Has Hyatt Hotels Learned Its Lesson From Series of Breaches?
Especially following another point-of-sale data breach for the hotel chain, continued negative publicity can reduce the public's trust in a brand.
October 26, 2017 at 01:16 PM
5 minute read
Hyatt Hotel. Photo by Diego M. Radzinschi.
A recent data breach at Hyatt Hotels has led the hotel chain to apologize and once again strengthen its cybersecurity.
The most recent incident, in which data at 41 properties was stolen at point-of-sale systems, follows earlier breaches in 2015 that reportedly impacted some 250 hotels. And while Hyatt Hotels has formally apologized for the incident and said it will ramp up security, some are wondering whether the company has learned from it.
“Every breach is a lesson that there is more that can be done,” Robert E. Braun, an attorney at California-based Jeffer Mangels Butler & Mitchell, told Legaltech News.
This breach occurred at point-of-sale systems, which Braun described as “the common factor in most hotel data breaches.” He noted, “We don't know what Hyatt did in response to the first breach, but they presumably would have audited their third-party systems and received confirmation that their vendors had taken the appropriate steps to protect their systems.”
Braun also said the company “should have—and may have—reviewed its procedures and policies so that they can avoid breaches where possible, and in the case of a breach, discover and react to them promptly.” Though in this case, he added, “it does appear that Hyatt discovered the breach fairly promptly.”
The hotel chain discovered the most recent breach in July, and it was announced to the public earlier this month. It took place at the hotel locations between March 18, and July 2, 2017, according to a company statement from Chuck Floyd, global president of operations at Hyatt Hotels.
Specifically, the breach involves “unauthorized access” to “payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations,” the hotel company said. It was revealed the breach was caused by using a “malicious software code from a third party onto certain hotel IT systems.”
In response, the company undertook what it describes as a “comprehensive investigation to understand what happened and how this occurred, including engaging leading third-party experts, payment card networks and authorities.” That investigation led to the company implementing “enhanced cybersecurity measures.”
Yet, there are consequences to a company from continual breaches. Braun said these could include:
- Continued negative publicity reduces the public's trust in the brand. That will likely have an impact on loyalty.
- It “suggests” the company “isn't able to identify, quantify and remediate its risks, which can further deteriorate trust in the firm.”
- It also means that more resources will need to be devoted to data security, which can only come by taking away resources from other areas, such as marketing, product development or other key areas.
- Even if the direct costs of a breach might be covered by cyber liability insurance, the secondary costs of lost business and lost trust are difficult to overcome.
“It's important to move beyond a reactive position and get ahead of the issue,” Braun advised. “Companies that have been subject to a data breach need to do more than simply report the breach and fix the individual problem. They need to analyze their risk profile and create a culture of security and privacy. Security issues have more to do with individuals than just technology, and the corporate culture that prioritizes awareness of security will be more effective in avoiding and responding to threats. This goes beyond computer technologies—treating all guest information with care, by all levels of the company, will go further to reduce business and legal risks.”
David Thaw, a professor at the University of Pittsburgh School of Law, further told Legaltech News, “There are many reasons an organization may experience multiple breaches, ranging from gross negligence to being an attractive target for repeated attacks by the most sophisticated attacks.” However, he added, “The most important thing is not to jump to conclusions in the absence of necessary technological details.”
Looking ahead, Braun added that Hyatt should take a “fresh, top-to-bottom approach. Even if the company has conducted a complete risk assessment, it makes sense to start from the beginning, and identify the risks the company must take, those it must avoid at all costs, and how to minimize the remaining risks. These lead to changes in policy to reflect a better understanding of the company's risk profile, and help drive the company to a culture of security.”
Similarly, Nicholas Tella, director of information security at Johnson & Wales University, said support at the company's board level “is critical. Providing proper financial support for the requisite network security tools and the hiring of highly skilled staff—legal and information security—should be part of the company's strategic approach to cybersecurity.”
“To be truly effective, cybersecurity must become part of a company's ethos and fully adopted and implemented by employees at all levels and strictly monitored for adherence by connected partners,” Tella added.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250