Less than a year ago, Marriott had to admit its data had been hacked, leading to the release of information on about 500 million guests worldwide. And by summer, Capital One was in the news for a similar reason.
Now, hotel guests say they’ve had enough. Hotel Management notes that more than 22 million U.S. travelers self-report as being the victim of a cyberattack through their business with hotels, according to the Morphisec 2019 Hospitality Guest Threat Index. The index also found 70 percent of travelers don’t believe the hotels they stay at are investing enough in cybersecurity. Almost 50 percent say their trust in a hotel’s cyber defenses influences whether they book a stay with them.
The level of comfort (or discomfort) is also tied to athletes’ and their families’ use of credit cards onsite in a hotel. Almost 60 percent of consumers believed that restaurant point-of-sale systems were the most susceptible to cyberattacks within the hospitality industry. Another 40 percent believed Wi-Fi breaches pose the most significant threat during their hotel stay. (Worth noting: earlier this year, Morphisec discovered FIN8, a cybercrime group best known for targeting the retail industry, was actively targeting POS systems within hospitality companies in the U.S. and abroad.)
Hotel Management’s article says the U.S. Department of Commerce believes hotels could do far more to protect guests. Following the Marriott breach, U.S. Commerce Secretary Wilbur Ross noted that “many companies have been scrimping on the cybersecurity budget” — both in the hospitality sector and beyond.
It’s a hard place for event owners to be. They’ll certainly be subjected to complaints if there’s a data security breach – although it won’t be their fault. One thing they can do in advance – not to avoid it but to guard against financial damages from it – is make sure appropriate insurance is in place. Insurance companies that specialize in planned events, such as sports, often offer special coverage for those who want to guard against damages, according to Lorena Hatfield, marketing manager for K&K Insurance, who noted, “Cyber liability insurance does exist; K&K includes it in some, but not all of their program coverage but we really aren’t the experts and don’t offer it as a ‘stand alone’ policy as other insurance companies do.”
So knowing people are uncomfortable, and knowing that travel sports are not the only option for athletes (high school teams will be more than happy to take on youth athletes), what can event owners do to try to put safeguards in place?
A number of sites list best practices for enhancing cybersecurity when traveling; sites such as Gravoc list steps individuals can take prior to departure, and while on the road.
Nic Collins of HBC Event Services noted in a recent article in Sports Destination Management that event owners who have data breach concerns, and who are considering using a housing service to take hotel reservations, “should make sure to ask about PCI compliance. The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.”
With the proper insurance and with a PCI-compliant housing bureau, event owners can turn their attention to the workings of their event. They should, however, be prepared for a breach, just in case, and should have a plan set up to deal with it. The Federal Trade Commission has provided a full action plan. A few of the key points are as follows:
- Make sure your professional cybersecurity company is aware of the breach immediately. Follow their instructions, such as changing passwords and locking access to computers where information has been stored.
- Notify your legal counsel without delay and follow recommendations.
- Notify law enforcement and ask to be connected to the appropriate department to handle the matter.
- Contact your insurance provider, who may need a copy of the police report.
- Consider providing information about the law enforcement agency working on the case, if the law enforcement agency agrees that would help. Identity theft victims often can provide important information to law enforcement.
Always have a communications plan set up in advance to reach out to all those whose records you have kept: This will lay the groundwork, should you need to get the word out about a data breach in the future.
The action plan will communicate the news of the breach to all those affected, including not just athletes and their families but vendors, employees, customers, investors, business partners, athletic trainers, sports commissions, convention and visitors’ bureaus and other stakeholders. (The FTC link includes a sample letter that can be sent out.) Anticipate questions that people will ask and create a FAQ section.
Information acknowledging the breach should be posted on your website as soon as it is finalized. Good communication up front can limit concerns and frustration, and could be helpful in efforts to save time and money.
Among the information that should be posted:
- A description of the breach, including the fact that certain records may now be at risk.
- Significant dates: When did the breach occur? Is there any way of knowing which records were compromised?
- Tell people what steps they can take, given the type of information exposed, and provide relevant contact information. The FTC advises that people whose Social Security numbers may have been stolen should contact the credit bureaus to ask that fraud alerts or credit freezes be placed on their credit reports. The IRS Identity Protection Specialized Unit can also be reached at 1-800-908-4490. See IdentityTheft.gov/databreach for information on appropriate follow-up steps after a compromise, depending on the type of personal information that was exposed.
- Include current information about how to recover from identity theft. For a list of recovery steps, refer consumers to IdentityTheft.gov.
- Encourage people who discover that their information has been misused to file a complaint with the FTC, using IdentityTheft.gov. This information is entered into the Consumer Sentinel Network, a secure, online database available
- Describe how you’ll contact consumers in the future. For example, if you’ll only contact consumers by mail or via a direct e-mail from a specific address, then say so. If you won’t ever call them about the breach, then let them know. This information may help victims avoid phishing scams tied to the breach, while also helping to protect your company’s reputation. Some organizations tell consumers that updates will be posted on their website. This gives consumers a place they can go at any time to see the latest information.
Above all, don’t delay in releasing information to those affected. Gather all information as quickly and efficiently as possible and refer to your communications plan. Having a plan and being able to follow it will provide the best possible road map through the troubled time ahead.