By Julie Eisenhauer, CPA

As we head into May and the prime tourism months of summer, it is an opportune time for hospitality professionals to evaluate the important responsibility they have in maintaining data security and privacy.

One only has to read the headlines to realize that data security and privacy continue to be of paramount importance to customers of hospitality businesses. Several years ago, I wrote an article that outlined basic steps to consider when protecting data. These steps for protecting data I wrote about a few years ago are as relevant today as they were then.

Step 1: Locate and inventory where personally identifiable information (PII) is stored

PII includes first and last names, social security number, biometric records, date and place of birth, mother’s maiden name, address, email address, driver’s license number, or financial account information. Because PII can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context, it is critical to have an inventory of PII storage locations.

Determine which PII your business requires, what information is collected, how it’s secured, and who has access to it and under what circumstances. Once you have identified the location of your data, move it to more appropriate locations as needed.

Step 2: Assess your firewall and implement an intrusion detection system

The firewall has long been the first line of defense for network security. However, data breaches can occur because the firewall hasn’t been updated or the latest security patch installed. If you haven’t assessed your firewall lately, now is the time to do so.

Implementing an intrusion detection system allows for earlier detection of intrusion, which can translate into a quicker response that can help reduce the cost per data record stolen. To determine what is considered malicious or “unusual” activity, the business should first define what is considered “normal” activity based on the nature of their business.

Step 3: Secure all electronic devices

It should be second nature to encrypt all laptops and publicly accessible desktop computers. However, hackers have evolved their efforts to include other devices such as smart phones, mobile apps, and flash drives. This article, though focused on nonprofits, includes information about malicious IT attacks. The information is appropriate for all industries.

Consider investing in external training to provide up-to-date security tips for electronic devices, such as encrypting or limiting the use of flash drives, or communicating the peril of using an unsecured data port to charge your phone. As the use of technology continues to evolve in the hospitality industry, it is important to stay up-to-date on how it is used and the data it may be collecting (for example, mobile check-in innovations). This leads us to the next step.

Step 4: Expand staff training to include basic data security

Businesses train their staff for core, on-the-job duties. If you haven’t already done so, expand staff training to highlight the importance of protecting personal data. Include in your training appropriate use of your computer systems and how to identify threats such as phishing, as well as reviewing company policies for assessing and transferring data and safe web browsing rules. Encourage your employees to use passwords that are random, complex, changed regularly, and are closely guarded.

Step 5: Develop a detailed response plan

A quote from Cervantes sums up this step: “Forewarned, forearmed; to be prepared is half the victory.” Businesses that implement a detailed response plan can act quickly, thereby reducing the harm caused by a data security breach. The response plan should include the names of the response team members, including outside vendors such as an attorney, forensic/advisory firm and insurance broker. The plan should document the steps to access the scope of the breach and secure the premises, identify compromised data and eradicate hacker tools, and establish guidelines for notification.

Lastly, a crisis communication component should be part of the response plan. The fundamentals would include identifying crisis team members and their roles, core key messages, designated spokespersons, social media monitoring and response, and communications to employees.

I’ve presented these data protection steps as basic; however, basic does not equate to fast or simple. Yes, these steps will take some work, but the consequences of faulty data security are too great to overlook. Take the time now to secure your customers’ data and your company’s continuing success.

Contact Julie Eisenhauer for more information about issues impacting hospitality businesses.

Note: The European Union’s new General Data Protection Regulation (GDPR) takes effect May 25. This regulation makes a business legally accountable for what happens to personal data from European individuals they have marketed to and collected data from. The GDPR also includes rules around a customer’s consent to provide data and their right to demand removal of that data. These rules have not been addressed in this article.

© Clark Nuber PS, 2018. All Rights Reserved

This article contains general information only and should not be construed as accounting, business, financial, investment, legal, tax, or other professional advice or services. Before making any decision or taking any action, you should engage a qualified professional advisor.