Hotels & Cyber security

March 17 2016:  We bring you highlights of PriceWaterhouseCoopers  study on Hotels and cyber security:

How often do you read or hear news stories about cyber security and data privacy issues? Is it something that you pick up on once or twice a month, or maybe more frequently?

1 Awareness levels about cyber security and data privacy issues are rising

The simple truth is that cyber security and data privacy problems can be big news and newsworthiness drives awareness levels. The public, law makers, regulators and judges are all sighted on the risks. These people provide “adverse scrutiny” to entities when things go wrong and they are fully aware of the fact that some of the world’s biggest, richest and more powerful entities have been humbled by poor approaches to security and privacy.

Awareness levels are only going one way and we are rapidly approaching a tipping point, when entities realise that they have no choice: they have to do much more to tackle the security and cyber risks they face and to live up to the expectations that society places in them. If the full roll call of entities that have been humbled in the news is considered, the conclusion seems to be obvious: security and privacy issues are not being accorded the priority they deserve.

2 Hotels are already in the spotlight due to high profile breaches

2015 was a really bad year for the hotel industry. It emerged to prominence as a massive risk area, due to a series of high profile breaches affecting payment cards. Just before Christmas 2015 the Federal Trade Commission in the United States concluded long running proceedings against a hotel. This case has established a need for the development of comprehensive information security programmes, annual security audit cycles and post-incident investigations in the hotel sector. Looking at this from the customer’s side, security experts are now advising travellers to be on heightened alert when using hotels.

Hotels have been propelled to the forefront of the mind and it is inevitable that this will play out in further legal and regulatory problems over time.

3 Trust, confidence and brand put at risk

Legal and regulatory problems bring their own special range of issues. Locking horns with regulators, litigants and judges is the last thing that business needs. Judicial and Regulator design of business models has to be avoided at all costs. In landmark EU litigation in 2014, the way global web search operates in Europe was redesigned by the European Court of Justice, in a case that has delivered into law the so-called “right to be forgotten”. The security of mobile phone operating systems has just been re-designed by a District Court in Los  Angeles, massively inflaming the passions of the technology sector and security experts alike. But legal and regulatory problems are just one arc of the consequences of bad security and privacy. Businesses need to think about trust, confidence and brand health and reputation.

These points are commonly understood, but some business people point to share prices, saying that prices don’t dip much, or for long, after big security and privacy problems. That may be the case at the moment, but the absence of share price volatility does not mean that value is not being eroded. Moreover, if share prices do not dip, that points to another problem, namely defects in market behaviour.

That is a dangerous place to go, because the classic response to market imperfection is the expansion of regulation: regulation is seen as the antidote to market imperfection.

Businesses that trumpet the share price issue, merely bring-on the risk of more red tape and bureaucracy, as well as serious penalties and sanctions risk.

Trust, confidence and brand health may operate in a different timeframe to share prices. The absence of share price volatility does not mean that trust, confidence and brand health are not being eroded. If that is true, then the logic points, perhaps, to a convergence in the future of value erosion. Entities that are damaging their trust, confidence and brand health today may pay in share price in the future. In other words, suffering security and privacy failure might be like a cancer, where the harm is hidden from view until it is too late. This returns the focus to legal risk.

4 The legal risks are significant

The EU will soon adopt the General Data Protection Regulation (GDPR).

This is a landmark piece of legislation that will radically change our perceptions on how personal data should be handled in business. The GDPR will also have global effect. This is not just law-making for the inside of Europe’s borders.

The purpose of the GDPR is to put people back in control of their personal information and to improve how entities look after personal information while it is in their custody.

Download the report "Staying Power"  and find the cyber security section on pages 26-29