Safety not guaranteed? – the current state of hotel security

In the hospitality sector, a positive guest experience means return stays and an enhanced reputation. A negative experience, however, can have financial and legal repercussions.

Security plays a huge role in this experience, though most actions are invisible to the guest. This is by design - hotels want their guests to be concerned with the purpose of their visit, not about their personal safety or the security of their belongings. The unfortunate truth, however, is that the industry is subject to a host of traditional and emerging risks, which, if not anticipated and addressed, may put guests, employees and belongings at risk.

Vulnerabilities include threats such as assaults and theft, as well as emerging dangers such as identity theft and cyberattacks.

"More recently, especially at international and larger, urban hotels, security has actually become more visible as the threat of terrorism continues to be an issue," says Chad Callaghan, principal for Premises Liability Experts, LLC.

Travellers expect their hotel rooms to be their sanctuary; a place where they can store their personal belongings and sleep without fear. A quality hotel room door and interior deadbolt are essential to providing this sense of security, but technology also plays an increasingly important role.

From automatic close-and-lock systems to highly sophisticated electronic keycards, hotel door-safety technology has come a long way throughout the years. Although there are a variety of keycard locking systems such as mechanical hole cards, barcodes, wired embedded cards and smart cards among others, the vast majority of respondents to 'A Survey of the Current State of Hotel Security' said they use either magnetic stripe (71%) or RFID proximity cards (21%).

In 2012, at the Black Hat security conference in Las Vegas, a security flaw in an electronic lock company's programmable keycard locks was demonstrated. Cody Brocious, a Mozilla software developer, discovered that hackers could gain access to millions of rooms using easily accessible hardware and a little programming know-how. In an interview with Forbes, Brocious explained, "It wouldn't surprise me if a thousand other people have found this same vulnerability and sold it to other governments."

Callaghan notes that with the advancement of lock technologies, hotels should consider that upgrading to RFID will allow more security so long as the lock and keycards employ advanced encryption better aimed at security. It was with this in mind that respondents were asked, "Have your keycard locks ever been hacked into or attempted to be hacked into?". Although the majority said no (73%), a comparatively high percentage (27%) did have experience of hacking.

Respondents were then asked, "Have you upgraded your door-lock systems in the past two years?". 56% had undergone upgrades, 25% had not and 19% did not know. There is likely a direct correlation between door-lock hackings and the high percentage of door-lock upgrades over the past couple of years.

According to Tom Ferguson, VP practice leader, casualty risk consulting at AIG, "If this same question would have been asked five years ago, the percentage of positive responses would likely have been much lower."

Caught on camera

Advancements in surveillance technology have proven valuable for preventing and solving crime. Video surveillance played a huge role, for example, in identifying the individuals responsible for the bombing at the Boston marathon in 2013. So it is not surprising that the vast majority of respondents currently use some form of the technology (88%).

Use of surveillance technology, however, is not without risk. It can be perceived as an invasion of privacy and potentially increase the hotels exposure to liability. It was with this in mind that respondents were asked how they addressed video surveillance privacy concerns of guests and employees.

Some of the most common responses included using cameras in public areas only; following data privacy standards including signage and guest/employee notifications; keeping recordings for a limited amount of time; and notifying employees of the use of surveillance in the employee handbook.

One way to attempt to reduce the potential of privacy litigation is through proper storage and use once a surveillance video has been recorded. Failure to establish and adhere to standards could unnecessarily expose a hotel to liability. For example, if a hotel that normally keeps a video for only a week decides to hold on to it for a longer period of time, it could increase their risk by conceivably having the video used against them in a case alleging invasion of privacy for circumventing their internal policy.

Liability might be attached because the video was not stored according to the hotel's standard business practice. In general, the shorter the time the video is kept, the less opportunity for privacy implications. Survey respondents seemed to agree. When asked, "How long do you keep surveillance videos?", 71% maintained records for less than a month.

While shorter may generally be better, experts warn that other factors also need to be kept in mind when establishing a policy on surveillance video storage.

According to Lance Ewing, IPG leader, AIG, "A rule of thumb, followed by some hotels for how long to keep surveillance videos is to keep them for the same amount of time the state allows for bodily injury suits." It is recommended facilities check with legal counsel regarding laws, including special obligations that may arise if litigation is reasonably foreseeable, and industry standards relating to this issue.

Installing surveillance cameras around the hotel pool, clubhouse and cabanas can help provide security, monitor activity and discourage bad behaviour. It can also create privacy concerns and be a source of potential liability in bodily injury cases. With this in mind, respondents were asked, "Do you use security cameras in swimming pool areas?" Although the vast majority claim to use surveillance technology, far fewer use them in swimming pool areas, with 71% responding in the negative.

If actively monitored, surveillance cameras can allow an immediate response to an ongoing crime. This can prove an effective deterrent, but also requires a substantial investment in security personnel costs. One reason many in the industry may choose not to utilise video surveillance technology is they may believe their liability will increase if cameras are installed without real-time dedicated monitoring and an immediate response to an incident.

"A hotel should first determine the purpose of surveillance at a particular location," Calaghan says. "If the reason is due to prior criminal activity in the area, then customers will likely have an expectation that the area is reasonably monitored and that security will respond if needed."

This leads to the question of "do the benefits outweigh the risk?". It appears more than half of respondents think so. When asked, "Do you have designated personnel monitoring surveillance cameras 24/7?", 36% said yes. While surveillance technology can pay huge dividends in hotel security, it can also lead to potential liability if the device is not properly operated and maintained.

Respondents were asked, "How often do you check video surveillance systems to make sure they are working properly?" All of the respondents checked on at least a weekly basis, with 57% responding daily and 43% weekly. Outdated surveillance technology may be less effective and increase the potential for liability. Respondents were asked, "When was the last time you upgraded surveillance technology at your properties?"; 43% said that they upgraded within the past one to three years, 36% had done so within the past year and 21% within the past five to ten.

Data defence

Hotels are no longer only responsible for the safety of their guests and employees, but also for protecting their personal identifiable information. Information collected and stored from customers during the normal course of business such as names, addresses and credit-card numbers could be a potential gold mine for cybercriminals. Information collected by hotels is not much different than information collected by retailers, which recently experienced some of the largest data breaches in history.

Since those breaches, there has been much discussion among retailers and financial institutions about moving away from the outdated and less-secure magnetic-stripe credit card to a more secure chip-enabled card. "Hotels are using much of the same technology as retailers that may force them to have to change," Ewing explains.

The hospitality sector has been no stranger to significant and costly breach events. According to Advisen data, the services sector is more likely than any other segment to experience a cyberincident. Just recently, a hotel management and development company with a portfolio of more than 150 properties announced it is investigating a suspected credit/debit-card breach. How an organisation prepares and responds to a data-breach incident may influence the severity of the loss from a financial and reputational risk perspective.

With this in mind, survey respondents were asked, "What safeguards do you have in place to protect your customer's personal identifiable information? Some of the responses included using third-party IT solutions; contractual provisions with vendors; internal policies around data and privacy protections; employee training; PCI compliance audit; management reviews and audits; use of encrypted software; and implementation of a data-breach response plans. In the past couple of years there has been much discussion over the costs associated with migrating IT functions to the cloud and whether the technology is more or less safe than storing it in house. Answers to such questions have yet to be determined, but will likely be on a case-by-case basis. However, with 53% of respondents claiming that they have migrated IT functions to cloud services, it appears that in the hospitality industry the IT cost-savings provided by technology is proving hard to resist.

The physical safety of hotel guests is arguably the most important responsibility of a hotel. Providing a safe environment not only reduces the potential for liability, but is also important in maintaining a quality reputation. Employing security personnel at properties is one way hotels can help ensure the safety of their guests. Respondents were asked, "Do you have security personnel on duty 24/7 at all properties?" Only 27% responded yes.

Effective preparation and training significantly increases the chances of a positive outcome in an emergency situation - 87% of those canvassed claimed to have a disaster-response/business-continuity plan (BCP). Of that number, 83% said they provided training to key personnel.

Ferguson believes the stats identify some key risk concerns: "In this day and age, for a company not to have a BCP in place, or to have a BCP but not train personnel on it, significantly increases their reputational, economic and organisational risk," he says.

Based on the overall finding of this survey, hotel owners should consider ensuring all levels of management and security are knowledgeable and operating on the same page, including franchisee operations. Advancements in technology not only create more exposures but also play an increasingly important role in responding to security breaches. The development of specific programmes can only be as good as the effective implementation and training of all staff into their purpose and proper response.