When a guest slips and falls in a hotel lobby, operators know what to do. The laws behind safety liability haven’t changed much over the years, but the same can’t be said for cybersecurity. Nick Economidis, errors & omissions underwriter for risk insurance writer Beazley, said hotels often don’t understand they are in trouble when it comes to cybersecurity, and then when it becomes an issue they end up buried under the weight.
“People don’t understand the liability associated with accepting payment cards, and usually sign agreements without looking over them with their lawyer,” Economidis said. “The second mistake they make is failing to call their lawyer when they get a demand under the agreement.”
When a hotel accepts a demand for its purchase reports from a payment card brand, such as Visa or MasterCard, a forensic audit follows if the brand suspects there was a breach, and the hotel is expected to pay for that audit. Even worse, hotels may be forced to pay for the audit without being sued if that obligation was included in their liability agreements. This stems from another major issue with data theft: Hotels are often completely unsure who is liable, and there is no standardized policy that lays out all the requirements.
“Data theft is in the news, so people are more aware of it. But many hotels think if they are compliant [with the Payment Card Industry Data Security Standard] they are in the clear, but a breach is still possible,” said David DeMoss, president of Wakeup Call.
DeMoss said that PCI compliance is vitally important to protect against hotel liability, but he recommends that operators, especially those in franchises, consult with their lawyer and an IT professional to understand where the real liability falls.
“Liability lies with the data owner, often the hotel operator and in some cases the franchisor,” said Sean Murphy, senior director/VP of the real estate & hospitality practice at Arthur J. Gallagher & Co. “In many cases the [point-of-sale] systems used by hotels don’t tie into the franchisor; instead it falls on the management company.”
What is more important is that the hotel is prepared for a breach. Murphy says to have a plan, any plan, in place should a data breach occur, and know what sort of policy you bought into ahead of time.
“There are certain products the market has developed to help with these situations,” Murphy said. “Public relations, crisis management, someone to deal with impacted individuals. Your response is key.”