The Westin Bonaventure in Los Angeles is the latest publicly disclosed hotel hacker target. Unfortunately, there are likely ten or more hotels hit this month that don’t even know about it. For years now, the hospitality industry has been hit hard with malicious attackers looking to gain access by whatever means necessary – whether via point-of-sale (as they did with the Bonaventure) or directly into a network server far removed from the restaurant or hotel’s location. In fact, according to one leading security vendor, in 2009 hackers broke into hotel networks more so than in any other industry. More importantly, the organizations hit by attacks didn’t discover breaches for an average of 156 days. This Trustwave report was compiled from data breach investigations across the world.
Given their data loss exposures, it is not surprising that some hotel brands have been purchasing network security and privacy insurance for years now. One leading luxury brand has bought such coverage for over six years. The covered claims for some of these insurance purchases have more than paid for the premium. The question remains whether an independent owner or franchisee needs to purchase its own coverage.
First of all, if you are a franchisee, the reservation networks are usually maintained by the franchisor. Why should a franchisee pay for coverage on a system maintained by another party – albeit a party with a strong relationship to the franchisee? To answer that question, the franchisee needs to review its Franchise Disclosure Document (FDD) to ensure that data loss indemnifications are in place. For example, under the FDD, who is liable for a breach if it’s point-of-sale and your employee was somehow negligent?
Secondly, what if your property collects information based on client preferences, health needs, or other sensitive data? Where and how is that information stored? Is it encrypted? Will this information ultimately be safeguarded by your franchisor partner. Although most recent hacks have focused on credit card information given that this financial information is so easy to monetize, what about the “cyber-extortion” threat potential should other sensitive client data be in the hands of those same hackers. Cyber-extortion has become a somewhat common insurance coverage grant.
As is a sound business strategy for any company, a “back up” plan should be in place that takes into consideration the potential your franchisor’s network may likely be compromised at some point. Not only should a back up network security and privacy plan be in place, but all related risks should be quantified. After this risk analysis is completed, an evaluation should be made determining whether separate NSAP insurance makes sense to protect your own interests.