ARLINGTON, Virginia — The threat of data breaches continues to grow for hotel companies as hackers’ methods of infiltration further evolve.
Though many parts of business slowed or paused during the pandemic, data breaches as a whole did not. Hotel companies are still a popular target for data thieves looking to obtain the personal information of guests and employees and monetize it, or to hold sensitive information for ransom.
During the Hospitality Law Conference Washington, D.C., experts in data breaches and insurance spoke about how these breaches have changed and how best to respond to them.
A Growing Threat
The data breaches have been nonstop with news breaking every month of another breach, said Dale Buckner, CEO of security solutions company Global Guardian. COVID-19 further complicated data security because of how many people have been working from home.
The issue is that if a company has its employees working from home, they’re running systems that connect back to the company. The employees may be using routers that are 10 years old, haven’t been updated and have a weak password, with no encrypted virtual private network. The Wi-Fi network they’re using may be open to the neighborhood.
“If you don’t issue a company phone that has an encrypted end-to-end VPN on it where everything is encrypted and protected, or you have employees bringing their own device, it’s wide open,” he said. “These are all ways into your company. You are completely exposed.”
Until corporations are willing to issue work laptops and phones to employees and actually protect those devices, it doesn’t matter what insurance, software or platform they have, Buckner said. Eventually, companies won’t be able to get insurance to protect against data breaches. He said his own company has seen cyber insurance costs increase by 65%, and his company has a specialty in cybersecurity.
Hackers who got past a company’s security and held vital information or operations for ransom used to hold out for higher figures, he said. Now the amounts range from tens of thousands up to a couple hundred thousand dollars, but they’re doing it at scale.
“Now, it's just high volume, low rates,” he said. “They know you'll pay it typically. They know you're insured for it, and it'll go — in some cases or not. But ultimately, that's how that entire industry has changed.”
Data Breach Insurance
Throughout the pandemic, data breaches were off the chart, said Daniel Healy, partner at Anderson Kill.
“Ransomware was in the news literally every day, and it’s not going away,” he said. “There’s a huge human error problem that we are unable to solve.”
Purchasing data breach policies is becoming increasingly difficult, with some insurance companies talking about pulling out of selling the coverage, he said.
Privacy is an ongoing issue for companies, and they need to review what type of coverage they have for such breaches, Healy said. Some may fall under commercial general liability insurance, but most companies hopefully have coverage under their cyber policies for specific privacy rights violations.
When purchasing policies, there are a couple of options, Healy said. There are stand-alone cyber policies that have five to six coverage parts. There’s also a set of “morphed policies,” he said.
“Neither is necessarily bad, but they are different, and they function differently,” he said.
The policies define harmful acts, and each may require a different set of events to occur to trigger coverage, he said. Companies need to understand what those are in order to decide exactly what kind of policy they need.
When reviewing stand-alone cybersecurity policies, companies should be aware of any data or electronic equipment exclusions, Healy said. When looking at a company’s full insurance coverage tower, it could appear to provide $100 million in coverage but may have some exclusions after $30 million to $40 million.