Last November, the ride-sharing service Uber announced that it had suffered a data breach in 2016. (It then made the mistake of paying the hackers $100,000 to delete the information and keep the breach a secret.) But it wasn’t Uber’s internal system that was hacked; it was actually GitHub, a service that Uber’s software engineers use to collaborate on software code.
In 2015, HomeAway suffered a breach of critical homeowner data via their third-party payment processor, Yapstone. Although guest data wasn’t at the heart of this breach, what’s essential to understand in both of these cases is that when it comes to accountability for data security, vacation rental companies are equally, and frequently more, responsible for the breach, even if it occurs on third-party technology. The costs of breaches such as these come in the way of fines, lawsuits from government entities and consumers, significant brand damage, and the risk of having your ability to process credit cards taken away.
Therefore, vacation rental companies must make every possible effort to ensure that every one of their vendors that handles customer data is compliant with national payment card industry data security measures, also known as PCI Compliance.
The Actual Cost
IBM’s 2017 Ponemon Cost of Data Breach Study showed that the average cost of a data breach was $3.62 million. That is $141 for each lost or stolen record. The report further noted that the average size of data breaches has increased to more than 24,000 records.[i]
For vacation rentals, the financial liability can have devastating consequences. To demonstrate the extent of a data breach situation, look at the small Florida hotel group Rosen Hotels & Resorts. The group, which owns seven properties, experienced a data breach in 2016. According to a lawsuit filed against Rosen by its insurance company, the group saw “a $1 million fine each from Visa and MasterCard; a $128,830 fine from American Express; $50,000 in attorneys’ fees; $40,000 in costs to send notifications to clients; $15,000 in fees to a crisis-management firm; and a bill for $150,000 to a data-forensics team that identified the breach. The costs could continue to grow if Rosen faces additional legal claims from customers, according to the lawsuit.”[ii]
Our country and our industry are still, in the grand scheme of things, fairly inexperienced in dealing with security breaches. There is little standardization when it comes to recourse. So companies like Rosen see fine after fine and are challenged by their insurance companies—and still they face possible lawsuits from the affected guests. This is a recipe for disaster, and one that’s not going anywhere. As industry insider Tim Critchley notes, the hospitality industry provides “high-value targets for cybercriminals because they not only hold payment card information on guests, but also a wealth of other sensitive personal data that can be used to steal their identity.”[iii]
Complicating matters is what lawyer Robert Braun calls “cross-contamination.”[iv] Frequently, data security breaches in the hospitality world are at the point-of-sale, which is almost always a third-party system. Because so many data systems of vacation rental companies are interconnected, this means that all of the systems become a target, not just the point-of-sale technology.
Vacation rental companies must take extreme precautions, not only with their on-site security processes but also with their third-party systems, particularly point-of-sale systems where guests give credit card information via a call center or a booking engine. PCI Compliance is one of the few standards vacation rental managers can use to gauge the safety of their third-party point-of-sale providers.
“Level One PCI Compliance is extraordinarily challenging to obtain, and any technology provider that does so is demonstrating their dedication to the security of their vacation rental companies,” says Amber Mayer, NAVIS VP of product. “Vacation rental companies are at even greater risk for a truly damaging impact of a breach than the big hotel companies. Hotel brands tend to have deeper pockets than vacation rental companies when it comes to rolling out crisis campaigns and paying all the hefty fines.”
The Hidden Cost
Although the financial repercussions of a data breach can take a toll—and for some will be devastating—the hidden cost of a security failure comes from the degraded brand and the subsequent decline in customer loyalty. As the New York Times noted about Uber’s cover-up, “the handling of the breach underscores the extent to which Uber executives were willing to go to protect the $70 billion ride-hailing giant’s reputation and business, even at the potential cost of breaking users’ trust and . . . state and federal laws.”[v]
A survey by Ponemon showed that 31 percent of consumers said they discontinued their relationships with a company that had a data breach, whereas 65 percent said they lost trust in the breached organization.[vi]
For the hospitality industry, the impact can be worse than other industries due to the nature of the relationship. Matt Rizzetta, CEO of brand communication firm North 6th Agency, notes, “The brand crisis is exacerbated in the hospitality industry when a data breach happens . . . the communication strategy needs to reflect the intimate nature of the guest/brand relationship.”[vii]
Make Security a Part of Your Brand
There is only so much you can control, and data breaches can happen no matter how careful you are. It’s a fact of modern life. Vacation rentals must rely on multiple vendors to serve guests in an increasingly technologically savvy and complicated world. There are many ways to head off data breaches at the pass, however:
- Initiate a comprehensive review of more than just internal security measures, with priority given to the reservations department.
- Assess call centers and booking engines for compliance.
- Review all platforms/providers that integrate with point-of-sale technology to ensure PCI Compliance.
- Here’s the big one: Once you have invested in security and compliance, make it a part of your brand.
According to Ponemon, companies that report a data breach experience, on average, a 5 percent decline in stock prices. However, “companies that self-reported their security posture as superior and quickly responded to the breach event recovered their stock value after an average of 7 days.” Companies that had what was identified as a poor security posture had a stock decline that lasted more than 90 days.[viii] The takeaway: take security seriously and integrate it into all aspects of your vacation rental business so that, even in the event of a breach, brand trust is recoverable.
In an ideal world, though, you should avoid a security breach altogether with proactive security measures applied to your internal and third-party systems. Although the steps to securing your data systems may seem overwhelming, doing nothing is far more costly. It’s not a case of whether a breach will happen, but when. Ensure you are partnering with vendors that take security seriously to minimize the chances of a breach and to control the breach (i.e., how much data is compromised).