By 

The rules around data privacy and cybersecurity are constantly evolving. In order to protect themselves from liability, hotel owners should pay attention to ongoing legal developments and learn more about their own data infrastructure.

Bob Braun, senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group, explains why hotels need to understand exactly what data they hold, where it is stored and who has access to it.

Facing the Knowledge Gap: Why Hotels Need “Visibility” to
Avoid Data Privacy Liability

by 
Bob Braun, Hotel Lawyer

Addressing privacy compliance and cybersecurity is becoming more and more challenging for companies. At least 26 states are considering various kinds of data privacy laws. At the same time, the rate, depth, and impact of ransomware, wiperware and data breaches has become more intense and more expensive, and there is no indication that the trend will end soon.  Hotel companies, as holders of significant amounts of personal information and highly dependent on computer networks for daily operations, are particularly at risk in this environment.

A hotel company that seeks to comply with privacy mandates, and to prepare for and defend against a data breach, requires knowledge – it requires visibility.

What does that mean? To achieve visibility, a hotel brand, manager or owner needs to increase its knowledge of key elements of its data infrastructure:

See Your Network

Most hotel executives, other than chief technology officers and chief financial officers, have little knowledge of their network. But understanding what data is stored on the network, how the various parts of the network interact, and who has access to the network (and what kind) is essential to evaluating risks, complying with privacy laws, and preparing and defending against attacks. This means not only knowing what is supposed to be on the network, but the “silent” nodes as well – things like unused servers and the devices that attach to the network, such as personal laptops, smartphones and tablets.  As hotels become increasingly automated – by relying on smartphones to substitute for keys and allowing touchless registration – being able to see the full scope of the network is challenging but essential.

Part of seeing the network also means seeing what is happening on the network. A hotel brand or manager needs to know when there is a threat, where it is, and how to contain it. Simply having firewalls and other endpoint security isn’t enough; it’s too easy for hackers to gain access to the network. Being able to “see” what is happening on the network in real-time is what can allow a company to defend itself. Age is good for wine, but not for a breach response. When a breach is in process, speed is essential.

See Your Data

Surprisingly, many hotel companies are not fully aware of the data they collect, save and process – but this is key to complying with data privacy laws. A hotel brand or manager needs to know:

  • What data does it collect?
  • What data does it need to collect?
  • How does it collect data – directly from users, clients, and consumers, or through third parties, such as OTAs and third-party websites?
  • Where it store the data?
  • How does it use the data it collects – particularly personal information of guests and employees?
  • Who has access to the data?

The GDPR, the CCPA, the Virginia and Colorado privacy laws, the Utah privacy law being considered now, and each other statute currently proposed in the United States requires disclosure of each of these factors – and that knowledge is necessary to comply with consumer rights under those laws. A key question is differentiating between the data you collect and the data you need; companies need to recognize that there is no benefit in collecting data that’s not necessary. There is often a sense that “we might want to have this information in the future,” but that rationale does not stand up in today’s environment. Instead of being something of potential future value, collecting, storing, and using data that isn’t necessary for running a hotel business creates liability.

See Your Software

During the past year, understanding the extent of the software a company uses – and the software that its key vendors and partners use – has become increasingly important. The Log4j experience made it clear that if a company doesn’t know the software it relies upon, it cannot take preventative and reactive action to mitigate risks. Companies should create a “Software Bill of Materials,” identifying the software used by or for its business, and should understand how the software is managed, licensed, and supported. The hotel industry is particularly reliant on third-party software, whether it be for property management, reservations, or point of sale operations.

The Log4j issues also emphasized how important it is for companies to consider their use of open-source software. Open-source software is ubiquitous, but it is not always well-managed or updated, and is often overlooked when evaluating a company’s risk profile.  Hotel companies need to understand what open source and other licensed software is embedded into their essential software functions.

See Your Vendors

Hotels have always been aware that vendors not only provide essential services; they do not, however, always recognize the risks and vulnerability to bad actors those vendors create. Simply stated, when a vendor has access to a hotel network, a hacker can access a hotel’s network through the vendor. The situation is more complicated because vendors rarely act alone – they themselves have vendors, and those vendors have vendors, and so on. Even when a company can achieve a degree of comfort with a direct vendor, it may be difficult, if not impossible, to do the same with the vendor’s vendors, who do not have a direct relationship with the hotel.

The hotel industry can address some of these issues by taking a systematic approach to engaging new vendors and evaluating current vendors. Key steps include:

  • Qualifying vendors by doing a deep dive into their past performance, their privacy and security qualifications, and other key issues.
  • Enter into strong data security agreements, whether as part of a vendor contract or as an addendum.
  • Identifying their key vendors, and at least attempting to obtain similar information about those subvendors.
  • Regularly repeating this effort – vendors can change, and a regular (at least annual) review of their practices is essential, especially as vendors change ownership regularly.

Visibility, by itself, doesn’t prevent a malware attack. Without taking other measures – such as a thorough incident response plan – it won’t ensure an effective response or compliance with privacy laws. However, a company that fails to take elemental steps to understand its network, data, software, and vendors will be more vulnerable and non-compliant. The risks of not taking these steps far outweighs the time, effort, and cost of the effort.

You should be aware that you are not alone in this effort. Since the adoption of the GDPR and the CCPA, great strides have been made in overcoming what can, at first, seem to be an overwhelming task. The JMBM Global Hospitality Group, in coordination with the JMBM Cybersecurity and Privacy Group, works with hotel companies to understand and address their security and privacy needs, and we are ready to help you. For more information, contact Bob Braun (rbraun@jmbm.com).

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

Further information about cybersecurity issues

If this article was of interest, you may also wish to read other articles by Bob Braun on “Data Technology, Privacy & Security,” which include the following:

Hotel Data Security: Challenges to Address in 2022

New Challenges for Hotels: The New California Privacy Rights and Enforcement Act of 2020

Hotel Managers and Owners Be Warned – You are Responsible for Your Hotel’s Data Security

The California Consumer Privacy Act – What Hoteliers Need to Know Now

Avoiding Hotel Data Breaches With a Risk Assessment Audit™ – Lessons From the Marriott International “Glitch”

California Adopts the California Consumer Privacy Act of 2018

GDPR: What you need to know about the EEU’s new data privacy rules

Cyberattacks on Hotels — What Should Hotel Owners and Operators Do?

Hotel Cybersecurity: Protecting your guests and your property from vendor data breaches


Bob Braun is a Senior Member of JMBM’s Global Hospitality Group® and is Co-Chair of the Firm’s Cybersecurity & Privacy Group. Bob has more than 20 years of experience in representing hotel owners and developers in their contracts, relationships and disputes with hotel managers, licensors, franchisors and brands, and has negotiated hundreds of hotel management and franchise agreements. His practice includes experience with virtually every significant hotel brand and manager. Bob also advises clients on condo hotel securities issues and many transactional matters, including entity formation, financing, and joint ventures, and works with companies on their data technology, privacy and security matters. These include software licensing, cloud computing, e-commerce, data processing and outsourcing agreements for the hospitality industry.

In addition, Bob is a frequent lecturer as an expert in technology, privacy and data security issues, and is one of only two attorneys in the 2015 listing of SuperLawyers to be recognized for expertise in Information Technology. Bob is on the Advisory Board of the Information Systems Security Association, Los Angeles chapter, and a member of the International Association of Privacy Professionals. Contact Bob Braun at 310.785.5331 or rbraun@jmbm.com.