The past year was a big year for data breaches in the hotel industry, and industry experts say thereâ€™s no sign of it stopping any time soon. That means hoteliers not only need to work on prevention, but they also need protection in case an attack does occur.
Panelists in the session â€œNailing down responsive cyber coverage that responds to hospitality industry risksâ€ at Februaryâ€™s Hospitality Law Conference told attendees that everything about the current digital age that makes it great, such as connectability and massive data storage, also makes it a risk.
Attempting to list all of the data breaches in the past 12 months would overwhelm the presentation screen, said Joshua Gold, a cyber-insurance attorney at Anderson Kill, and the problem continues to grow.
â€œItâ€™s getting worse, not better,â€ he said.
- For more from the Hospitality Law Conference, read how hoteliers can prepare for the likelyÂ changes to overtime exemptions.
Insuring for different scenarios
Darin McMullen, an attorney at Anderson Kill, said there are four overlapping causes of data breaches at a company:
- Accidental internal, a common cause of breaches, occurs when an employee loses a device with company business data on it, and it might fall into someone elseâ€™s benign or malicious possession.
- Accidental external breaches occur through third-party vendors or subcontractors who have access to a companyâ€™s system or network. While theyâ€™re not trying to compromise their clientâ€™s security, they may cause harm through their own negligence.
- Intentional internal breaches happen when a disgruntled employee creates the breach. This can be a common problem in hospitality where turnover can be high. Employees donâ€™t necessarily have to be high-level to access sensitive data.
- Intentional external breaches are the more traditional hacking events caused by criminal organizations or hacker activists, or hacktivists.
â€œSome you have control over; some you have virtually no control over,â€ McMullen said, who added that hoteliers should review their insurance options to protect against different risk exposures.
Gold said heâ€™s working on an insurance claim for a client who had a former employee introduce malicious code into the companyâ€™s system. The code fried every controller, he said, causing physical damage to real pieces of hardware. For a networking company, this was a huge loss.
â€œThe insurance company is saying electronic commands canâ€™t cause real property damage,â€ he said. â€œIt is covered under the literal language, but they donâ€™t want to set that precedent. We will have to sue them.â€
When looking for different cyber-insurance policies, Gold said, itâ€™s important to keep in mind all the potential scenarios as some have provisions that exclude what hoteliers might need and think would be included, such as the physical damage in his clientâ€™s case. He said hoteliers should work with a savvy broker who specializes in cyber-insurance packages. There are so many different primary forms out there, he said, which can change every three to four months based on what clients face.
For more:Â http://bit.ly/1TZLnue