DATA PRIVACY - HOT TOPICS IN HOSPITALITY
TRACY PULITO, DEPUTY CPO, STARWOOD HOTELS
CHRIS ZOLADZ, FOUNDER, NAVIGATE LLC
AHIA SPRING MEETING – APRIL 23, 2010

Agenda

  • Current landscape
  • Legal environment
  • Framework to protect data
  • Common data privacy weaknesses
  • Gauging risks at a high level
Current Data Privacy Landscape in Hospitality
  • “Hackers are now stealing credit-card data from hotels more often than any other industry.”
    • Wall Street Journal, March 18, 2010
  • A major forensic investigative company stated that 38% of its data-breach investigations in 2009 occurred at hotels.
  • Hackers are finding industry-specific weaknesses and exploiting them.
  • To prevent this, it is recommended that hotels follow the data-security standards established by the PCI Security Standards Council.
Data Privacy Landscape (cont’d)
  • Historical under-investment in information security
  • Nature of the business makes it susceptible
  • Current economic conditions placing more emphasis on revenue generation and cost cutting
  • PCI compliance more aggressively pursued by merchant banks
  • Regulatory environment becoming more onerous

Global Privacy/Data Protection Laws, Regulations & Standards

European Union: EU Data Protection Directive and Member States Data Protection Laws

The Personal Information Protection Act, The Anti-Spam Act (jurisdiction not given)

US Federal: HIPAA, GLBA, COPPA, Do Not Call, CAN-SPAM Act, Safe Harbor Certification

Hong Kong: Personal Data Privacy Ordinance

US State: 46 Breach Notification Laws

Personal Data Protection Law, Confidentiality of Information Law (jurisdiction not given)

South Africa: Electronic Communications and Transactions Act

Federal Privacy Amendment Bill, Spam Act (jurisdiction not given)

State Breach Notification Laws

Breach notification laws are in effect in nearly all states, requiring disclosure to customers when personal information is compromised.

45 states, plus DC, PR & VI. No law in Alabama, Kentucky, Mississippi, New Mexico & South Dakota.

Common requirements:

Notice to affected individuals of unauthorized access to personal info (credit card number, SSN, driver's license, account number, medical info, health insurance, together with the name).

Trigger: when the company knows or “reasonably believes” there has been a security breach, i.e. unauthorized acquisition of unencrypted personal info.

Notice must be prompt, without unreasonable delay.

Delay is permitted if notice would impede a criminal investigation, or to allow the company to determine the extent of the breach and take action to restore security.

State Breach Notification Laws


AR, DE, IN, NV, ND, and NY – include medical data, last 4 of SSN, employer ID, mother’s maiden name, signature or biometric data as a trigger.

AR, NV and TX require reasonable security measures. Encrypted data is not exempt in NY and MN.

AR, MT, NV, NYC and TX impose a duty of secure destruction.

NV – businesses may not transfer covered data without encryption unless internally or by fax (10/1/08).

Some states impose additional reporting obligations to consumer reporting agencies, the Office of the AG, or the Dept. of Consumer Affairs/Protection, plus specific language or notice regarding credit agencies.

Contacting the credit card companies and acquirers is always required.

TJX – several states discuss holding merchants liable for costs associated with breaches of credit card data while in the possession of the merchant. Still waiting for a Federal regulation.

International Breach Notification


File with the appropriate Privacy Commissioner's Office

Containment & Assessment

Evaluate the Risk

Potentially required to provide notice to affected customers

Remediation and Prevention


Enacted (member states have 18 months to implement)

Effective May 2011

Applies to ISPs & telcos

International Breach Notification

Member States - Germany

Notify if the incident "threatens significant harm" to the rights and protected interests of an individual.

Notification must be provided "immediately" after measures have been taken to secure the data and ensure criminal investigations will not be adversely affected.

The notice requirement is limited to a breach of sensitive data (bank or credit card information, or information that is subject to professional or official confidentiality protections).

Germany requires only a single trigger for notification, while most U.S. state statutes require two (name, plus a sensitive data element).

Delivery of breach notices: where a large number of individuals are affected and individual notification would be too burdensome, notice may be made by at least a half-page advertisement in at least two daily national newspapers, or other means providing similar exposure.


Costs of a Data Breach

  • Forensic experts
  • Sending notification letters
  • Credit monitoring service
  • Call center to handle questions
  • Legal fees
  • Lost productivity of employees that are part of the incident response effort
  • Credit card company fines and assessments
  • Potential FTC settlements
  • Loss of customer, public and regulator trust
  • Recently released Ponemon Institute study disclosed cost of $204 per record

The FTC is also an Enforcer

  • Focuses on “unfair” or “deceptive” trade practices
  • Settlements:
    • Range from tens of thousands to millions of dollars.
    • Include agreement by the company to independent oversight of its information security program for 20 years.

“Privacy is a central element of the FTC’s consumer protection mission.”


Massachusetts Data Privacy Regulation

Companies that hold any personal information about Massachusetts residents are required to develop security policies conforming to the Massachusetts standard, including encryption of personal information on laptops, new certifications from service providers, and amended outsourcing deals.

In August 2009, the Office of Consumer Affairs and Business Regulation filed amended regulations with major changes including:

Compliance deadline of March 1, 2010

Apparent incorporation of FTC standards under GLBA, allowing for a risk-based approach to data security and consistency with Federal law and statutory intent

Removal of prescriptive technology requirements

Removal of some requirements for the written security program

Third-party contracts entered into prior to March 1, 2010 have until March 1, 2012 to be amended to include appropriate security measures

If technically feasible, backup tapes must be encrypted on a go-forward basis, including creation of new backup tapes and movement of old backup tapes (e.g., from storage back to the company facility). If not technically feasible, appropriate steps should be taken to secure and safeguard the PII based on the sensitivity of the information, the amount of PII, the distance traveled, etc.

Nevada Encryption Law

In October 2008, Nevada became the first U.S. state to enact a law that specifically requires encryption for all external electronic transfers of customers’ personal information — rather than referring to “reasonable security procedures and practices” to protect data.

Encryption means* “the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:

Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;

Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or

Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.”

Washington Law

New addition to the Washington State breach notification law imposes additional liability in payment card breaches.

Effective July 1, 2010, certain companies processing payment card transactions may be liable to financial institutions for the costs associated with reissuing cards after the company experiences a breach.

The law intends to encourage the reissuance of cards thereby mitigating the potential harm which could be caused by a security breach and applies to:

Businesses - “processes more than six million credit card and debit card transactions annually, and who provides, offers, or sells goods or services to . . . residents of Washington.”

Processors - “directly processes or transmits [payment card] account information for or on behalf of another person as part of a payment processing service.”

Vendors - “entity that manufactures and sells software or equipment that is designed to process, transmit, or store [payment card] account information or that maintains account information that it does not own.”    

The new law is triggered if a business or processor fails to take reasonable security measures to protect against unauthorized access to account information thereby causing a breach. The business or processor will be liable to the relevant financial institution for the costs of reissuing payment cards to Washington residents to mitigate “potential current or future damages”. Likewise, a vendor will be liable to the financial institution for such costs if such damages were caused by the vendor’s negligence.

HOWEVER, there are two exceptions, there shall be no liability if (1) the account information is encrypted; OR (2) if the company’s PCI DSS compliance was validated by an annual security assessment within the past year prior to the breach, even if such security assessment is subsequently revoked.

Framework for Protecting Customer & Employee Data

Legal compliance - International & Domestic laws and regulations, government agencies – FTC –practices, Industry standards - PCI, etc.

Corporate Public & Internal Policy Development and Implementation - on and off line



Work with corporate offices & various departments – marketing, development, security, etc. advising and providing strategic guidance on ensuring privacy of customer & employee data through legal and policy compliance

Business and partner contracts – include privacy & security provisions

Monitor systems, operations, programs and marketing

Conducting new initiative assessments

Periodic review of laws and regulations and their potential effect on company policies and procedures

Policies & Procedures

Who should the policies apply to:

Employees, Consultants, Contractors and any one with access to customer or employee data.

What should the policies govern:

Collection, Use, Access, Monitoring, Disclosure, Transfer and Storage of data and company systems.

What systems/technologies should the policies apply to:

All company servers and systems, personal computers, e-mail, IM, PDAs, telephones, cell telephones, voice mail, fax, intranets, wire services, on-line services, the Internet, etc.

Data Loss Prevention

Data Leakage

The movement of a data asset from an intended state to an unintended, inappropriate, or unauthorized state, representing a risk or a potentially negative impact to the company.

Locate all sensitive information

A key challenge is being able to accurately identify relevant data at all key locations (stored data, laptops, network, message server). Many companies do not know where such data is, who has access to it, and what the company and its employees are doing with it.

Control and protect all sensitive information

There are many ways to misuse and lose sensitive data. Companies must control and protect sensitive data in order to meet legal, regulatory and company policy compliance obligations.

Report and remediation

IT and Security teams need a system that allows the quick identification of real violations and trends without wasting time and resources on valid business activity.
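The three DLP steps above (locate, control, report and remediate) are easier to judge in working form. What follows is an added example, not code from the presentation or from Starwood or Navigate LLC: a small Python discovery scanner that walks a constructed in-memory corpus standing in for file shares, laptops and message stores, flags candidate payment card numbers and US SSNs, applies a Luhn check so that order numbers and other number-like noise do not show up as "real violations", and masks every value it reports so the findings log cannot itself become a leak. The file paths, their contents and the `Finding` record are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Candidate card number: 13-19 digits, optionally separated by single spaces or
# dashes, not glued to other digits. The Luhn check below filters false matches.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# US SSN in AAA-GG-SSSS form, excluding values the SSA never issues
# (area 000/666/9xx, group 00, serial 0000).
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every genuine payment card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show at most the first 6 and last 4 digits (the PCI DSS display limit)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    location: str  # where the data lives (share path, laptop, mailbox ...)
    line: int
    kind: str      # "PAN" or "SSN"
    masked: str    # never the raw value: the findings report must not leak


def scan_text(location: str, text: str) -> list:
    """Return masked findings for one document."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):  # drop Luhn failures: order/confirmation numbers
                findings.append(Finding(location, lineno, "PAN", mask_pan(digits)))
        for m in SSN_RE.finditer(line):
            findings.append(Finding(location, lineno, "SSN", "***-**-" + m.group()[-4:]))
    return findings


def scan_corpus(corpus: dict) -> list:
    """Scan every location; corpus maps a location label to its text."""
    results = []
    for location, text in corpus.items():
        results.extend(scan_text(location, text))
    return results


def summarize(findings: list) -> dict:
    """Count findings per location, the view a remediation owner needs first."""
    counts = {}
    for f in findings:
        counts[f.location] = counts.get(f.location, 0) + 1
    return counts


# Constructed sample corpus (not real data): a front-desk authorization form
# left on a share, an HR export on a laptop, and an invoice whose order number
# looks like a card number but fails the Luhn check.
SAMPLE_CORPUS = {
    "share/frontdesk/auth_forms_2009.txt":
        "Guest: J. Doe  Card: 4111 1111 1111 1111  Exp 12/11\nTel 914-555-0100",
    "laptop/hr/payroll_export.csv":
        "name,ssn\nA. Smith,123-45-6789",
    "share/accounting/invoice_771.txt":
        "Order 1234567890123  Total $50.00",
}

if __name__ == "__main__":
    for f in scan_corpus(SAMPLE_CORPUS):
        print(f"{f.kind} at {f.location}:{f.line} -> {f.masked}")
    print(summarize(scan_corpus(SAMPLE_CORPUS)))
```

On the constructed corpus the scanner reports one card number on the front-desk share and one SSN on the HR laptop, and stays silent on the invoice: the 13-digit order number matches the pattern but fails Luhn, which is exactly the "valid business activity" noise the slide warns against. In a real deployment the corpus would be fed by crawling the file shares, endpoint disks and mail stores listed under "Risk Management Challenges", and the masked findings would go to the IT and security teams for remediation.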

Breakdown of the Risk

As data is processed, data leakage may occur resulting in the following significant risks to a company:

Financial Damages

Financial damages may include asset loss, replacement, management time, public relation, shareholder value, etc.

Legal & Regulatory Compliance Risks

Non-compliance may have serious impact on ongoing operations

Damage to Reputation

The impact on brand and reputation can be worth more than the direct value of the potential damages.

Operational Risks

Disruption of service, business operation, system outages, etc.

Privacy Risks

Failing to notify of an incident has serious long-term brand and legal consequences.

Numerous U.S. and international privacy and data protection regulations, including the EU-DPD, GLBA, HIPAA, and breach notification laws.

Contractual Agreements Data Management with Third Parties

Data protection through contracts with outsourcing, marketing agreements, and vendor relationships that involve data transfer across organizational, geographic, and system boundaries

Data transfer across geographic borders

Vendors or Partners may expose sensitive data to their third parties agents and contractors

Granting vendors access to a Company’s sensitive data and processing environments

Existing contracts may carry a risk of data leakage and misuse by third parties

Inconsistent implementation of privacy practices among independent organizations

Who has responsibility and associated liability for data protection?

Contract language and internal auditing of those contracts

Contractual Agreements Data Management with Third Parties

Contractual Requirements

Data ownership v. Usage rights

Usage restrictions and confidentiality

Security requirements:

Maintain appropriate technical and organizational measures to protect data

Take all necessary steps to ensure security of systems that process data

Protect against unauthorized, unlawful or accidental access, disclosure, transfer, destruction.

Breach notice requirements and government/regulatory agency investigative notice requirement, or disclosure due to subpoena, court order, etc.

Disclosure only to those with a business need to know, third party vendors must have same terms in a written agreement.

Vendor responsible for actions of employees, agents, consultants, subcontractors, anyone with access to data.

Audit rights, certification (breach of contract claim)

Secure data destruction, disaster recovery.

Legal and Privacy Policy compliance

Survivability and assignability


Guidelines regarding the collection, processing, use, transfer, storage and retention of customer data for marketing purposes.

List the specific data fields that may be used for specific situations when customer data is captured:

Ordering products or services (online, call centers, in person, catalog, etc.)

Loyalty program registration

Marketing sign-up

Contest entry

Who may have access to such data: only those employees with a business need to know

Include secure transfer and storage guidelines:

No Excel spreadsheets!

Printed copies in locked file cabinets in locked offices

Reference Data Management Policies for retention requirements

Contact management strategy:

Number of times a month/year a customer may be contacted

Specific promotions

Creative content review & approval process

Co-Branded & Partner Marketing

Avoid sharing lists directly with marketing partners, including the opt-out list

Use a third-party mail house

Both parties create the creative with equal use of branding, or, for companies that do not collect consents for third-party marketing, consider having significantly more company branding with reference to the co-branded partner's name, logo and offer.

Provide the creative to the mail house with the appropriate company's (or companies') recipient list, excluding opt-outs (unless the mail house will remove opt-outs)

Send the marketing piece soon after the list is provided to the mail house: a customer who opts out after the list was pulled is still on the list the mail house holds, and a long gap risks mailing that customer in violation of CAN-SPAM.

If both companies' lists are being provided, have the mail house conduct a “bump up” of the lists to remove duplicates.

Co-Branded & Partner Marketing

Ensure CAN SPAM requirements are met

Appropriate company name, address and opt out is provided

Under the revised CAN-SPAM rules, a co-branded marketing partner may be held liable for its partner’s non-compliance with CAN-SPAM.

Therefore, ensure proper contractual requirements are in place, such as requiring a warranty and representation that the partner company has all the necessary consents and permissions from the intended recipients to send such marketing communications and will indemnify its co-branded partner.

Common Weaknesses at Hotels

Unsecured Credit Card authorization forms

Imposters on the phone or on property

Use of commonly known default passwords

Poor physical security over the computer room or computer servers

Use of default user IDs and passwords

Systems intrusions by hackers (organized crime)

Common Weaknesses at Hotels
  • Old registration cards with credit card data
  • Unsecured laptops with personally identifiable information
  • Paper records with personal information that are discarded without shredding
  • Credit card skimmers and key loggers
  • Insecure disposal of laptops/desktops/servers
Risk Management Challenges
  • PII can be in many locations – paper and electronic
    • Laptops, Flash drives, CDs
    • BlackBerrys, iPhones
    • Homes of teleworkers
    • Third party service providers
    • Contractors of third party service provider
  • Potential resistance to business process and/or technology changes
  • Limited staff and resources to assess and mitigate risk
  • “It won’t happen to me syndrome”

Gauging Your Client’s Risk at a High Level

  • Are there adequate experienced resources dedicated to this area?
  • Are the necessary activities being focused on?
    • Policies and procedures
    • Training
    • Communications
    • Information inventory
    • Risk Assessment
    • Monitoring new threats and legal requirements, etc.
  • Is there a current risk assessment?
    • Does it include all the places PII is contained?

Gauging Your Client’s Risk At a High Level (cont’d)

  • Is senior management aware of the risks?
  • Are remediation plans prepared and implemented?
  • Have insurance options been considered?
  • Is the residual risk documented and approved by senior management?
  • Is there an effective process to manage information protection and privacy risks and legal requirements on an on-going basis?

Tracy Pulito

Starwood Hotels & Resorts

(914) 640-8118


Chris Zoladz

Navigate LLC

(240) 475-3640