Hard Rock & Loews Hotels Breaches Stress Critical Need for Better Data Protection
July 19, 2017 at 09:32 AM
The original version of this story was published on Law.com
With the onslaught of high-profile breaches so far this year, encryption alone has proven it is no longer enough to protect sensitive information, especially against next-level threats like ransomware. The recent Hard Rock Hotels & Casinos and Loews Hotels breaches highlight the need for better data protection across all industries—especially those that use personally identifiable information (PII), such as hospitality and retail. Businesses today have become increasingly reliant on vendors to streamline internal operations, outsource tasks, manage employee productivity, and more.
In the case of Hard Rock Hotels, the attacker gained unauthorized access to a third-party reservation system to attain unencrypted credit card payment information, as well as some guest names, addresses and phone numbers. This breach serves as an example of the dangers third party companies can pose to enterprise data that is not properly protected, and opens up a larger discussion around traditional encryption.
Ermis Sfakiyanudis, president and CEO of Trivalent, sat down with Inside Counsel to discuss how companies can get ahead of data breaches. “The only way to get ahead of data breaches is to address them as a likely probability, rather than an impossibility. Only then will enterprises begin to embrace next generation protection that secures data at the file level, rendering it useless to unauthorized users—even in the event of a breach,” he said.
“Most of the recent breaches prove that breaches happen to organizations in virtually any industry—hospitality, retail, healthcare, etc. In this case, guests' PII data, such as names, addresses and credit card information, was stolen in an unexpected hack,” Sfakiyanudis said. “No matter what industry an organization is in, they have critical data that needs to be protected. The rising number of data breaches proves that traditional security methods are no longer enough to protect sensitive data from next generation threats.”
Today, industries that process, store and transmit consumer PII data have a responsibility to keep this information safe because a potential breach doesn't just impact the organization—it puts consumer safety at risk. Every time a consumer swipes their card or makes a purchase, they are trusting that organization to keep their personal information safe from unauthorized users and hackers. Industries like retail and hospitality use PII data for guest purchases/accommodation bookings and reward programs, and they are often targeted by hackers for this information, but virtually every organization acquires, uses and stores PII.
“Companies are relying on the third party to properly secure sensitive information stored on any device or database managed by the third-party company,” explained Sfakiyanudis. “To ensure that third-party companies are not the weakest link, and only have access to the files they need when they need them, companies need to think beyond traditional security and encryption to keep their sensitive data protected at all times.”
This breach has proven that traditional encryption alone is not capable of protecting data. Hackers are always finding ways around encryption, and organizations must accept that their systems may require a security upgrade. Next-generation threats, such as ransomware and malware, are on the rise, and encryption alone cannot protect against these threats.
He said, “The only way to prevent these threats is through data-centric security protection as part of a defense in depth security architecture. Enterprises need to protect their data at the file level so it remains useless to anyone but authorized users—even in the event of a breach.”
So, how can companies get ahead of data breaches? According to Sfakiyanudis, organizations must think about data protection proactively, rather than reactively. Recognizing that their organization will be breached, company leaders must develop a defense-in-depth approach to protecting critical information, preparing them to handle any threats as they arise.
Sfakiyanudis shared some best practices for enterprises to get ahead of data breaches. Many organizations do have some type of incident response plan to follow in the event of an attack – these plans are only effective if they are fluid and constantly updated as organizational practices and staff change. Additionally, organizations should charge their security teams with staying up to date on data protection technology and next-level threats, and empower them with the tools to ensure the organization is doing everything possible to protect its information.
“If company leaders make data protection a constant priority, that vigilant approach to information security will flow down through the rest of the organization,” he said. “If data security is something that is top of mind for everyone within an organization, companies are much better prepared to keep their data safe and act swiftly in the event of a breach.”