You think training is expensive? Try NOT training!
In a recent hospitality industry trade magazine, Richard Sheinis, a partner in the data security and privacy group of Hall Booth Smith in Atlanta, GA, states: “The fact is that a very substantial number of data breaches at companies of all sizes occur because of employee mistakes and negligence.” The “Global Cost of a Data Breach” study by the Ponemon Institute found that 35 percent of data breaches are attributable to negligence or human error.
The iCloud breach last month drives this home. In his first interview on the subject, Apple Chief Executive Tim Cook said the most important measures to prevent future intrusions might be “more human than technological.” In particular, he said Apple could have done more to make people aware of the dangers of hackers trying to target their accounts or the importance of creating stronger and safer passwords.
“When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece,” he said. “I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”
When a breach involves personal information, such as credit card information, of hundreds or thousands of people, the result is often a costly class action lawsuit. David Vladeck, the former director of the FTC’s Bureau of Consumer Protection and a professor of law at Georgetown University, believes Apple will be sued in a class action.
As of September 15th, the first suit has been filed by model Joy Corrigan. Corrigan, 20, said her iCloud account was hacked in July 2014 and nude pictures of her were posted online.
NOTE: images on one’s iPhone are by default stored to iCloud and a lot of iPhone users do not know that. As such, she and many others thought the images were on their phone ONLY when in fact they were also uploaded to iCloud.
In July she complained to Apple and was allegedly told she was a victim of phishing, and that it was not Apple’s fault. She WAS told she would need to change her password. She complied. Her iCloud account was hacked for a second time within days. She contacted Apple again, and again was told it was not the company’s fault.
Corrigan has called in a lawyer after the naked photos of over 100 actors, performers and even Olympic athletes were hacked from their iCloud accounts and released by a user on the anonymous web forum 4Chan on August 31. Corrigan wants other victims to contact her lawyers for a class-action lawsuit against Apple.
Experts in privacy and data security alike believe regulators and courts are finally realizing our legal system puts consumers at a fundamental disadvantage against the businesses with which they entrust their digital lives. If Apple were to appear in court, these experts say, the case could finally set precedent for how companies must behave.
While such suits have had little success in the past, Vladeck and other legal and cybersecurity experts are unanimous: a lawsuit over the high-profile iCloud hack may be just the thing to push companies to more aggressively protect the people using their services.
Speaking of lawsuits, Sheinis reminds us that in the case of a hotel data breach, other factors will enter into the considerations of judge and jury:
“In addition to the risk of damage to a business because of a data breach caused by employee negligence, such negligence can also lead to legal liability for damages to hotel guests resulting from the data breach.”
Although the law regarding liability for breaches is still developing, Sheinis reminded us not to overlook that a business is generally liable for the actions of its employees.
“A business can be liable for losses suffered by hotel guests as a result of their personal information being disclosed because of employee negligence. If it is found that the employee was negligent because he or she was not properly trained or supervised on data security procedures, this lack of training or supervision can be another basis for the hotel to be held liable.”
Sheinis wraps up by driving a key point home: “The importance of training and supervision is two-fold. It can reduce the likelihood of a data breach occurring in the first place. Second, if a breach DOES occur, it can reduce the likelihood of the business being liable for damages experienced by hotel guests.”
Beyond determining or avoiding vulnerabilities, hoteliers can easily evaluate the monetary impact of a security breach and be prepared should one occur. According to the 2014 Ponemon Data Breach study (the “Gold Standard” expert source related to data breach findings), “The average cost for each lost or stolen record containing sensitive and confidential information has increased from $188 to $201.”
If only 1,000 records were compromised (guest data or employee data), the “cost,” not including loss of brand trust, is a minimum of $200,000.
–> You have HOW MANY LOYALTY CLUB MEMBERS?
–> You have HOW MANY EMPLOYEES?
–> You have had HOW MANY GUESTS in the last year alone at your hotel(s)?
Do the math.
When it comes to value for your dollar, training on proper data security policies and procedures will pay immediate dividends.