The past year was a big year for data breaches in the hotel industry, and industry experts say there’s no sign of it stopping any time soon. That means hoteliers not only need to work on prevention, but they also need protection in case an attack does occur.
Panelists in the session “Nailing down responsive cyber coverage that responds to hospitality industry risks” at February’s Hospitality Law Conference told attendees that everything about the current digital age that makes it great, such as connectability and massive data storage, also makes it a risk.
Attempting to list all of the data breaches in the past 12 months would overwhelm the presentation screen, said Joshua Gold, a cyber-insurance attorney at Anderson Kill, and the problem continues to grow.
“It’s getting worse, not better,” he said.
Insuring for different scenarios
Darin McMullen, an attorney at Anderson Kill, said there are four overlapping causes of data breaches at a company:
- Accidental internal breaches, a common cause, occur when an employee loses a device with company business data on it, which might then fall into someone else’s benign or malicious possession.
- Accidental external breaches occur through third-party vendors or subcontractors who have access to a company’s system or network. While they’re not trying to compromise their client’s security, they may cause harm through their own negligence.
- Intentional internal breaches happen when a disgruntled employee creates the breach. This can be a common problem in hospitality where turnover can be high. Employees don’t necessarily have to be high-level to access sensitive data.
- Intentional external breaches are the more traditional hacking events caused by criminal organizations or hacker activists, or hacktivists.
“Some you have control over; some you have virtually no control over,” said McMullen, who added that hoteliers should review their insurance options to protect against different risk exposures.
Gold said he’s working on an insurance claim for a client who had a former employee introduce malicious code into the company’s system. The code fried every controller, he said, causing physical damage to real pieces of hardware. For a networking company, this was a huge loss.
“The insurance company is saying electronic commands can’t cause real property damage,” he said. “It is covered under the literal language, but they don’t want to set that precedent. We will have to sue them.”
When looking for different cyber-insurance policies, Gold said, it’s important to keep in mind all the potential scenarios, because some policies have provisions that exclude what hoteliers might need and assume is included, such as the physical damage in his client’s case. He said hoteliers should work with a savvy broker who specializes in cyber-insurance packages. There are so many different primary forms out there, he said, and they can change every three to four months based on what clients face.
Prepare for disruption
Referring to recent data breaches at Sony and online dating site Ashley Madison, Gold said not every hacker is after customer credit card information or personally identifiable information.
“These are breaches where the hackers didn’t want the money,” he said. “They had a cause. They wanted to shut down Ashley Madison right before their IPO. They’re not looking for credit cards. They just want to come in and basically take down your business.”
Insurance policies can respond well to loss of credit card data, Gold said, but hacktivists can cause damage that liability insurance might not cover. With just liability coverage, the insurance company could argue that any loss of income after a hacking event could be from another cause, such as a downturn in the economy, he said. In that case, companies would need coverage that deals with business interruptions, which is sometimes sold under the guise of reputational coverage.
“You have to look at what your peril is, who your potential enemies are,” Gold said. “If it’s about money, insurance can work in a straightforward way with a good broker. If it’s because of a cause and they want to bring you down, it may necessitate a different insurance product.”
Timing it right
Stats show that as many as 70% of data breaches are undetected, according to Heather Wilkinson, EVP of insurance and a senior broker at Willis Towers Watson. It can take most companies as long as 200 days before they find malware in their systems, she said. If a company can purchase a policy with one year of retroactive coverage, she recommended getting it.
“If you’re purchasing it today and you discover malware on there that originated six months ago, you won’t have coverage without the retro policy,” she said.
Many times data breaches only become known after information hits the dark Web, which is when customers see charges popping up on their cards, Wilkinson said. They point to the last times they used the cards, and then forensic teams start looking over the systems.
“Sometimes it’s worse than that,” she said. “Sometimes the FBI says, ‘You have a problem. We need to talk.’”
Wilkinson said premiums are going up for cyber insurance. Companies that didn’t buy it two to three years ago are now shopping around, and the prices have increased for the same products they considered years before.
“The market is reflective of what is being paid out in the industry,” she said.