By May 2018, businesses operating in the EU, and any business that processes data relating to EU citizens, will need to have systems in place to comply with the General Data Protection Regulation (GDPR).
"This will have significant repercussions, and an important point to consider from the outset is that the regulations could affect any business, anywhere around the world," says Andrew Pickthorn, managing principal at Integro Insurance Brokers.
While it is likely that the new regulations will need to be tested in court on a case-by-case basis, businesses should not rely on the hope that a court will rule against the European Commission (EC).
"Taking on the might of the EC would not be a cheap task, but non-member states may take a dim view of their companies being sued by Brussels," Pickthorn says. "Anticipate a raft of litigation as each side squares up in the battle of personal data versus extraterritoriality."
GDPR sets out obligations for businesses to be far more diligent in protecting personal data. In practice this means better and more secure information systems, and dedicated posts to manage them.
"The primary task of employees in these roles will be to manage, protect and take responsibility for the protection of EU citizens' personal data," argues Bill Egerton, chief strategy officer at Vauban Cyber Technologies. These may not necessarily be new posts; best practice suggests that companies will have delegated these roles already, but what is new is the depth of scrutiny and the legal obligations that now come with them.
Robust processes will need to be put in place, particularly with respect to incident response and reporting. The regulations prescribe that the relevant authorities need to be informed within 72 hours in the case of breaches involving personal data.
Organisations that fail to report in a timely manner will be sternly fined. Fines can be up to €20 million, or 4% of an organisation's global turnover. "We see this getting more stringent over time," observes Egerton. "At some point, someone is going to be fined a huge amount or be sent to prison. These regulations have every possibility to become as fierce as Sarbanes-Oxley."
Pickthorn agrees. "For the hotel industry, this is significant. As custodians of a great deal of guest data, they are now obliged to be scrupulous and accountable," he says.
A major chain that runs hotels on a franchise basis may not be able to so easily delegate responsibility and accountability to the franchisee, particularly if it is dictating data standards and infrastructural requirements. "The concept of risk transfer will need to be thought through very carefully, as will structures and appropriate governance mechanisms," Pickthorn warns.
Earlier this year, a worrying number of cyberattacks were made against Wi-Fi networks and hotspots in hotels across Europe, leading the UK's National Cyber Security Centre to warn hotel guests to take extra precautions. "To restore confidence, hotels will need to demonstrate that they have upgraded the protections available to guests using booking platforms, shared services and business centres," Egerton says. "Cybersecurity must be given the same attention as physical security."
The incidence of cybercrime will continue to rise as long as victims fail to take the necessary precautions. Hotels should prepare accordingly by setting aside money for breach remediation, fines and apologies. "You will be attacked. Assume you will be breached, and practice the routines relentlessly," Pickthorn advises. "Consult your insurer and work in partnership with their cyber experts to mitigate the risks."
Because threats are constant, Pickthorn suggests companies put in place a cyberinsurance policy as robust as the cybersecurity system espoused by Egerton. The right insurance policy provides expert help when implementing security strategies, identifies vulnerabilities and provides support in the wake of an incident.
The policy should cover the cost of identifying the cause of a breach and determining how to avoid a repeat, and should pay the expense of notifying guests of the breach and the subsequent monitoring costs.
"Criminals are constantly looking for soft targets," Egerton says, warning hotels to understand their responsibilities to guests and the changing law that defines their duties. High-quality security systems and robust insurance policies work together to foster a culture of best practice.
Hotel teams need to be well equipped to deal with this new threat. "Ensure that you benchmark limits of liability against your peer group," Pickthorn says. "Train your people properly, and make sure they know their responsibilities and duties. This is vital risk management. You cannot avoid the risk, but you can manage it before it happens, when it happens and in the aftermath."