5 Key Privacy Questions for Hotel Operators

By Jacqueline Klosek
December 20, 2012 | 6:18 P.M.

As various technologies make it easier to collect, share, analyze and use consumer data, companies need to balance the desire to process the data with consumers’ privacy interests and to ensure that they are keeping pace with the continually evolving legal and regulatory landscape applicable to privacy and data security.

While such privacy considerations inevitably impact all industries, companies in the hospitality sector have particular business needs for consumer data as well as unique compliance requirements. Accordingly, this article explores five key privacy considerations for operators of hotels and resorts.

1. How secure is your data?
Data security is a fundamental concern for companies of all sizes and all industries. While all companies are at risk for data breaches and other security incidents, hotels and resorts appear to be particularly vulnerable to these attacks. According to Experian, a global information services group, 38% of data incidents in 2011 targeted hotels, resorts and tour companies.

The consequences of a data security incident can be far-reaching. Companies that experience data security breaches can face tremendous negative publicity and lost profits. They also can incur substantial costs, including costs incurred from investigating the breach, issuing required consumer notifications, responding to regulator inquiries and rectifying the breach.

Of course, governmental investigations and lawsuits can also result from a data breach. Earlier this year, for example, the Federal Trade Commission commenced an action against Wyndham Worldwide Corporation and three of its subsidiaries following an incident that allowed hackers to access more than 600,000 credit-card accounts in a series of three data breaches. The incident resulted in fraud losses in excess of $10.6 million.

In the suit, the FTC alleges that Wyndham misrepresented the security measures it and its subsidiaries use to protect customer data. Wyndham has fired back, seeking to have the complaint dismissed. Whatever the outcome in this case, one thing is clear: we can expect to see similar actions in the future.

In its news release on the Wyndham case, the FTC emphasized that “the case against Wyndham is part of the FTC’s ongoing efforts to make sure that companies live up to the promises they make about privacy and data security.”

A review of the FTC’s track record in this area certainly provides support for this statement. As of 1 May 2011, the FTC had brought 32 legal actions against organizations for failing to adequately protect the security of customer data.

2. Have you taken steps to ensure third-party vendors will protect all data?
Whether it is for bulk mail processing, database management, website development or a variety of other services, many companies will need to engage third parties to perform certain services that may involve entrusting them with certain customer information. It is critical that all third parties be considered an integral part of one’s privacy and data security initiative. Specifically, prior to sharing any customer data with third parties, it is advisable to conduct an audit or other inquiry into the service provider’s privacy and data security policies, track record and capabilities.

Beyond this initial due diligence review, it will be advisable to ensure the services agreement includes sufficient privacy and data security provisions. Moreover, where possible, the service provider should agree to indemnify the customer for any breaches of these provisions. To ensure adequate recourse in the event of any privacy breach, any limitations on liability and/or exclusions of damages should not apply to privacy breaches and/or indemnified claims.

3. Are you addressing applicable foreign legal requirements?
Although there is a growing body of privacy and data security requirements in the U.S., many foreign jurisdictions, including, most notably, the European Union, have stringent privacy requirements. With international operations and guests traveling from different countries, companies operating in the hospitality sector might be more likely than companies in other industries to fall under foreign privacy and data security requirements. Moreover, as is the case in the U.S., foreign privacy and data security laws continue to evolve at a rapid pace. Accordingly, companies operating in the hospitality sector are advised to include due consideration of the potential impact of foreign privacy laws in all new initiatives and plans, as well as in all regular privacy audits.

4. What are your data sharing policies and procedures?
Hotel and resort operators, like companies in many other industries, often have the need to share consumer data with various third parties for a diverse number of legitimate business reasons. For example, a hotel operator might wish to enter into a co-marketing arrangement with another company and, as part of that arrangement, each of the parties will elect to share data. Also, other third parties, such as property owners, might request certain guest information from hotel operators. To minimize the risks of any privacy claims arising out of any contemplated data sharing, it is highly recommended to review any proposed data sharing arrangements in light of one’s stated privacy policies and in consideration of all applicable legal requirements.

5. Are you keeping current with the rapidly evolving legal and regulatory environment?
Consumer privacy has been a hot-button issue for legislators and policymakers at both the federal and state level. Each year there is a flurry of new legislative proposals on privacy and data security. Each of these proposals, if successful, could lead to significant changes in how companies treat data by, for example, requiring companies to implement more protective data security policies, regulating how companies are able to collect and use certain types of data, and limiting the types of online tracking that a company is permitted to do and the kind of data that is collected through that tracking. Continued vigilance regarding this rapidly evolving legislative landscape is essential for any operator collecting consumer data.

Going forward, both the value of personally identifiable data to companies and the risks of processing such data are likely to continue to grow. Hotels that are able to collect and process information about their guests will be better positioned to offer their guests an enhanced, personalized experience. However, collecting, processing and disclosing personally identifiable data will also give rise to significant legal and regulatory obligations as well as the potential for a data breach. Companies operating in the hospitality sector will be better able to meet these challenges by building a culture of privacy throughout their organization, all the while keeping in mind these five key questions.

Jacqueline Klosek is Senior Counsel with Goodwin Procter LLP in New York, NY, where she is a member of the firm’s Privacy and Data Security Task Force. She may be reached for comment at: jklosek@goodwinprocter.com.

The opinions expressed in this column do not necessarily reflect the opinions of HotelNewsNow.com or its parent company, STR and its affiliated companies. Columnists published on this site are given the freedom to express views that may be controversial, but our goal is to provoke thought and constructive discussion within our reader community. Please feel free to comment or contact an editor with any questions or concerns.