This blog post was originally published as a Legal Alert on GSB's website on July 3, 2018. The post was also authored by Victoria Redman, GSB’s 2018 Summer Associate, located in the Seattle office.
On Thursday, June 28, 2018, the California Consumer Privacy Act of 2018 (the Act) passed with resounding support from both Republicans and Democrats, who voted in favor of the bill 73-0-7 in the Assembly and 38-0-3 in the Senate. The Act, which takes effect on January 1, 2020, imposes requirements on the processing and protection of personal data similar to, and in some cases, more extensive than the requirements under the EU General Data Protection Regulation (GDPR), which went into effect on May 25, 2018.
Lawyers often say “bad facts make bad law”. Combine that with weak legal arguments and, well, things can get really bad, really fast. That’s precisely what happened to Wyndham yesterday when the Third Circuit affirmed a federal District Court decision that the Federal Trade Commission (“FTC”) has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the Federal Trade Commission Act. While commentators may disagree on the result from a legal or policy perspective, one thing is for certain, it was a bad result for Wyndham. The decision rejected in no uncertain terms Wyndham's argument that the FTC lacked authority; and not kindly.
Benjamin Lambiotte, technology and data privacy attorney in Garvey Schubert Barer’s D.C. office, shares key points from two significant survey reports analyzing trends in data security breaches during 2014 that were released this week; one from Verizon, and the other from IBM and the Poneman Institute. It should come as no surprise to anyone that once again, the hospitality industry is featured prominently in both reports. Thank you, Ben! – Greg
The Verizon report studies in depth the industry sectors most frequently targeted and affected, the nature of current threats, and causes and consequences of actual data breaches. The Poneman report focuses on costs associated with successful attacks. Both are worth a close read. Together, the reports starkly illustrate the increasing pervasiveness, complexity and costs associated with preventing and responding to data breaches. The good news is that they also provide guidance on effective preventive and cost control measures.
Here are some of our key takeaways and observations from these fascinating reports:
No Organization or Business is Immune from Attack, but Some are More Frequent Targets Than Others
- In terms of volume of security incidents by sector, the top ten (in order) were government entities, information, financial services, manufacturing, retail, hospitality, professional services, health care, and other services.
- Actual data breaches (attack succeeds; data lost or compromised) occurred most frequently (in order, by sector) in: government, financial services, manufacturing, hospitality, retail, professional services, health care, information, education, and other services.
- In certain industry sectors, cyber criminals more frequently breach smaller businesses. Smaller hospitality businesses, by far and away, ranked number one, with retail second. Financial services remains the number one large business target, followed by large retail, and health care.
- Certain industry sectors are more frequent targets of certain types of threats. For example, the hospitality industry is particularly susceptible to Point of Sale (POS) intrusions. Verizon reports that 91% of data breaches in that sector were POS intrusions. The POS credit card systems used in that industry have of late been plagued by a new breed of malware (including POSeidon) that burrows deep into the system and “scrapes” card data momentarily stored in RAM. “Insider” threats (errors and abuse of access privileges) are more prevalent in health care than other industries. Financial institutions are particularly vulnerable to “crimeware” and web application hacks. Businesses should calibrate their risk management approaches to the specific types of threats they face.
Dealing With a Data Breach is Expensive -- the More Records Compromised, the More it Costs
- Poneman predicts that the average per record mean cost of a data breach will be $201 per record, an increase over the past two years. Such costs include lost customers, and expenses of dealing with the breach. Relative costs depend on the scale of the breach. Verizon predicts that breaches of 1,000 records will result in losses between $52,000 and $87,000, and that breaches of 10 million records will result in losses of between $2.1 to $5.2 million.
- Certain industries have higher data breach costs than others, with regulated industries having a higher per capita record costs than non-regulated businesses. The highest relative per capita data breach costs (in order) are in the health care, transportation, education, energy and financial sectors.
The Most Frequent Ways Cybercriminals Gain Access is Through Dumb Stuff We Do or Don’t Do
- In order to steal or compromise sensitive data, cybercriminals have to get at it. The most common way they breach the castle continues to be “phishing” and “spearphishing.” “Phishing” involves baiting a system user to respond to an official-looking e-mail asking for a reply “verifying” a password or account number. “Spearphishing” is a variation where the e-mail also resembles a routine communication from a trusted sender, but invites the recipient to click on a web link or open an attachment whose payload is malware The stats are sobering. Fully 23% of e-mail recipients open phishing e-mails, and 11% click on the malware payload. 50% of the time, this happens within an hour after the “seafood” e-mail arrives. A phisher who sends out this kind of chum generally only has to wait 1.22 seconds before some sucker somewhere takes the bait.
- Another prevalent way cybercriminals get at sensitive data is an organization’s failure to install “patches” for known security vulnerabilities. The stats here are also depressing. In 2014, half of exploited vulnerabilities were defeated within less than a month after becoming known. But in 99% of the cases where a known vulnerability was exploited, a patch had been available for a year or more! Due to failure to implement available fixes, hackers continue to be able to exploit well-known “oldie but goodie” vulnerabilities.
- Plain old human error is another major inroad for hackers. 60% of incidents were caused by internal staff sending sensitive information to the wrong person, putting sensitive data on publicly accessible servers, or disposing of sensitive medical or personal data in insecure ways. Also, people forget or lose mobile devices containing sensitive data in an insecure environment all too frequently.
- While technological countermeasures are necessary, a focus on human factors – the loose nut behind the keyboard – is at least as important. Training and awareness, and practices designed to mitigate our natural tendencies to make the type of mistakes that frequently give hackers keys to the castle, are a key part of any data breach risk management strategy.
Certain Specific Measures Can Reduce the Cost of a Data Breach When it Occurs
- The Poneman report documents that certain types of expenditures can reduce the overall cost of data breach. Having in place before the breach a strong security posture, a Chief Information Security Officer with responsibility for data protection, and a defined incident response plan all reduce the per capita record cost of a breach. It makes sense that planning and investing resources before an incident occurs can save money when it happens.
How secure is the data on your office copier? Today's post from Benjamin Lambiotte, technology and data privacy attorney in Garvey Schubert Barer's D.C. office, outlines the data security risks associated with office machines, as well as the warning signs and steps that you can take to reduce those risks. Thank you, Ben! - Greg
Current generation multifunction printer/scanner/copier devices are convenient, inexpensive, and very popular. Often overlooked is the fact that most modern printers, copiers, and scanners have many of the same attributes of computers, and are just as vulnerable to the same kind of cyber exploits and attacks as computers. A truly comprehensive data security and privacy risk management approach requires that these commonplace devices be viewed as an integral part of an enterprise’s IT systems, and that device-specific measures be taken to secure them. The National Institute of Standards and Technology (“NIST”) last month published a report on risk management practices for “replication devices,” The NIST report identifies risks associated with such devices, and provides guidance on protecting the confidentiality and integrity of information processed, stored, or transmitted on them.
- Default administration/configuration passwords: Many devices have default passwords which can be easily obtained and used to access stored data, or to control the device.
- Data capture: Unless encrypted, data transmitted or stored, including passwords, configuration settings, and data from stored jobs, is vulnerable to interception or modification.
- Spam: Unless properly configured and without proper access control, many devices will process any job submitted, which could waste paper, toner, and ink, and tie up the device.
- Alteration/corruption of data: If passwords or configurations are changed, denials of service for authorized purposes or potential damage to the device could result.
- Outdated and/or unpatched operating systems and firmware: Many devices run an embedded operating system, making them subject to the same threats as any other computer running those operating systems. Also, older devices may have embedded versions of operating systems no longer supported by the manufacturer, which may leave “unpatched” security issues.
- Open ports/protocols: For devices that can connect to local networks or the Internet via wireless or ports, open ports and protocols allow data to flow to and from a device. Through open ports, attackers may gain undetected access, and data tampering, unauthorized access, and denial of service can result.
The Report identified several signs indicating that the security of such a device may be compromised:
- Display malfunctions or shows incorrect information;
- Materials (ink, paper, or other supplies) run out faster than usual;
- Increased number of failed or timed-out jobs;
- Unexplained/unauthorized changes in configuration settings;
- Device completes processes slower than expected;
- Device uses more network time/bandwidth than usual;
- Time stamps do not align or make logical sense;
- Communications with unknown IP or email addresses increase; and
- Markings indicating tampering around key areas of the device (e.g., hard drive or SSD compartment, display area).
An Appendix to the Report provides a very useful device risk assessment template and checklist. It gives practical guidance on best security practices, across the entire lifecycle of the device. Examples of some countermeasures include:
- At acquisition, or in third party supply and support contracts, ensure that the device meets common data security standards, is capable of operating in a secure mode, and that the OS is actively supported by the OEM;
- At deployment, change vendor default passwords, and configure the device to operate in a secure mode;
- During operation, control device access through PINS and passwords, control physical access to the device itself and its components, such as the SSD or hard drive, and track usage, ensure that stored and transmitted data are encrypted, and timely implement OEM security “patches” and fixes;
- During operation, control network access using standard organization practices, close unused open ports and protocols, disable wireless identifier broadcasting, and configure the device to prevent communications to and from unknown and unwanted addresses (blacklist/whitelist); and
- When taking the device out of service, change all passwords and PINS to vendor defaults, and remove or sanitize all hard drives and SSDs on which data may be stored.
The NIST report is available here.
I’m pleased to introduce guest author, Nick Montera, Vice President, Account Executive and head of the hospitality practice at Parker, Smith & Feek. PS&F is an insurance and risk management brokerage firm headquartered in Bellevue, Washington, providing innovative insurance solutions to clients nationwide. We appreciate Nick sharing his expertise and insights on this important and timely subject. - Roger Hillman
HOSPITALITY INDUSTRY RISKS: DATA PRIVACY AND SECURITY
Most hospitality businesses allocate time and capital to efficiently collect and process data in order to improve sales, customer service and loyalty, and operations efficiency. Technological advances have made it easier to manage a wide range of information about customers, vendors, and employees. Virtually all businesses that use computer systems are to some extent vulnerable to costly exposures associated with system breaches.
Hotels and restaurants are no exception and, in fact, have much higher levels of exposure because they collect vast amounts of private data from customers as a part of their day-to-day operations through credit card transactions, online reservations, and rewards programs. Private data may be both personal (names, physical addresses, email addresses, social security numbers) and financial (credit card and banking). While technology helps your business run more efficiently, it also increases your risk for data privacy and security breaches, as well your liability to affected customers. Unfortunately, many hospitality companies have not upgraded their risk management plans to address the inherent exposures associated with today’s sophisticated data management. A breach can severely impact the financial stability and continuing success of a company, and so it’s important to understand the risks associated with data breaches and to develop plans to mitigate them.
Hospitality: A Targeted Industry
According to Nicholas J. Percoco, hospitality businesses often proves to be an easy target for criminals who are looking for high transaction volume, a large database of customer records, and low barriers to entry. In fact, organizations analyzing data breach trends consistently cite hospitality as the single most vulnerable industry:
- The accommodation and food service industries accounted for half of all breaches in the 2012 Verizon Communications Report.
- The food and beverage industry made up 44% of all 2011 data breach investigations by Trustwave Spider Labs.
- Hotels were the single most breached sector for credit card data theft in 2009, accounting for over a third of all major breaches.
Percoco, head of Trustwave Spider Labs, believes that the criminal element targets the food and beverage industry because of high transaction volume, which makes it possible to turn criminal activities into money very quickly. Trustwave Spider Labs found that food and beverage companies not only have systems that are vulnerable to infiltration, but often fail to detect a breach until long after it has occurred. Their study revealed that criminals stay undetected in a breached food and beverage system for an average of 173.5 days. The combination of high transaction volume and undetected breach time can prove devastating to a business.
A common misconception is that only large organizations need to worry about protecting against data breaches. In Verizon’s 2012 Report, two-thirds of the 855 investigated incidents occurred at businesses with 11 to 100 employees, a common size for many hospitality enterprises. However, no hospitality company is immune. Smaller, independent enterprises are vulnerable because they are small and may have systems that are easily breached. On the other hand, franchise operations often share a regional, national, or international data system that, once breached, can affect all or most of the individual franchisees.
Most businesses today have data privacy and security exposures, which may include 1) a presence on the Internet, 2) data on servers connected to the Internet, 3) file maintenance that contains personal and/or financial information, and 4) transmission, storage, or processing of data such as credit card payments. Businesses in the hospitality industry need to be particularly cognizant of these exposures. It is important to develop programs to reduce the possibility of a breach and take steps to mitigate the impact of a breach before one occurs.
Costs of a Data Breach
A company that experiences a breach can incur a range of costs that quickly add up to a substantial loss. When private data is compromised, your expenses could include notification and claims processing, credit monitoring services for affected individuals (to lessen the potential for civil suits), and employment of a public relations team (to assist with damage control and preservation of your reputation). There may be additional costs associated with finding and fixing the root cause of the breach, and recovery of lost data. Finally, you may have liability claims for failure to have reasonable safeguards in place to protect personal and financial data.
In the event of a breach, you are responsible for notifying the affected individuals. In fact, 46 states have enacted broad privacy laws pertaining to notification whenever personal or financial information might have been compromised, lost, or stolen. Furthermore, if private data of individuals from other states is affected, you must comply with each applicable state’s laws. For those in the hospitality industry, compliance can be costly and time consuming because it entails research into the privacy laws of the state of residency for every potential affected customer. Since many hotels and restaurants depend upon customers from all over the United States (as well as other countries), notification requirements and the related costs are of particular importance. The possibility of regulatory violations and fines can be drastically reduced if you have an adequate plan in place ahead of time.
Estimates of the average incurred cost for a breach vary between the studies, but one thing is evident: it’s expensive. According to the Ponemon Institute’s 2011 report, the average cost of a data breach in 2009 was $6.75 million per incident and $204 per individual record. The immediate financial cost of a data breach is only part of the story. It can cause a loss of customer trust and a tarnished reputation, which can be extremely difficult and expensive to rehabilitate. This is especially true for hotels and restaurants, which usually have high public profiles.
Data Security and Risk Management Basics
There is no doubt that the risks associated with data retention and transfer are real and significant. For a hospitality organization, it is of paramount importance to identify areas of exposure and develop adequate risk management programs that address data privacy and security. To help you get started, here is a list of questions (from Cyber insurance specialist Swett & Crawford) with my added commentary:
- Is the corporation aware of all applicable state and federal privacy laws and notification requirements pertaining to customer data?
- Due to the wide geographic dispersion of your clients, it is best to do this research upfront. If a breach occurs, you may not have adequate time to research and comply with state laws, which may be time sensitive. Missed deadlines could lead to costly regulatory fines and penalties.
- Make sure that your organization is compliant with The Payment Card Industry Data Security Standards (PCI DSS) and any other standards that apply to your organization. Helpful information on PCI DSS can be found here.
- Is any personal identifiable information (PII) or client confidential information stored on computers or in paper files on premises? If so, where specifically is the data stored, how is it secured, who has access and how many PII data files are there?
- PII is often defined as unique information that can be used to identify, contact or locate a single person. In Washington state, PII is defined as an individual’s first name (or initial) and last name combined with one of the following: social security number, bank account number, credit or debit card number (including security code access code or password), driver’s license number, or a Washington identification card number.
- Track personal data throughout your entire information infrastructure and identify all parties that have access to this data. Conduct an audit that gauges employee access to and use of personal data.
- Make information security a written workplace policy.
- Are all of the companies laptops encrypted? Are portable media devices like thumb drives prohibited or at lease encrypted?
- Devices such as laptops, smart phones, external hard drives and flash drives all present possible data security threats if lost, stolen, or hacked. While most people assume that system hackers are the greatest threat, recent studies show that lost or stolen portable devices are the most common cause of data breaches.
- Has the company implemented strong internal password controls and training to all employees?
- Make sure passwords are strong. It is also a good practice to reset passwords periodically—90 days is a good timeline—and never duplicate passwords. It’s also a good idea to reset default passwords.
- Are the company’s firewalls current and all security patches regularly updated?
- A firewall can be the best defense when trying to isolate and contain breaches. Despite the expense, it is beneficial to invest in a robust set of firewalls that require user authentication.
- Does the company outsource any services to third party vendors that may involve a client’s information? If so, do these vendors provide hold harmless and indemnification agreements with regards to any data breach involving personal identifiable information?
- It’s a common misconception that outsourcing automatically transfers liability for data breaches to the vendor. It is vital that you have favorable hold harmless agreements and indemnification provisions in place with vendors, but even with these agreements in place, data owners can still be held responsible for compromised information.
- Does the company have in force a detailed plan in case of a data breach?
- In addition to developing and implementing a risk management program for data breach, risk transfer via insurance can be a cost effective risk management mechanism.
Data Breach Insurance Coverage Basics
Over 30 insurance carriers provide coverage that is tailored to specifically address exposures related to data breach. Naming conventions vary by insurance carrier, but some of the more common ones are Data Security, Data and Privacy, Cyber Liability, and Data Breach insurance. Coverage may be written on a standalone basis or combined with your Professional Liability or Media policy.
A properly structured policy will provide both first and third party coverage. First party coverage pays for direct losses incurred as a result of a breach including (but not necessarily limited to) notification costs, recovery of lost and destroyed data, forensic investigation expenses, credit monitoring and call center services for affected customers, business interruption losses, extortion demands, and public relations expenses. Third-party coverage protects companies from liability suits filed by individual customers, credit card companies, regulators, and various other third parties. Coverage should extend to defense costs as well as damages. Depending upon the carrier and insurability from a legal standpoint, it may also cover regulatory defense, fines, and penalties.
As a hospitality business, your financial stability and continuing success depend upon a proactive approach to data security risk management. Lax security practices or a security gap could result in a breach that encompasses massive amounts of stolen data, creating financial loss for your customers, vendors, and employees, as well as your business. It’s important to do all that you can to protect yourself from a breach. It’s equally important to devise a solid risk management plan, including insurance coverage, to mitigate the severity of loss when one occurs. If you have not yet done so, consult with your insurance professional about your data exposure and risk management solutions.
Our first of many anticipated privacy related posts comes from Colleen Hannigan of our Seattle office. Colleen is one of the newest members of our Hospitality, Travel and Tourism Practice and brings with her a wealth of privacy experience from Harvard Law School and her time spent at Berkman Center for Internet and Society. Welcome, Colleen, we look forward to many more posts in the future. - Greg
In September, 2013, Governor Jerry Brown of California signed into law Assembly Bill No. 370, which amends the California Online Privacy Protection Act (CalOPPA) to require that website and mobile app operators disclose whether they honor web browser “Do Not Track” signals. AB 370 took effect on January 1, 2014.
CalOPPA has, since 2003, required operators of commercial websites or online services that collect personally identifiable information (PII) from California consumers (including, most notably, guests and customers from California) through the Internet to post, conspicuously, their privacy policies. PII is “identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form.” PII includes, but is not limited to, first and last names, home or other physical addresses, email addresses, telephone numbers, social security numbers, and any other identifier that permits the online or physical contacting of a specific individual. PII also includes “[i]nformation concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.”
CalOPPA requires privacy policies to make certain specific disclosures regarding how the website or app operator collects, uses, and discloses users’ PII. For example, operators must disclose the type(s) of data they collect and the categories of third parties with whom that information is shared, if any. In addition, privacy policies must provide an effective date, information regarding how a consumer can access and/or request changes to his or her PII, and a description of how the operator will notify consumers of policy changes.
Do Not Track and AB 370
Do Not Track (DNT) mechanisms typically are small pieces of code, similar to cookies, that signal to websites and mobile applications that the user does not want his or her website or app activities to be tracked. Most Internet browsers, including Mozilla Firefox, Google Chrome, Microsoft Internet Explorer, and Apple Safari, allow users to choose whether to have the browser send out DNT signals. If a website that honors DNT signals receives such a signal, the browser blocks the website from collecting PII from that user.
AB 370 amends CalOPPA to require covered operators to update their privacy policies to include new disclosures. Specifically, the amended Act now requires that operators disclose:
- How they respond to DNT signals or other mechanisms that allow consumers to choose whether and how PII about their online activities is collected over time, both by the operator and across third-party websites or online services; and
- Whether third parties may collect such PII over time and across different websites when the consumer uses the operator’s website or service. However, the operator need not disclose the identities of such third parties.
AB 370 does not require website and app operators to obey DNT signals—it merely requires that operators disclose whether they obey or do not obey such signals. Operators may satisfy this requirement by either, if they do not respond to DNT signals, stating as much in their privacy policies, or, if they do respond to DNT signals, including in their policies a description of the program or protocol they use in responding or a clear and conspicuous hyperlink to an online location containing such a description.
Hoteliers and restaurateurs that operate websites, mobile applications, or other online services that collect personal information from California residents should familiarize themselves with both CalOPPA and AB 370. In addition, operators should review their websites and apps to determine how they respond to DNT signals and the tracking methods they use, as well as whether third parties (e.g. vendors or suppliers) conduct tracking activities on or using their websites or apps. Hoteliers and restaurateurs should then revise or update their privacy policies as needed.
Hoteliers and restaurateurs should be aware that other state laws and/or federal laws such as the Healthcare Information Portability and Accountability Act (HIPPA) or the Children’s Online Privacy Protection Act (COPPA) may also apply, depending on what information the Hotelier or restaurateur collects and from whom.
Over the past 2 days, MPI hosted its annual Cascadia Educational Conference in Portland, Oregon. I had the pleasure of participating at this year's event, presenting on group sales issues and privacy. Copies of my presentations are available here: Group Sales Contracts: Interesting Case Studies and The Rising Significance of Guest Information.
Scott Warner, a technology and intellectual property lawyer on our Hospitality, Travel & Tourism team, discusses some implications of the much publicized FTC lawsuit against Wyndham.
- failed to use strong (and in some cases any) passwords to limit access to computer files;
- failed to use firewalls to separate corporate and hotel computer systems;
- improperly stored payment information in clear text;
- failed to implement reasonable measures to detect security breaches;
- failed to implement proper incident response procedures or remedial steps after learning of a data breach; and
- failed to adequately restrict access to company systems by third party vendors.
The claims stem from three separate data breaches over a period of two years in which hackers obtained the private information of more than 600,000 customers, which led to more than $10.6 million in fraudulent charges.
A pair of recently effected state laws makes clear that information security remains a significant issue that receives and will continue to receive considerable legislative and commercial attention. Hoteliers, restaurateurs and others in the hospitality industry use personally identifiable information (PII) of their guests and customers to improve services and create a personalized experience.
Greg and I attended the annual Hospitality Law Conference in Houston this February, which devoted an entire track to data privacy issues. It’s the definition of a hot topic, and important, so please take note!
Greg Duff, Editor
Greg Duff founded and chairs GSB’s national Hospitality, Travel & Tourism group. His practice largely focuses on operations-oriented matters faced by hospitality industry members, including sales and marketing, distribution and e-commerce, procurement and technology. Greg also serves as counsel and legal advisor to many of the hospitality industry’s associations and trade groups, including AH&LA, HFTP and HSMAI.