The Hospitality sector and data breaches
27th July, 2018
The hospitality sector is an industry built on collecting customer data through many different points of contact. Holding this personal data makes hospitality businesses attractive to cyber criminals, who can steal payment and identity information.
In particular, the most vulnerable part of the hospitality industry is accommodation. This is because of the number of ways hotels make contact with their customers, such as online reservations, loyalty programmes connected to credit and debit cards, card payments at the front desk and online, and onsite purchases.
Whilst hotels are the most vulnerable, all hospitality businesses have a higher exposure. This is due to two main reasons:
1. Point of Sale – this sector relies heavily on Point of Sale terminals, whether this is a card machine, mobile and tablet payment systems and apps, online and ecommerce payment systems or self-service kiosks. Important information is collected here, including name, card details, address, date of birth and more.
2. The use of third parties – a lot of hospitality businesses use third parties on behalf of their customers, such as booking flights and car hire, ordering caterers, and offering additional services through another company. These third-party companies tend to be smaller brands, perhaps with less data security in place.
Whatever the size of your hospitality business, it is important to have security procedures in place, as businesses of all sizes are exposed to data breaches.
The following guidance can help reduce the risk of a data breach for your hospitality business:
· Regularly change passwords and choose passwords that are not easy to guess
· Keep guest Wi-Fi separate from the business Wi-Fi network – Keeping the two entities separate means that there is less chance of a cybercriminal posing as a guest to access data
· The new data protection law states that businesses across all sectors must have a process for regularly testing and evaluating the effectiveness of their data security – regular testing will not only show you weak links in your data collection processes but can highlight anything unusual quickly
· The new law requires there to be a lawful basis for processing personal data – therefore customers must be given a clear option to opt in
· Personal customer data should only be kept for as long as it is needed for the reason it was collected – if customer information is no longer required for business purposes, it may be good practice to remove it from your system to reduce the risk of it being stolen.
The new data protection law and cybercrime must be taken very seriously in order to protect not only your customers, but also your business reputation and profits. A cyber-attack can cost a business thousands of pounds in recovery, and not complying with GDPR can cost a business €20m or 4% of turnover, whichever is higher.
At Routen Chaplin, we provide Leisure, Hospitality and Catering Insurance for all kinds of business within this sector, including Hotel Insurance. This is coupled with our expertise in cyber security and data protection.
Do not hesitate to contact a member of the team for further information or assistance with your insurance cover.