels don’t tie into the franchisor; instead it falls on the management company.” 

What is more important is that the hotel is prepared for a breach. Murphy says to have a plan, any plan, in place should a data breach occur, and know what sort of policy you bought into ahead of time.

“There are certain products the market has developed to help with these situations,” Murphy said. “Public relations, crisis management, someone to deal with impacted individuals. Your response is key.” 

