Strengthening data security – a call to action

It is easy to take for granted the special relationship that we as hotel operators have with our guests. Simply stated, our guests trust us with their complete security and safety as they sleep – an immense responsibility. They assume – appropriately – that we make exceptional efforts to justify and honor that trust.

Contributed by John Burns, president of Hospitality Technology Consulting, Scottsdale, Arizona. He is a member and past board member of HFTP, and a member of and executive adviser to HTNG.

That trust extends further as they give us the privilege (and associated responsibilities and expectations) of allowing us to know more and more about them.

Serving as their hosts, we learn a great deal about our guests. First, we know their future reservations. We know when they will be absent from their home, leaving it unoccupied or leaving their family alone. Beyond this sensitive information we also have a sense, sometimes limited, sometimes extensive, of their travel patterns, purposes and companions based on past stay activities. 

The breadth of guest information we hold in our databases has grown still further as, in our quest to strengthen our relationships to enable deeply personalized recognition, we have sought and accepted still more personal detail into our guest profiles.

Our guests typically are not aware, and do not think about, how much we know about them – just as they do not dwell on the volume and depth of their personal data in Google, Facebook, Amazon or other companies that they use.

Awareness of the personal data held by the hotel brands they patronize – and of its security – has not been an issue until recently. Hospitality-related data leaks have occurred periodically but have been similar in number and magnitude to those in other industries. As a consequence, they have not been particularly thought-provoking, not sufficiently jarring to provoke alarm or impact guest behavior.

This lack of interest, concern or alarm may change with the recent Marriott/Starwood data breach. The geographic breadth of impact, the volume and sensitivity of the data accessed, and the apparent unawareness of the possibly years-long breach may trigger greater concern, reduce trust, impact willingness to supply data to us (challenging our personalization efforts) or may change lodging brand preferences. Or it might not. We will keep travelling, and we will need hotel – or Airbnb or vacation rental – accommodation.

The Marriott/Starwood data security failure may, or may not, spur action by our guests. As the custodians of our guests’ sensitive information and as the stewards of our brands’ marketplace integrity and business success it absolutely should – it must – move us to decisive action. 

Easier said than done

As conscientious hotel operators, our instinct to strive for a higher level of data security collides with several real-world issues. First, we need to acquire and hold personal data in order to meet our personalization intentions and our guests’ personalization expectations. 

Second, in our hearts we are hosts – accommodating and agreeable. We want to be easy to work with and we hesitate to say no, even when the request is to open an email attachment or access a file off of a guest’s thumb drive. 

Third, we want, no, we need, guest interaction with us to be easy, personal and genuine. Stronger security such as that provided by the Health Insurance Portability and Accountability Act (HIPAA) regulations in the United States promises improvement but only with the addition of onerous and commercially unacceptable processes. I have to believe that a middle ground approach, such as expanded use of two-factor authentication and implementation of security verification techniques similar to those now present on our phones and tablets, could have meaningful value.

Finally, our goal to this point has been to meet “standard” data security protocols – we strive diligently to do so and generally succeed. Plus, our foremost focus has been on credit card data security, propelled by the successful PCI-DSS program. It now is apparent that the “industry standard” level and focus of data security is no longer sufficient. 

The time has come for all of us in the lodging industry – and I include in this term not only traditional hotel operators but also shared accommodation representatives and vacation rental aggregators – to devise and lead implementation of more stringent guest data security standards.

Action plan 1: Joint Emergency Guest Data Security Workgroup

To identify and enable those more stringent standards, I recommend that Hospitality Technology – Next Generation (HTNG), which already operates its Chief Information Security Officers Forum, and Hospitality Finance and Technology Professionals (HFTP), which has had a longstanding focus on data security, immediately form the senior-level Joint Emergency Guest Data Security Workgroup. Its aim should be threefold:

  1. Define immediate actions, for implementation in months 0-6
  2. Define near-term actions, for implementation in months 7-15
  3. Define intermediate-term actions, for implementation in months 16-30

Action plan 2: Guest Data Security Summit

I suggest that this three-stage action plan be presented to the lodging industry – traditional hotel operators, shared accommodation representatives and vacation rental aggregators – at a Guest Data Security Summit in May 2019. 

Action plan 3: Guest Data Security Summit

Additionally, I recommend convening a Travel Data Security Summit in November 2019 at which the plans and progress of the May Summit and its security standards and processes definition and implementation efforts would be presented to the broader travel community.

Summit participants would ideally include the International Air Transport Association (IATA) on behalf of airlines, American Car Rental Association (ACRA) on behalf of the rental car industry, the two major OTAs, major travel management companies such as American Express Global Business Travel and Carlson Wagonlit Travel, and Cruise Lines International Association (CLIA) on behalf of the cruise industry, all meeting with the intent of achieving travel industrywide cooperation and collaboration on traveler data security.

We, the hotel industry, and more broadly the travel industry, must act to strengthen guest data security. The security of our guests’ data is inseparable from our own security and success.
