DATA PRIVACY - HOT TOPICS IN HOSPITALITY
TRACY PULITO, DEPUTY CPO, STARWOOD HOTELS
CHRIS ZOLADZ, FOUNDER, NAVIGATE LLC
AHIA SPRING MEETING – APRIL 23, 2010
Agenda: Current landscape; Legal environment; Framework to protect data; Common data privacy weaknesses
of its data-breach investigations in 2009 occurred at hotels.
EU Data Protection Directive and Member States Data Protection Laws
The Personal Information Protection Act, The Anti-Spam Act
HIPAA, GLBA, COPPA, Do Not Call, CAN-SPAM Act, Safe Harbor Certification
PIPEDA, FOIPPA, PIPA
Personal Data Privacy Ordinance
46 Breach Notification Laws
Personal Data Protection Law, Confidentiality of Information Law
Electronic Communications and Transactions Act
Federal Privacy Amendment Bill, Spam Act
Global Privacy/Data Protection Laws, Regulations & Standards
Breach Notification Laws are effective in nearly all states requiring disclosure to customers when personal information is compromised.
45 states, plus DC, PR & VI. No law in Alabama, Kentucky, Mississippi, New Mexico & South Dakota.
Notice to affected individuals of unauthorized access to personal information (credit card number, Social Security number, driver's license, account number, medical information, health insurance information and name).
Trigger: when the company knows or “reasonably believes” there has been a security breach, i.e. unauthorized acquisition of unencrypted personal information.
Notice must be prompt, without unreasonable delay.
Notice may be delayed if it would impede a criminal investigation, or to allow the company to determine the extent of the breach and take action to restore security.
AR, DE, IN, NV, ND, and NY – include medical, last 4 SSN, employer ID, mother’s maiden name, signature or biometric data as a trigger.
AR, NV and TX require reasonable security measures. Encrypted data is not exempt in NY and MN.
AR, MT, NV, NYC and TX impose a duty of secure destruction.
NV – businesses may not transfer covered data without encryption unless internally or by fax (10/1/08).
Some states require additional reporting obligations to consumer reporting agencies, the Office of the Attorney General, or the Department of Consumer Affairs/Protection, plus specific language or notice regarding credit agencies.
Always required to contact credit card companies and acquirers.
TJX – several states discuss holding merchants liable for costs associated with breaches of card data while in the merchant's possession. Still waiting for federal regulation.
File with appropriate Privacy Commissioners Office
Containment & Assessment
Evaluate the Risk
Potentially required to provide notice to affected customers
Remediation and Prevention
Enacted (member states have 18 months to implement)
Effective May 2011
Applies to ISPs & Telcos
Member States - Germany
Notify if the incident "threatens significant harm" to the rights and protected interests of an individual.
Notification must be provided "immediately" after measures have been taken to secure the data and ensure criminal investigations will not be adversely affected.
Notice requirement is limited to a breach of sensitive data (bank or credit card information, or information that is subject to professional or official confidentiality protections)
Germany requires only a single trigger for notification, while most U.S. state statutes require two (name, plus a sensitive data element).
Delivery of breach notices - in cases where there are a large number of individuals affected and individual notification would be too burdensome, notice may be made by at least a half-page advertisement in at least two daily national newspapers, or by other means providing similar exposure.
Costs of a Data Breach
http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx
The FTC is also an Enforcer
“Privacy is a central element of the FTC’s consumer protection mission.”
Companies that hold any personal information about Massachusetts residents are required to develop security policies conforming to the Massachusetts standard, including encryption of personal information on laptops, new certifications from service providers, and amended outsourcing deals.
In August 2009, the Office of Consumer Affairs and Business Regulations filed amended regulations with major changes including:
Compliance deadline March 1, 2010
Apparent incorporation of FTC standards under GLBA allowing for a risk based approach to data security and consistency with Federal law and statutory intent
Removal of prescriptive technology requirements
Removal of some requirements for the written security program
Third Party contracts entered into prior to March 1, 2010 have until March 1, 2012 to be amended to include appropriate security measures
If technically feasible, backup tapes must be encrypted on a go-forward basis, including creation of new backup tapes and movement of old backup tapes (e.g., from storage back to the company facility). If not technically feasible, appropriate steps should be taken to secure and safeguard the PII based on sensitivity of information, amount of PII, distance traveled, etc.
In October 2008, Nevada became the first U.S. state to enact a law that specifically requires encryption for all external electronic transfers of customers’ personal information — rather than referring to “reasonable security procedures and practices” to protect data.
Encryption means* “the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:
Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.”
New addition to the Washington State breach notification law imposes additional liability in payment card breaches.
Effective July 1, 2010, certain companies processing payment card transactions may be liable to financial institutions for the costs associated with reissuing cards after the company experiences a breach.
The law intends to encourage the reissuance of cards thereby mitigating the potential harm which could be caused by a security breach and applies to:
Businesses - “processes more than six million credit card and debit card transactions annually, and who provides, offers, or sells goods or services to . . . residents of Washington.”
Processors - “directly processes or transmits [payment card] account information for or on behalf of another person as part of a payment processing service.”
Vendors - “entity that manufactures and sells software or equipment that is designed to process, transmit, or store [payment card] account information or that maintains account information that it does not own.”
The new law is triggered if a business or processor fails to take reasonable security measures to protect against unauthorized access to account information thereby causing a breach. The business or processor will be liable to the relevant financial institution for the costs of reissuing payment cards to Washington residents to mitigate “potential current or future damages”. Likewise, a vendor will be liable to the financial institution for such costs if such damages were caused by the vendor’s negligence.
HOWEVER, there are two exceptions, there shall be no liability if (1) the account information is encrypted; OR (2) if the company’s PCI DSS compliance was validated by an annual security assessment within the past year prior to the breach, even if such security assessment is subsequently revoked.
Legal compliance - international & domestic laws and regulations, government agency practices (e.g. FTC), industry standards (PCI), etc.
Corporate Public & Internal Policy Development and Implementation - on and off line
Work with corporate offices & various departments – marketing, development, security, etc. advising and providing strategic guidance on ensuring privacy of customer & employee data through legal and policy compliance
Business and partner contracts – include privacy & security provisions
Monitor systems, operations, programs and marketing
Conducting new initiative assessments
Periodic review of laws and regulations and their potential effect on company policies and procedures
Who should the policies apply to:
Employees, consultants, contractors and anyone with access to customer or employee data.
What should the policies govern:
Collection, Use, Access, Monitoring, Disclosure, Transfer and Storage of data and company systems.
What systems/technologies should the policies apply to:
All company servers and systems, personal computers, e-mail, IM, PDAs, telephones, cell telephones, voice mail, fax, intranets, wire services, on-line services, the Internet, etc.
The movement of a data asset from an intended state to an unintended, inappropriate, or unauthorized state, representing a risk or a potentially negative impact to the company.
Locate all sensitive information
A key challenge is being able to accurately identify relevant data at all key locations (stored data, laptops, network, message server). Many companies do not know where such data is, who has access to it, and what the company and its employees are doing with it.
Control and protect all sensitive information
There are many ways to misuse and lose sensitive data. Companies must control and protect sensitive data in order to meet legal, regulatory and company policy compliance obligations.
Report and remediate
IT and Security teams need a system that allows the quick identification of real violations and trends without wasting time and resources on valid business activity.
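The "locate" and "report" steps above come down to finding real sensitive data without drowning the security team in false positives. The following is an added example, not material from the presentation: a small discovery scan over a constructed text sample (the card number is the public Visa test number, the other values are made up) that flags card numbers and SSNs, uses the Luhn check to reject number strings that merely look like card numbers, and records only masked values so the report itself does not become another copy of the data.

```python
import re

# Constructed sample of the kind of text a discovery scan walks through
# (a shared-drive export). 4111 1111 1111 1111 is Visa's public test number;
# the order reference and loyalty id are 16-digit strings that are not cards.
SAMPLE = """\
Guest: J. Doe  Card: 4111 1111 1111 1111  exp 09/12
Order ref: 4111-1111-1111-1112 (internal confirmation number)
Payroll note: SSN 078-05-1120 on file for new hire
Phone: 212-555-0123, loyalty id 1234567890123456
"""

# 13 to 16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# AAA-GG-SSSS with the impossible area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> dict:
    """Scan text line by line; keep masked hits and count rejected card candidates."""
    findings, rejected = [], 0
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                # Store last four only: the report must not become a new copy of the PAN.
                findings.append((lineno, "card", "*" * (len(digits) - 4) + digits[-4:]))
            else:
                rejected += 1   # looked like a card number but fails Luhn: not a violation
        for m in SSN_RE.finditer(line):
            findings.append((lineno, "ssn", "***-**-" + m.group()[-4:]))
    return {"findings": findings, "rejected_card_candidates": rejected}


if __name__ == "__main__":
    print(scan(SAMPLE))
```

Running the block on the sample reports one card (line 1) and one SSN (line 3), and shows that the two 16-digit strings on lines 2 and 4 were rejected by the Luhn check rather than raised as violations.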
As data is processed, data leakage may occur resulting in the following significant risks to a company:
Financial damages may include asset loss, replacement, management time, public relations, shareholder value, etc.
Legal & Regulatory Compliance Risks
Non-compliance may have serious impact on ongoing operations
Damage to Reputation
The impact on brand and reputation can exceed the direct value of the potential damages.
Disruption of service, business operation, system outages, etc.
Failing to notify of an incident has serious long-term brand and legal consequences.
Numerous U.S. and international privacy and data protection regulations, including the EU-DPD, GLBA, HIPAA, and breach notification laws.
Data protection through contracts with outsourcing, marketing agreements, and vendor relationships that involve data transfer across organizational, geographic, and system boundaries
Data transfer across geographic borders
Vendors or Partners may expose sensitive data to their third parties agents and contractors
Granting vendors access to a Company’s sensitive data and processing environments
Existing contracts may carry a risk of data leakage and misuse by third parties
Inconsistent implementation of privacy practices among independent organizations
Who has responsibility and associated liability for data protection?
Contract language and internal auditing of those contracts
Data ownership v. Usage rights
Usage restrictions and confidentiality
Maintain appropriate technical and organizational measures to protect data
Take all necessary steps to ensure security of systems that process data
Protect against unauthorized, unlawful or accidental access, disclosure, transfer, destruction.
Breach notice requirements and government/regulatory agency investigative notice requirement, or disclosure due to subpoena, court order, etc.
Disclosure only to those with a business need to know, third party vendors must have same terms in a written agreement.
Vendor responsible for actions of employees, agents, consultants, subcontractors, anyone with access to data.
Audit rights, certification (breach of contract claim)
Secure data destruction, disaster recovery.
Survivability and assignability
Guidelines regarding the collection, processing, use, transfer, storage and retention of customer data for marketing purposes.
List specific data fields that may be used for specific situations when customer data is captured
Ordering products or services (online, call centers, in person, catalog, etc.)
Loyalty program registration
Marketing sign up
Who may have access to such data
Only those employees with a business need to know
Include Secure transfer and storage guidelines
No Excel spreadsheets!
Printed copies, in locked file cabinets in locked offices
Reference Data Management Policies for retention requirements
Contact management strategy
Number of times a month/year a customer may be contacted
Creative content review & approval process
Avoid sharing lists directly with marketing partners, including opt out list
Use a Third Party Mail house
Both parties create the creative with equal use of branding; for companies that do not collect consents for third party marketing, consider using significantly more company branding, with a reference to the co-branded partner's name, logo and offer.
Provide the creative to the mail house with the appropriate company (or companies') recipient list excluding opt outs (unless the mail house will remove opt outs)
The marketing piece should be sent soon after the list is provided to the mail house, so that a customer who opts out after their name was included in that list does not put the mailing out of compliance with CAN-SPAM.
If both company lists are being provided, have the mail house conduct a “bump up” of the lists to remove duplicates.
Ensure CAN SPAM requirements are met
Appropriate company name, address and opt out is provided
Under Revised CAN SPAM, a co-branded marketing partner may be held liable for their partner’s non-compliance with CAN SPAM
Therefore, ensure proper contractual requirements are in place, such as requiring a warranty and representation that the partner company has all the necessary consents and permissions from the intended recipients to send such marketing communications and will indemnify its co-branded partner.
Unsecured Credit Card authorization forms
Imposters on the phone or on property
Use of commonly known default passwords
Poor physical security over the computer room or computer servers
Use of default user IDs and passwords
Systems intrusions by hackers (organized crime)
Gauging Your Client's Risk at a High Level
Gauging Your Client's Risk at a High Level (cont'd)