Hotel Franchises & Cyber Attacks: Who is responsible for cyber security measures?

Posted 20/03/19

Over the last few years, cyber attacks and data security breaches have occurred at many high-profile companies.

One of the biggest hotel chains we’ve seen fall victim to an attack is HEI Hotels, the group responsible for Marriott, Starwood and Hyatt hotels. In a nutshell, malware was found on HEI’s systems affecting 20 U.S. hotels and, although the malware was eventually spotted (a staggering 15 months after systems were first infiltrated), the group found that it could potentially have harvested payment card data from more than 20,000 food, drink and other transactions.

This breach at HEI followed a series of similar attacks at Hyatt Hotels Corp (H.N) and Starwood Hotels & Resorts Worldwide Inc (HOT.N) over the same period. So why is it that hoteliers and hotel groups seem to be so vulnerable to cyber attacks?


Every data collection touch point is a potential Achilles heel

As we covered in a previous post, hotels, unlike other industries, have a very specific set of vulnerabilities and challenges when it comes to cyber security. This is largely due to the way in which many of these chains operate. With a huge amount of data and cash collected and processed at numerous touch points every day, your business is more exposed than most to a breach. Potentially worse still, being part of a franchise or group can add a further layer of complexity to your business, with data processed and shared among the group.

Liability, however, depends upon the specific contract between the hotel chain franchisee and the hotel chain group. Each individual property that is part of the chain will have a separate contract with the group that is specific to that property, even if one franchisee owns multiple properties. In this post we outline everything you need to know about cyber attack liability as the owner of a hotel franchise.

An industry that is becoming increasingly vulnerable and making headlines for the wrong reasons…

According to Verizon’s Data Breach Investigations Report, the hotel and restaurant industry recorded 33% more breaches and incidents in 2018 than in the previous year. This data also illustrates more of the same financially motivated point-of-sale (POS) breaches, namely POS interceptions, that we have seen dominate the industry previously. These serious financial data breaches account for 90% of all breaches.

For many years, the hotel industry as a whole has fallen quite far behind in terms of cyber security, and this has been well reported. As well as the reputational damage, the legal implications are also not to be sniffed at, particularly with the implementation of the new General Data Protection Regulation (GDPR) last year. So, as a hotel owner, now more than ever before you need to step up your game. Hotels like yours can now face fines of up to 4% of global turnover. So, who would take responsibility for a cyber security incident, along with payment of any fines?

Who is responsible for cyber security in a hotel franchise?

With several different parties involved within your hotel franchise, responsibility could lie with yourself - the franchisee, your property management company, the hotel group, or perhaps all of the above to some extent.

When becoming a hotel franchisee, you are agreeing to take on responsibility for maintaining the reputation of the brand. After all, there are key consistencies that each franchisee must stick to in order to represent the brand accurately. This should be no different when it comes to cyber security. However, it appears that too few hotel groups implement strong cyber security measures into their franchisor contracts.

Because of the sense of security that being part of a franchise offers, all too often as an individual franchise owner, you won’t think about cyber security as a priority, as your bookings, payment processing and various other systems are likely managed by the wider hotel brand and their bespoke software or chosen software provider. Because of this, as an individual you don’t physically collect or store any personal customer data. If your independent property uses third-party systems, the third party will rarely take responsibility and this would instead fall on you as the owner of the establishment.

You should be aware that as the owner of a business, you are obligated to abide by any law that is relevant to you, and should take measures in order to protect all of the information that enters your hotel business.

The definitive responsibility is difficult to determine, as each party involved in the running of a business has some accountability for letting the business become compromised. This is why it is incredibly important to be fully prepared to prevent an attack. Do you have a specific cyber security clause in your franchise contract?

However, if this unfortunate incident does occur in your hotel franchise, there are certain measures that can be put in place to help lower the costs that will be incurred by a breach or attack.

How can a hotel franchise prepare for a breach or attack?

In order to prepare for an attack, it’s important for hotel groups and hotel franchisees to have some form of cyber security insurance. Without such insurance, the costs incurred can be detrimental to the business and could lead to financial difficulty or even cause the business to close.

When a hotel suffers from a data breach, not only does it affect the physical aspects that have been compromised but there are far more losses to account for too. If your business is unable to operate as normal, then you lose profits that you would have otherwise made. The reputation of the hotel is also damaged and loyal customers feel their trust in the brand has been tarnished. New customers are also likely to be wary of investing their money with such a hotel. After all, it is the customer’s personal and important identifiable details that have been compromised.

There are many ways in which a cyber security incident can cause damage to your hotel business and it isn’t worth the risk. Hotel groups and property management companies should take responsibility for ensuring that you as a hotel franchisee have all the information required to competently understand the threats posed by cyber criminals. This should be made a contractual obligation for all parties involved, with the importance of cyber insurance written in.

Depending on the extent of a breach or attack, costs can be staggeringly high. Don’t leave your business at risk. Safeguard your business from cyber security threats by implementing high-standard insurance cover. Get your no-obligation quote for Cyber+Insure today.
