By Alaap Shah and Marshall Jackson
Data is going digital, devices are going mobile, and technology is revolutionizing how companies operate. It seems to be business as usual, as your hospitality company continues to collect, use and transmit large amounts of sensitive data to operate the business. You have even taken measures to help guard against the “typical” risks such as lost laptops, thumb drives and other electronic devices. However, unbeknownst to you, hackers sit in front of their computers looking for ways into your network so that they may surreptitiously peruse confidential financial records and sensitive consumer and employee information.
Unfortunately, this scenario is commonplace, and brings with it hefty costs. To the extent personally identifiable information (“PII”) or electronic protected health information (“e-PHI”) is compromised in a cyber security breach, hospitality companies can expect to spend on average $114 per record to clean up the problem. As operations digitize, hospitality organizations should be cognizant of the cyber security risks impacting the data that flows through their systems. Further, hospitality organizations need to understand how to assess and manage these risks to meet the requirements under applicable state and federal privacy and security laws, including the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”).
The facts of “cyber” life…
The hospitality sector continues to be a primary target for cyber-attacks. Reports show that in 2012, the retail, food and beverage, and hotel industries were the top three targeted industries for data breaches, at 45%, 24% and 9% respectively. External attacks constitute the majority of data breaches, with 92% attributable to outsiders and 14% committed by insiders (the categories overlap, since some breaches involve both). In fact, hacking was a factor in 52% of data breaches. Moreover, studies show that in the last year 12.6 million people have fallen prey to identity theft as a result of data breaches.
Even given what we know, much about cyber security breaches remains uncertain, for two main reasons:
1. Most cyber security breaches go undetected; and
2. Many cyber security breaches go unreported.
Across all industries, one report asserted that approximately 69% of cyber security breaches go undetected. Of those breaches that are eventually detected, 94% go unnoticed for months or longer before finally being discovered. Yet there is one certainty in this climate: there are only two types of organizations, those that have already been hacked and those that will be at some point.
Why cyber security is important now more than ever…
Recently, the increased risk of data breaches has brought increased scrutiny. Federal agencies such as the Department of Justice and the Federal Trade Commission, as well as state attorneys general and departments of health, have all turned their focus and resources to enforcement in the context of data breaches. In particular, when e-PHI is involved, the Department of Health and Human Services Office for Civil Rights (“OCR”) has responded to data breaches by aggressively enforcing HIPAA, which reinforces that compliance with HIPAA requirements is a top priority. Notably, the HIPAA breach notification rule was amended to lower the reporting threshold from a “risk of harm” standard to a “probability of compromise” standard. As a result, the hospitality industry will likely see increased breach reporting when e-PHI is affected, which can in turn result in increased enforcement for noncompliance. This is bad news for hospitality companies because penalties for noncompliance with HIPAA have also been ramped up under the HIPAA Final Rule promulgated under HITECH.
The FBI has also increased its role in investigating cyber security breaches. For example, in October 2013, the FBI opened an investigation of a cyber security breach affecting a network of hospitals and clinics, in which someone gained unauthorized access to the medical records of up to 1,800 patients.
The FBI has recognized that collaborative efforts are needed to solve the cyber security problem. These include investigating insider threats, detecting external threats, and informing the health care industry of cyber security threats. However, even with these collaborative efforts, hospitality organizations must be cognizant that assistance from the FBI could lead to increased scrutiny about the organization’s security practices.
With an increased focus on data breaches under privacy and security laws, hospitality organizations don’t want to be the last to know how their protected data is being compromised. Failing to understand the organization’s cyber security threats can:
- Harm patrons, because it can lead to identity theft;
- Harm the organization, because regulators may use that failure as evidence of noncompliant security practices;
- Damage the organization’s reputation; and
- Lead to noncompliance with reporting obligations under privacy and security laws.
Given the current focus on cyber security, proactive cyber security risk management is the best approach to ensure compliance with privacy and security laws.
What can you do…
The stakes are getting higher regarding cyber security. However, there are several steps hospitality organizations can take to protect against cyber security data breaches. Further, taking these steps can protect hospitality companies in the context of increasing investigatory activity by state and federal agencies.
First, organizations should conduct periodic risk analyses to determine cyber security related risks. The risk analysis can help organizations to:
- Identify key systems and locations;
- Determine where protected data is located;
- Identify vulnerabilities and threats;
- Evaluate security safeguards; and
- Evaluate risk to protected data.
Second, hospitality organizations should evaluate whether the draft cyber security framework established by the National Institute of Standards and Technology (“NIST”) can improve the organization’s risk management process. The NIST cyber security framework contains five core elements, which help an organization:
- identify critical infrastructure,
- protect the organization’s critical infrastructure using appropriate safeguards,
- detect cyber security events,
- respond to cyber security events using pre-defined and prioritized activities, and
- recover from cyber security events to restore critical infrastructure.
The framework’s core elements further subdivide into categories and subcategories and provide cross-references to a number of different standards from industry and government that address each subcategory within those functions. Hospitality organizations can review these references and select the standard that best addresses the organization’s particular needs. Note that the cyber security framework is currently open for public comment, which means the components may change when the framework is finalized.
Ultimately, as the hospitality industry continues to digitize, organizations must be cognizant of the cyber security risks affecting their networks, systems and data. Further, as the number of cyber security related breaches increases, hospitality companies must prepare to identify and report such breaches as required by privacy and security laws. To avoid the pain and cost of recovering from a breach, and of paying hefty fines for noncompliance, hospitality companies should proactively leverage risk analyses (potentially incorporating the NIST cyber security framework) to identify, prioritize, mitigate and monitor risk affecting protected data.