
DATA PRIVACY - HOT TOPICS IN HOSPITALITY TRACY PULITO, DEPUTY CPO, STARWOOD HOTELS


Presentation Transcript


  1. DATA PRIVACY - HOT TOPICS IN HOSPITALITY TRACY PULITO, DEPUTY CPO, STARWOOD HOTELS CHRIS ZOLADZ, FOUNDER, NAVIGATE LLC AHIA SPRING MEETING – APRIL 23, 2010

  2. Agenda • Current landscape • Legal environment • Framework to protect data • Common data privacy weaknesses • Gauging risks at a high level

  3. Current Data Privacy Landscape in Hospitality • “Hackers are now stealing credit-card data from hotels more often than any other industry.” – Wall Street Journal, March 18, 2010 • A major forensic investigative company stated that 38% of its data-breach investigations in 2009 occurred at hotels. • Hackers are finding industry-specific weaknesses and exploiting them. • To prevent this, it is recommended that hotels follow the data-security standards established by the PCI Security Standards Council.

  4. Data Privacy Landscape (cont’d) • Historical under-investment in information security • Nature of the business makes it susceptible • Current economic conditions placing more emphasis on revenue generation and cost cutting • PCI compliance more aggressively pursued by merchant banks • Regulatory environment becoming more onerous

  5. Global Privacy/Data Protection Laws, Regulations & Standards
     • European Union: EU Data Protection Directive and Member States’ Data Protection Laws
     • Japan: The Personal Information Protection Act, The Anti-Spam Act
     • US Federal: HIPAA, GLBA, COPPA, Do Not Call, CAN-SPAM Act, Safe Harbor Certification
     • Canada Federal/Provincial: PIPEDA, FOIPPA, PIPA
     • Hong Kong: Personal Data Privacy Ordinance
     • US State: 46 Breach Notification Laws
     • Argentina: Personal Data Protection Law, Confidentiality of Information Law
     • South Africa: Electronic Communications and Transactions Act
     • Australia Federal: Privacy Amendment Bill, Spam Act

  6. State Breach Notification Laws
     • Breach notification laws are in effect in nearly all states, requiring disclosure to customers when personal information is compromised: 45 states, plus DC, PR & VI. No law in Alabama, Kentucky, Mississippi, New Mexico & South Dakota.
     • Common requirements:
       • Notice to affected individuals of unauthorized access to personal information (credit card number, SSN, driver’s license, account number, medical information, health insurance and name).
       • Trigger: when the company knows or “reasonably believes” there has been a security breach, i.e. unauthorized acquisition of unencrypted personal information.
       • Notice must be prompt, without unreasonable delay. Delay is permitted if notice would impede a criminal investigation, or to allow the company to determine the extent of the breach and take action to restore security.

  7. State Breach Notification Laws – Variations
     • AR, DE, IN, NV, ND, and NY include medical data, last 4 of SSN, employer ID, mother’s maiden name, signature or biometric data as a trigger.
     • AR, NV and TX require reasonable security measures.
     • Encrypted data is not exempt in NY and MN.
     • AR, MT, NV, NYC and TX impose a duty of secure destruction.
     • NV – businesses may not transfer covered data without encryption, unless internally or by fax (effective 10/1/08).
     • Some states impose additional reporting obligations to consumer reporting agencies, the Office of the AG, or the Department of Consumer Affairs/Protection, plus specific language or notice regarding credit agencies.
     • Always required to contact credit card companies and acquirers.
     • TJX – several states are discussing holding merchants liable for costs associated with breaches of credit card data while in the merchant’s possession. Still waiting for federal regulation.

  8. Reference: http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx

  9. International Breach Notification
     • Canada:
       • File with the appropriate Privacy Commissioner’s Office
       • Containment & assessment
       • Evaluate the risk
       • Potentially required to provide notice to affected customers
       • Remediation and prevention
     • EU: Enacted (member states have 18 months to implement); effective May 2011; applies to ISPs & telcos.

  10. International Breach Notification – Member States: Germany
     • Notify if the incident “threatens significant harm” to the rights and protected interests of an individual.
     • Notification must be provided “immediately” after measures have been taken to secure the data and to ensure criminal investigations will not be adversely affected.
     • The notice requirement is limited to a breach of sensitive data (bank or credit card information, or information that is subject to professional or official confidentiality protections).
     • Only a single trigger is required for notification, while most U.S. state statutes require two (name, plus a sensitive data element).
     • Delivery of breach notices: where a large number of individuals are affected and individual notification would be too burdensome, notice may be made by at least a half-page advertisement in at least two daily national newspapers, or other means providing similar exposure.

  11. Costs of a Data Breach • Forensic experts • Sending notification letters • Credit monitoring service • Call center to handle questions • Legal fees • Lost productivity of employees that are part of the incident response effort • Credit card company fines and assessments • Potential FTC settlements • Loss of customer, public and regulator trust • Recently released Ponemon Institute study disclosed cost of $204 per record

  12. The FTC is also an Enforcer
     • Focuses on “unfair” or “deceptive” trade practices
     • Settlements:
       - Range from tens of thousands to millions of dollars.
       - Include agreement by the company to independent oversight of its information security program for 20 years.
     • Learn more: http://www.ftc.gov/privacy/privacyinitiates/promises_educ.html
     “Privacy is a central element of the FTC’s consumer protection mission.” – Source: www.ftc.gov

  13. Massachusetts Data Privacy Regulation
     • Companies that hold any personal information about Massachusetts residents are required to develop security policies conforming to the Massachusetts standard, including encryption of personal information on laptops, new certifications from service providers, and amended outsourcing deals.
     • In August 2009, the Office of Consumer Affairs and Business Regulation filed amended regulations with major changes including:
       • Compliance deadline March 1, 2010
       • Apparent incorporation of FTC standards under GLBA, allowing for a risk-based approach to data security and consistency with federal law and statutory intent
       • Removal of prescriptive technology requirements
       • Removal of some requirements for the written security program
       • Third-party contracts entered into prior to March 1, 2010 have until March 1, 2012 to be amended to include appropriate security measures
       • If technically feasible, backup tapes must be encrypted on a go-forward basis, including creation of new backup tapes and movement of old backup tapes (e.g., from storage back to the company facility). If not technically feasible, appropriate steps should be taken to secure and safeguard the PII based on the sensitivity of the information, amount of PII, distance traveled, etc.

  14. Nevada Encryption Law
     • In October 2008, Nevada became the first U.S. state to enact a law that specifically requires encryption for all external electronic transfers of customers’ personal information, rather than referring to “reasonable security procedures and practices” to protect data.
     • Encryption means* “the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:
       • Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
       • Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
       • Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.”

  15. Washington Law
     • A new addition to the Washington State breach notification law imposes additional liability in payment card breaches. Effective July 1, 2010, certain companies processing payment card transactions may be liable to financial institutions for the costs associated with reissuing cards after the company experiences a breach.
     • The law intends to encourage the reissuance of cards, thereby mitigating the potential harm which could be caused by a security breach, and applies to:
       • Businesses – “processes more than six million credit card and debit card transactions annually, and who provides, offers, or sells goods or services to . . . residents of Washington.”
       • Processors – “directly processes or transmits [payment card] account information for or on behalf of another person as part of a payment processing service.”
       • Vendors – “entity that manufactures and sells software or equipment that is designed to process, transmit, or store [payment card] account information or that maintains account information that it does not own.”
     • The new law is triggered if a business or processor fails to take reasonable security measures to protect against unauthorized access to account information, thereby causing a breach. The business or processor will be liable to the relevant financial institution for the costs of reissuing payment cards to Washington residents to mitigate “potential current or future damages”. Likewise, a vendor will be liable to the financial institution for such costs if such damages were caused by the vendor’s negligence.
     • HOWEVER, there are two exceptions; there shall be no liability if (1) the account information is encrypted; OR (2) the company’s PCI DSS compliance was validated by an annual security assessment within the year prior to the breach, even if such security assessment is subsequently revoked.

  16. Framework for Protecting Customer & Employee Data
     • Legal compliance – international & domestic laws and regulations, government agency (FTC) practices, industry standards (PCI), etc.
     • Corporate public & internal policy development and implementation – on and off line
     • Training
     • Audit
     • Work with corporate offices & various departments – marketing, development, security, etc. – advising and providing strategic guidance on ensuring privacy of customer & employee data through legal and policy compliance
     • Business and partner contracts – include privacy & security provisions
     • Monitor systems, operations, programs and marketing
     • Conduct new-initiative assessments
     • Periodic review of laws and regulations and their potential effect on company policies and procedures

  17. Policies & Procedures
     • Who should the policies apply to: employees, consultants, contractors and anyone with access to customer or employee data.
     • What should the policies govern: collection, use, access, monitoring, disclosure, transfer and storage of data and company systems.
     • What systems/technologies should the policies apply to: all company servers and systems, personal computers, e-mail, IM, PDAs, telephones, cell telephones, voice mail, fax, intranets, wire services, on-line services, the Internet, etc.

  18. Data Loss Prevention
     • Data leakage: the movement of a data asset from an intended state to an unintended, inappropriate, or unauthorized state, representing a risk or a potentially negative impact to the company.
     • Locate all sensitive information: a key challenge is being able to accurately identify relevant data at all key locations (stored data, laptops, network, message server). Many companies do not know where such data is, who has access to it, and what the company and its employees are doing with it.
     • Control and protect all sensitive information: there are many ways to misuse and lose sensitive data. Companies must control and protect sensitive data in order to meet legal, regulatory and company policy compliance obligations.
     • Report and remediate: IT and security teams need a system that allows quick identification of real violations and trends without wasting time and resources on valid business activity.
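The "locate all sensitive information" step above is the one most often automated with a discovery scanner. The following is an added example, not code from the presentation or from Starwood or Navigate: a small Python scanner run over constructed sample files that reports a card number only when it passes the Luhn check (so reservation and phone numbers are not false positives), also catches SSN-shaped values, and masks every finding so the report itself holds no raw PII.

```python
"""Sensitive-data discovery scanner (the "locate" step of DLP).

Constructed example for this page, not the presenters' tooling. Card numbers
are reported only when they pass the Luhn check (reservation and phone numbers
are not flagged), and every finding is masked so the report holds no raw PII.
"""
from __future__ import annotations
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security Number in the common ###-##-#### layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four characters so findings can be triaged safely."""
    return "*" * (len(value) - 4) + value[-4:]

def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (kind, masked_value) for every validated PAN or SSN in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(("PAN", mask(digits)))
    for m in SSN_RE.finditer(text):
        hits.append(("SSN", mask(m.group())))
    return hits

def scan_locations(records: dict[str, str]) -> dict[str, list[tuple[str, str]]]:
    """Scan {location: content} and keep only locations that hold findings."""
    report = {}
    for location, text in records.items():
        hits = find_sensitive(text)
        if hits:
            report[location] = hits
    return report

# Constructed sample locations: a scanned registration card, a marketing
# export, and a reservation log whose 16-digit confirmation number fails Luhn.
SAMPLE = {
    "reg_card_2009.txt": "Guest J. Doe, card 4111 1111 1111 1111 exp 03/11",
    "marketing_export.csv": "name,ssn\nJ. Doe,123-45-6789",
    "reservations.log": "confirmation 1234567890123456 room 412",
}

if __name__ == "__main__":
    for location, hits in scan_locations(SAMPLE).items():
        print(location, hits)
```

In practice the `records` dict would be fed from file shares, laptops and mail stores; the scanner's output is a finding list by location, which is the inventory the "control and protect" step needs.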

  19. Breakdown of the Risk
     As data is processed, data leakage may occur, resulting in the following significant risks to a company:
     • Financial damages – may include asset loss, replacement, management time, public relations, shareholder value, etc.
     • Legal & regulatory compliance risks – non-compliance may have a serious impact on ongoing operations.
     • Damage to reputation – the significant impact on the brand and reputation has a higher value than the actual value of the potential damages.
     • Operational risks – disruption of service, business operation, system outages, etc.
     • Privacy risks – failing to notify of an incident has serious long-term brand and legal consequences under numerous U.S. and international privacy and data protection regulations, including the EU DPD, GLBA, HIPAA, and breach notification laws.

  20. Contractual Agreements – Data Management with Third Parties
     • Data protection through contracts with outsourcing, marketing agreements, and vendor relationships that involve data transfer across organizational, geographic, and system boundaries
     • Data transfer across geographic borders
     • Vendors or partners may expose sensitive data to their own third-party agents and contractors
     • Granting vendors access to a company’s sensitive data and processing environments
     • Existing contracts may carry a risk of data leakage and misuse by third parties
     • Inconsistent implementation of privacy practices among independent organizations
     • Who has responsibility and associated liability for data protection?
     • Contract language and internal auditing of those contracts

  21. Contractual Agreements – Data Management with Third Parties: Contractual Requirements
     • Data ownership v. usage rights
     • Usage restrictions and confidentiality
     • Security requirements:
       • Maintain appropriate technical and organizational measures to protect data
       • Take all necessary steps to ensure security of systems that process data
       • Protect against unauthorized, unlawful or accidental access, disclosure, transfer, destruction
     • Breach notice requirements and government/regulatory agency investigative notice requirement, or disclosure due to subpoena, court order, etc.
     • Disclosure only to those with a business need to know; third-party vendors must have the same terms in a written agreement
     • Vendor responsible for actions of employees, agents, consultants, subcontractors, anyone with access to data
     • Audit rights, certification (breach of contract claim)
     • Secure data destruction, disaster recovery
     • Legal and privacy policy compliance
     • Survivability and assignability

  22. Marketing
     • Guidelines regarding the collection, processing, use, transfer, storage and retention of customer data for marketing purposes
     • List specific data fields that may be used for specific situations when customer data is captured:
       • Ordering products or services (online, call centers, in person, catalog, etc.)
       • Loyalty program registration
       • Newsletters
       • Marketing sign-up
       • Contest entry
     • Who may have access to such data: only those employees with a business need to know

  23. Marketing
     • Include secure transfer and storage guidelines
       • No Excel spreadsheets!
       • Printed copies in locked file cabinets in locked offices
     • Reference data management policies for retention requirements
     • Contact management strategy
       • Number of times a month/year a customer may be contacted
       • Specific promotions
     • Creative content review & approval process

  24. Co-Branded & Partner Marketing
     • Avoid sharing lists directly with marketing partners, including opt-out lists
     • Use a third-party mail house
     • Both parties create the creative, with equal use of branding; or, for companies that do not collect consents for third-party marketing, consider having significantly more company branding with reference to the co-branded partner’s name, logo and offer
     • Provide the creative to the mail house with the appropriate company(ies) recipient list excluding opt-outs (unless the mail house will remove opt-outs)
     • The marketing piece should be sent soon after it is provided to the mail house, to ensure compliance with CAN-SPAM if a customer opts out after their name was included in the list provided to the mail house
     • If both company lists are being provided, have the mail house conduct a “bump up” of the lists to remove duplicates

  25. Co-Branded & Partner Marketing
     • Ensure CAN-SPAM requirements are met: appropriate company name, address and opt-out are provided
     • Under revised CAN-SPAM, a co-branded marketing partner may be held liable for its partner’s non-compliance with CAN-SPAM
     • Therefore, ensure proper contractual requirements are in place, such as requiring a warranty and representation that the partner company has all the necessary consents and permissions from the intended recipients to send such marketing communications, and will indemnify its co-branded partner

  26. Common Weaknesses at Hotels
     • Unsecured credit card authorization forms
     • Imposters on the phone or on property
     • Use of commonly known default passwords
     • Poor physical security over the computer room or computer servers
     • Use of default user IDs and passwords
     • System intrusions by hackers (organized crime)

  27. Common Weaknesses at Hotels • Old registration cards with credit card data • Unsecured laptops with personally identifiable information • Paper records with personal information that are discarded without shredding • Credit card skimmers and key loggers • Insecure disposal of laptops/desktops/servers

  28. Risk Management Challenges • PII can be in many locations – paper and electronic • Laptops, flash drives, CDs • BlackBerrys, iPhones • Homes of teleworkers • Third-party service providers • Contractors of third-party service providers • Potential resistance to business process and/or technology changes • Limited staff and resources to assess and mitigate risk • “It won’t happen to me” syndrome

  29. Gauging Your Client’s Risk at a High Level • Are there adequate experienced resources dedicated to this area? • Are the necessary activities being focused on? • Policies and procedures • Training • Communications • Information inventory • Risk Assessment • Monitoring new threats and legal requirements, etc. • Is there a current risk assessment? • Does it include all the places PII is contained?

  30. Gauging Your Client’s Risk At a High Level (cont’d) • Is senior management aware of the risks? • Are remediation plans prepared and implemented? • Have insurance options been considered? • Is the residual risk documented and approved by senior management? • Is there an effective process to manage information protection and privacy risks and legal requirements on an on-going basis?

  31. Questions?
     Tracy Pulito, Starwood Hotels & Resorts – Tracy.pulito@starwoodhotels.com – (914) 640-8118
     Chris Zoladz, Navigate LLC – chris@navigatellc.net – (240) 475-3640
