Cyber Liability Myths Exposed
By Brad Durbin - Petra Risk Solutions
In today’s e-commerce society, operating your hotel without cyber liability coverage is like attempting to drive your car blindfolded on a Southern California freeway during rush-hour traffic.
Here are three common myths and misconceptions I’ve heard repeatedly when discussing cyber liability insurance coverage with hotel owners and operators.
Myth #1 – “I use the online reservation system offered by my franchise. They’ll cover me if their system is hacked and my guest’s personal information is compromised.”
This is by far the most common misconception among hoteliers about their exposure and responsibility for a data breach. It’s easy to see why. You are using your franchisor’s reservation system, which is offered as part of your franchise agreement. Why wouldn’t they cover you if their system is hacked?
The answer is in your contract. While some franchise agreements are more favorable in this area than others, most contain special provisions regarding the use of their online reservation systems. These provisions typically state that the hotel will be responsible for defending the franchisor and holding them harmless, regardless of whether the data breach came from within the online reservation system.
The exposure is even greater for non-franchised properties using third party reservations system providers or wholesalers. I have yet to come across a contract for these services that could be viewed as favorable for the hotel in the event that the reservation system is breached.
Myth #2 – “If a hotel guest’s credit card information is stolen at the property level, my Payment Card Processing company will cover me under their policy.”
Most hoteliers erroneously assume that their Payment Card Processing Company (PCP) will have their best interest in mind in the event of a data breach. I’m not sure why. No business, regardless of how great or longstanding your relationship with them has been, will volunteer to pay significant attorney costs and consumer notification fees for you unless they are contractually obligated to do so. Not surprisingly, most PCP contracts are heavily weighted in favor of the PCP provider regardless of where the data was taken from or if the PCP company is to blame.
Your liability is even greater for a data breach that can be traced back to the hotel property level. If this happens, the Payment Card Industry (PCI) mandates that you conduct a forensic accounting audit of all your records. These audits can cost $20,000 – $25,000 for a single location, limited service property. This amount does not include fines typical for any non-compliance issues discovered during the audit.
Myth #3 – “Cyber liability coverage is a waste of money.”
Most states have laws requiring you to notify EVERY GUEST in your database upon discovery of a breach (e.g. California Senate Bill 1386). Analysts estimate that the average cost for this notification is approximately $30 per record. Multiply this by the number of records in your system, or the number of guests who have stayed at your hotel over the years, and you can see just how financially devastating these claims can become.
For a typical limited service franchised property with $2,500,000 – $5,000,000 in annual room revenue, a cyber liability policy with a $1,000,000 limit can usually be obtained for less than $7,000 annually… an extremely fair price point considering the risks and hefty costs associated with a data breach.
When a hotel data breach occurs, guests won’t know or care that another company may be responsible. They will come directly to the hotel for a remedy. The ENTIRE FINANCIAL BURDEN for notification costs, legal defense, and monetary settlement of all related claims may be borne directly by the hotel - if it does not have an appropriate cyber liability insurance policy in force.
To protect your hospitality assets, select and obtain cyber liability coverage that will address PCI fines, consumer notification costs, credit monitoring, and any government or regulatory action levied against your business in the event that a data breach is discovered. Not all cyber policies include coverage for these areas, so it’s important for you to work with a qualified hospitality insurance broker.
Securing proper cyber liability insurance coverage is a cost effective method for hoteliers to help mitigate the risks associated with owning and operating a hotel in today’s digital society.
Brad Durbin is a Hospitality Insurance Specialist with Petra Risk Solutions. For questions about Hotel Cyber Liability or any other Hospitality Risk Solutions, contact Brad at firstname.lastname@example.org.