Identity theft is rapidly becoming a widespread concern for leaders of all industries in this age of advanced technology. 

A December 2005 Reuters report found a series of cases in which personal information about a company’s customers or employees was stolen or missing, including incidents at the Bank of America Corp. and The Boeing Company. 

The hospitality industry is also no stranger to these data invasions. 

David Bleser, vice president of Hospitality Safeguards Inc. and the vice chairman of the loss prevention committee for the AH&LA, stated during his presentation at last week’s Hospitality Law Conference in Houston that he worked with over 30 incidents of identity theft in the hospitality industry in 2004. Of these cases, approximately 40 percent were due to documents containing sensitive data, printed by the hotel, that were exposed in areas accessible to the public and on bulletin boards in the back of the hotel. Sixty percent of the cases were due to access and theft by corporate/hotel staff. In several cases, individuals were able to obtain credit card information and other personal information about the guest by simply making several phone calls to either the hotel or to central reservations.

If hotel operators weren’t already concerned about thwarting identity theft at their properties, proposed legislation now on Capitol Hill will make them think twice. 

The Personal Data Privacy and Security Act, proposed in July of last year, passed through a full Senate Judiciary hearing in November and is currently on its way toward final approval. If the legislation is given the green light, hotels could be held more responsible for maintaining and documenting mandated data security procedures. 

A Case Study 

In November of last year, Marriott Vacation Club International (MVCI), the vacation ownership division and subsidiary of Marriott International, discovered that backup computer tapes containing data, including addresses and in some cases credit card information, pertaining to approximately 206,000 associates, timeshare owners and timeshare customers were missing from the corporate office in Orlando, Fla. 

According to spokesman Ed Kinney, the announcement of the loss was delayed in order to begin an internal investigation to search for the tapes, determine how they disappeared and to prevent a recurrence. Although the tapes require specialized equipment to access content, MVCI says it took precautionary steps to monitor for unusual activity or possible misuse of the data and notified the appropriate authorities. 

“To date there has been no incidence of reported misuse of the information by those affected,” says Kinney. They have not yet discovered any specific personnel, in-house or otherwise, who were responsible for the disappearance of the tapes. “The investigation will be ongoing until they exhaust all options,” he says. “The Secret Service and local law enforcement authorities are working on it.” 

Consequences of I.D. Theft 

According to a Federal Trade Commission study from 2003 (the most recent statistics available), identity theft cost Americans $5 billion and American businesses $48 billion. 

Securing data and developing a strategic response plan for when a breach occurs is not only a primary technology concern but also a personnel concern for the hospitality industry. According to Dorian Cougias, CEO of Network Frontiers, a network technology consulting firm based in San Francisco, “75% of all ID theft is conducted by employees in the hotel industry.” 

And the pricetag of I.D. theft doesn’t end there. Costs associated with potential legal defense, customer notification, crisis management and lost business could add up to millions of dollars per breach. 

Finding Solutions 

To combat the rise of identity theft, the major credit card companies developed their own set of guidelines for merchants and payment processors to protect the most common target of identity thieves: consumer credit card information. These guidelines, referred to as the Payment Card Industry (PCI) security standard, are intended to serve as “best practice” requirements that all processors of credit cards should follow to ensure that consumer information is properly protected. 

Late last month, RSA Security Inc., a developer of technology solutions for digital and Internet security, announced the introduction of its new RSA Key Manager software, which enables businesses to manage the lifecycle of encryption keys. Data encryption and key management are most often the areas in which 85% of affected companies audited fail to meet the PCI standard, according to the research firm First Data Corporation. Key management is essential to encryption strategy; if a key is compromised, the data protection offered by the encryption is ineffective. 

According to Komal Lahiri, product marketing manager at RSA Security, “The RSA Key Manager provides an application programming interface that is integrated at the application level (this could be a POS system or PMS (Property Management System) or any other application that provides the integration capabilities). RSA Key Manager is designed to solve the encryption key management problem in a centralized, easy-to-use and scalable manner.” 

Accor North America, which operates more than 1,200 upscale and economy hotel properties including Sofitel, Novotel, Ibis, Red Roof Inn, Studio 6 and Motel 6, implemented the RSA Key Manager and RSA ClearTrust access management software to address the PCI requirements for data security. 

Harvey Ewing, senior director of IT security at Accor North America, says, “RSA Key Manager software enables us to efficiently manage encryption keys generated enterprise wide, irrespective of operating system or backend database, providing us with unprecedented flexibility in our integration of encryption to existing applications and infrastructure.” 

Accor deployed the software from the point of collection through to the back-end databases (the data cycle) at each individual hotel. RSA provided software at the front end (at the POS system). From the moment the guest’s card is swiped at the front desk to the back end where the data is encrypted (CRM reservation system), the data is protected from beginning to end. Sensitive information is secured with the key management software, which requires specific conditions for authorization to log into the system. The software allows Accor to integrate encryption with applications in its current infrastructure, in addition to providing programs that interface with new applications. Accor says it expects to complete installation over the next 6-8 months across its 1,200 properties. 

Michael Squires, spokesperson for Northwind, a hospitality operations software supplier, says more regulatory power could be held by the federal government if the Personal Data Privacy and Security Act is approved. The legislation would require prompt notification when security breaches occur and would set minimum standards for data security. For hotel operators, that means more accountability when it comes to maintaining and documenting mandated data security procedures. 

“Hotels should be proactive in preventing and in creating a response plan for I.D. theft,” says Bleser. “Our experience shows by having a proactive plan in place it can have a significant and positive effect on the hotel’s bottom line.” 

 


bettinamarks administrator