Facing the Knowledge Gap: Why Hotels Need “Visibility” to Avoid Data Privacy Liability

By Robert E. Braun - Partner, Jeffer Mangels Butler & Mitchell, LLP

10 March 2022

Addressing privacy compliance and cybersecurity is becoming more and more challenging for companies. At least 26 states are considering various kinds of data privacy laws. At the same time, the rate, depth, and impact of ransomware, wiperware and data breaches have become more intense and more expensive, and there is no indication that the trend will end soon. Hotel companies, as holders of significant amounts of personal information and highly dependent on computer networks for daily operations, are particularly at risk in this environment.

A hotel company that seeks to comply with privacy mandates, and to prepare for and defend against a data breach, requires knowledge – it requires visibility.

What does that mean? To achieve visibility, a hotel brand, manager or owner needs to increase its knowledge of key elements of its data infrastructure:

See Your Network

Most hotel executives, other than chief technology officers and chief financial officers, have little knowledge of their network. But understanding what data is stored on the network, how the various parts of the network interact, and who has access to the network (and what kind) is essential to evaluating risks, complying with privacy laws, and preparing for and defending against attacks. This means not only knowing what is supposed to be on the network, but the “silent” nodes as well – things like unused servers and the devices that attach to the network, such as personal laptops, smart phones and tablets. As hotels become increasingly automated – by relying on smartphones to substitute for keys and allowing touchless registration – being able to see the full scope of the network is challenging but essential.

Part of seeing the network also means seeing what is happening on the network. A hotel brand or manager needs to know when there is a threat, where it is, and how to contain it. Simply having firewalls and other endpoint security isn’t enough; it’s too easy for hackers to gain access to the network. Being able to “see” what is happening on the network in real time is what can allow a company to defend itself. Age is good for wine, but not for a breach response. When a breach is in process, speed is essential.

See Your Data

Surprisingly, many hotel companies are not fully aware of the data they collect, save and process – but this is key to complying with data privacy laws. A hotel brand or manager needs to know:

  • What data does it collect?
  • What data does it need to collect?
  • How does it collect data – directly from users, clients, and consumers, or through third parties, such as OTAs and third-party websites?
  • Where does it store the data?
  • How does it use the data it collects – particularly personal information of guests and employees?
  • Who has access to the data?

The GDPR, the CCPA, the Virginia and Colorado privacy laws, the Utah privacy law being considered now, and each other statute currently proposed in the United States require disclosure of each of these factors – and that knowledge is necessary to comply with consumer rights under those laws. A key question is differentiating between the data you collect and the data you need; companies need to recognize that there is no benefit in collecting data that’s not necessary. There is often a sense that “we might want to have this information in the future,” but that rationale does not stand up in today’s environment. Instead of being something of potential future value, collecting, storing, and using data that isn’t necessary for running a hotel business creates liability.

See Your Software

During the past year, understanding the extent of the software a company uses – and the software that its key vendors and partners use – has become increasingly important. The Log4j experience made it clear that if a company doesn’t know the software it relies upon, it cannot take preventative and reactive action to mitigate risks. Companies should create a “Software Bill of Materials,” identifying the software used by or for their business, and should understand how the software is managed, licensed, and supported. The hotel industry is particularly reliant on third-party software, whether it be for property management, reservations, or point of sale operations.

The Log4j issues also emphasized how important it is for companies to consider their use of open-source software. Open-source software is ubiquitous, but it is not always well-managed or updated, and is often overlooked when evaluating a company’s risk profile. Hotel companies need to understand what open-source and other licensed software is embedded into their essential software functions.

See Your Vendors

Hotels have always been aware that vendors provide essential services; they do not, however, always recognize the risks and vulnerability to bad actors those vendors create. Simply stated, when a vendor has access to a hotel network, a hacker can access a hotel’s network through the vendor. The situation is more complicated because vendors rarely act alone – they themselves have vendors, and those vendors have vendors, and so on. Even when a company can achieve a degree of comfort with a direct vendor, it may be difficult, if not impossible, to do the same with the vendor’s vendors, who do not have a direct relationship with the hotel.

The hotel industry can address some of these issues by taking a systematic approach to engaging new vendors and evaluating current vendors. Key steps include:

  • Qualifying vendors by doing a deep dive into their past performance, their privacy and security qualifications, and other key issues.
  • Entering into strong data security agreements, whether as part of a vendor contract or as an addendum.
  • Identifying their key vendors, and at least attempting to obtain similar information about those subvendors.
  • Regularly repeating this effort – vendors can change, and a regular (at least annual) review of their practices is essential, especially as vendors change ownership regularly.

Visibility, by itself, doesn’t prevent a malware attack. Without taking other measures – such as a thorough incident response plan – it won’t ensure an effective response or compliance with privacy laws. However, a company that fails to take elemental steps to understand its network, data, software, and vendors will be more vulnerable and non-compliant. The risks of not taking these steps far outweigh the time, effort, and cost involved.

You should be aware that you are not alone in this effort. Since the adoption of the GDPR and the CCPA, great strides have been made in overcoming what can, at first, seem to be an overwhelming task. The JMBM Global Hospitality Group, in coordination with the JMBM Cybersecurity and Privacy Group, works with hotel companies to understand and address their security and privacy needs, and we are ready to help you. For more information, contact Bob Braun (rbraun@jmbm.com).

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters including development of cybersecurity strategies, creation of data security and privacy policies, responses to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

For more information about JMBM, visit www.jmbm.com

JMBM Global Hospitality Group

1900 Avenue of the Stars, Seventh Floor
Los Angeles, CA 90067
United States
Phone: (310) 203-8080

Robert E. Braun

Robert Braun co-chairs JMBM's Privacy and Data Security Group and is a senior member of the Firm's Global Hospitality Group. Mr. Braun specializes in transactions with an emphasis on data security, privacy and information technology. Mr. Braun's practice includes establishment and development of strategies to implement computer software, cloud computing, computer hardware, communications and e-commerce solutions, designing and implementing privacy and security programs and protocols, as well as remediating security breaches. Mr. Braun has spent more than 20 years representing hotel owners and developers in their contracts, relationships and disputes with hotel managers, licensors, franchisors and brands, and has negotiated hundreds of hotel management and franchise agreements. His practice includes experience with virtually every significant hotel brand and manager.