Travel and hospitality is the world’s largest industry, with the World Travel and Tourism Council predicting revenues in excess of $15 trillion by 2017. Over 50% of all travel reservations are now made online, including hotel reservations, with data collected and stored that may include: names, addresses, personal email addresses, and of course, financial data (credit cards and banking). This is in addition to employee information that is stored by organizations that includes Social Security numbers and medical information.
What’s more, many segments of the hospitality industry have rewards programs that encourage customers to frequent a particular establishment or chain. These programs store personal and financial information required in order to facilitate reservations, billing and payment and benefit awards.
With all of advanced technology comes the high exposure for data security breaches. In fact, according to a 2012 Verizon Communications Report, the accommodation and food service industries accounted for half of all breaches. Furthermore, a common misconception, according to the Verizon Report, is that only large companies have to worry about protecting against data breaches. But two-thirds of the 855 investigated incidents in the Report occurred at businesses with 11 to 100 employees, typical for many hospitality enterprises. However, no hospitality organization is immune to a data breach. Smaller, independent enterprises are vulnerable because of their size and may have systems that are easily breached. Franchise operations, on the other hand, often share a regional, national, or international data system that, once breached, can affect all or most of the individual franchisees.
In our July blog, we wrote about Wyndham Hotel Group, which over the last two years had three breaches that affected more than half a million customers. The group was later hit with a lawsuit from the Federal Trade Commission (FTC) for allegedly misrepresenting the security measures in place that were supposed to have prevented the hacker intrusions.
A security breach for a hotel, as with any other type of operation, can bring significant consequences. In the event of a potential breach of security, state laws in most jurisdictions require the business to notify all potentially impacted persons of the breach, the cost of which can be high. If the information causes damages, the hotel operation could face liability claims for failing to protect the data by maintaining reasonable safeguards. The business may also face additional costs such as purchasing credit-monitoring services, hiring a forensic team to determine the cause of the breach and take corrective measures, and in some cases hiring a public relations firm to help manage communications with customers and repair its reputation.
At IPOAUSA’s exclusive Hotel Insurance Program with Lloyd’s for limited and full-service hotels offer Data Breach coverage through Beazley for limited service hotels, which is normally only available to large resorts. This coverage includes breach notification and credit monitoring services with separate coverage limits for third party claims; breach response coverage for forensic and legal assistance, and notification costs; bureau credit monitoring services; crisis management sublimit for public relations and extraordinary notification expense; a separate limit of liability for privacy, network security and media claims; and more. There is a $100,00 PCI restriction.
For more information about our hotel insurance program, please call Stefan Burkey at 877.653.IPOA (4762).