Category Archives: Privacy

Hospitality Industry Legal Risks: Hotel “Mobile Applications” Must “Post Privacy Policy” Allowing Guests To “Access And/Or Request Changes To Personal Information”

“…In the case of an online service, “conspicuously posting” a privacy policy requires that the policy be “reasonably accessible…for consumers of the online service…the consumer (must be able) to access or request changes to personal information, (and) the operator of the site will notify consumers of changes, and the effective date of the policy…”

Hotel companies are actively entering the mobile application space as a means of gaining market share and solidifying guest relations. In addition to online travel agents like HotelsbyMe.com, a number of brands including Omni, Choice and Starwood have developed mobile applications. However, as mobile applications gain popularity, hotel companies should consider how privacy and security laws will impact how they can use those applications.

For companies with operations in California, that issue was highlighted on December 6, 2012, when the California Attorney General filed a lawsuit against Delta Airlines for failing to include a privacy policy with a smartphone application. The lawsuit, the first of its kind, alleges that Delta violated California law requiring online services to “conspicuously post its privacy policy” by failing to include such a policy with its “Fly Delta” mobile application.

The California online privacy law

In 2004, California enacted the California Online Privacy Protection Act (“CalOPPA”). This law requires operators of websites and online services to “conspicuously post” privacy policies about the personal information that is collected, how the consumer can access or request changes to personal information, how the operator of the site will notify consumers of changes, and the effective date of the policy.

In the case of an online service, “conspicuously posting” a privacy policy requires that the policy be “reasonably accessible…for consumers of the online service.”

CalOPPA does not define an “online service” or mention “mobile” or “smartphone” applications, likely due to the fact that in 2004, smartphones and mobile applications were just being developed. However, the California Attorney General considers any service available over the internet or that connects to the internet, including mobile apps, to be an “online service.”
For more:  http://www.hotelnewsresource.com/article68597Hotel_Lawyer_on_How_New_Privacy_Law_Enforcement_May_Affect_Your_Mobile_Apps_Used_in_Marketing_.html

Filed under Guest Issues, Liability, Management And Ownership, Privacy, Risk Management

Hospitality Industry Security Risks: Hotel "Electronic Room Locks" Opened With "Hacking Device" Tool Disguised As "Dry Erase Marker" (Video)

Video: http://www.youtube.com/watch?v=QyN-8CeNSZg

A trio of hackers have built a tool that appears to be an innocent dry erase marker, but when inserted into the port on the bottom of a common form of hotel room keycard lock triggers the lock’s open mechanism in a fraction of a second.

The security researchers who spend their days breaking into clients’ systems to find and fix security vulnerabilities often call themselves “penetration testers,” or “pentesters.” But one group of hotel lock hackers just gave the term “pentest” a very different meaning.

The inconspicuous lock hacking device is an adaption of one demonstrated at the Black Hat security conference in July by Cody Brocious, a hacker and software developer for Mozilla, who discovered and exploited a vulnerability in Onity locks, a cheap and popular hotel room lock that the company says are used on at least four million hotel rooms worldwide. Through the port on the bottom of the lock intended for a device that hotels can use to set master keys, Brocious found he was able to read the lock’s memory, including a decryption key stored on the locks that gave him access to their opening mechanism.

Filed under Crime, Guest Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology, Theft

Hospitality Industry Information Risks: Federal Trade Commission (FTC) Sues Hotel Operator Over Guest Account Data Theft That Results In Over $10 Million Of Credit Card Fraud

“… fraudulent charges on Wyndham’s consumer accounts totaled more than $10.6 million following three data breaches in less than two years. The breaches occurred in April 2008, March 2009 and in late 2009…”

The Federal Trade Commission said repeated failures to secure consumer data led to hundreds of thousands of consumers’ payment card information being exported to an Internet domain address registered in Russia.

Wyndham, which operates several hotel brands, including the value-oriented Days Inn and Super 8, is one of a large number of organizations that acknowledged in the past three years that they had been hacked by people seeking either financial gain or intellectual property.

Other victims have included entertainment giant Sony, the International Monetary Fund, Google, Lockheed Martin and Citigroup.

For more: http://www.reuters.com/article/2012/06/27/uk-ftc-wyndham-idUSLNE85Q01Q20120627

Filed under Crime, Guest Issues, Insurance, Liability, Management And Ownership, Privacy, Risk Management, Theft

Hospitality Industry Information Security: Hotel And Restaurant Guests Face Increased Risks Of "Credit Card Cloning"; Stolen Data Rewritten Onto New Cards And Used Instantly

 “…an unscrupulous restaurant waiter with a pocket skimmer might be able to steal information from hundreds of customers a week, selling that information to those with the means to encode fake credit cards. Battery-powered skimmers can be carried in a pocket…copying information as customers swipe cards to pay for gas or withdraw cash…”

The (stolen) information then can be emailed or downloaded over the Internet and rewritten onto any card with a magnetic strip, such as gift cards or hotel keys. While the victim’s credit card is still in his or her possession, someone could be using a perfect replica hundreds of miles away.

The process, called “cloning,” accounts for much of the growth in credit card fraud during the past few years, officials said. According to a Javelin Strategy and Research report, credit card fraud has increased 87 percent since 2010, culminating in aggregate losses of $6 billion nationwide.

Credit card cloning is easy and lucrative, accounting for its popularity, said Sileo, who founded the Web site Thinklikeaspy.com.

People whose cards are skimmed might not know for weeks or months that their information has been stolen. Once someone realizes it, the account usually is closed quickly. Savvy crooks know to rack up major bills just as fast.

Read more here: http://www.kentucky.com/2012/06/24/2236535/financial-crimes-credit-card-cloning.html#storylink=cpy

Filed under Crime, Guest Issues, Liability, Management And Ownership, Privacy, Risk Management, Theft

Hospitality Industry Security Risks: Texas Hotel Guests Have Laptop And iPad Stolen From Room; GPS Tracking Feature Leads Police To Thieves

“…Police say hotel guests returned to their room to find their key card no longer worked. Once they had a new key, they discovered someone had stolen a laptop computer, wallet, a cell phone and the iPad from the room…”

Officers were able to track down an iPad stolen from a room at the Omni Bayfront Hotel to a home on the southside of town early Sunday morning.

The owner of the iPad used a tracking feature on the device to let officers know they could find the iPad at an address on High Meadow Drive. Police say when they arrived at the home they could see people inside and marijuana in plain view.

The people inside refused to answer the door for police at first, but someone inside did answer the victim’s phone when police called.

For more:  http://www.kristv.com/news/hotel-guests-help-track-down-theft-suspects/

Filed under Crime, Guest Issues, Liability, Management And Ownership, Privacy, Technology, Theft

Hospitality Industry Guest Risks: Police Arrest Massachusetts Hotel Guest For "Disturbing The Peace" After Refusing To Cease Loud Noises In Room

“…hotel security personnel stated that they had received multiple complaints relative to loud and unsettling noises coming from one of the rooms in the hotel…”

“…When told the hotel had a right to disinvite guests for bad behavior and excessive noise, the individual continued to verbally disrespect and disparage the officers. Officers arrested (man) and charged him with Disturbing the Peace…”

Officers responded to a call for a person or persons producing excessive amounts of noise at 1 Avenue de Lafayette (Hyatt Hotel). Security personnel further stated that occupants of the room were asked to put an end to the loud noises or face the prospect of being asked to leave the hotel.

Despite repeated warnings, the occupants continued to generate disturbing noises. When told they, the occupants, had to leave, the occupants told hotel security they weren’t going anywhere. Officers proceeded to the room to break the bad news to the occupants.

Upon entering the room, officers observed several empty beer and wine bottles strewn about the room. While officers were in the middle of providing an explanation as to why the occupants had to leave, one individual in particular began yelling and complaining about his rights.

For more:  http://www.bpdnews.com/2012/05/17/checking-into-a-hotel-is-one-thing-being-asked-to-check-out-for-bad-behavior-is-another/

Filed under Crime, Guest Issues, Labor Issues, Management And Ownership, Privacy

Hospitality Industry Technology Risks: Hotel Internet Connections Pose New Risks For "Malicious Software" Infecting Guest's Computers

The FBI said typically travelers attempting to set up a hotel room Internet connection were presented with a pop-up window notifying the user to update a widely used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.

The FBI today warned travelers there has been an uptick in malicious software infecting laptops and other devices linked to hotel Internet connections.

The FBI wasn’t specific about any particular hotel chain, nor the software involved but stated: “Recent analysis from the FBI and other government agencies demonstrates that malicious actors are targeting travelers abroad through pop-up windows while they are establishing an Internet connection in their hotel rooms.

The FBI also recommends that travelers perform software updates on laptops immediately before traveling, and that they download software updates directly from the software vendor’s website if updates are necessary while abroad.”

For more:  http://www.itworld.com/security/276162/fbi-issues-warning-hotel-internet-connections

Filed under Guest Issues, Maintenance, Management And Ownership, Privacy, Risk Management, Technology

Hospitality Industry Information Technology Risks: Hotel And Restaurant "POS Systems" Are The #1 Target Of Criminal Data Breaches

If a criminal can breach a system in the restaurant, they also have access to the front desk, the spa and any other connected system. The risk is even greater when hotels are part of a hotel chain with interconnected systems.

Franchise businesses are particularly at risk primarily because franchises tend to have the same POS system duplicated at all locations. If a cybercriminal can figure out a way to breach one, in all likelihood, they can replicate the attack at other locations.

In 2011, Trustwave SpiderLabs conducted 42 percent more data breach investigations than in the previous year. More than 85 percent of these data breaches occurred in the food and beverage, retail and hospitality industries.

Why the focus on these industries? There are several reasons, but the number one is that they all process credit cards. In our investigations, we found that the vast majority of assets targeted by criminals were point-of-sale software systems (75 percent of cases). Think of the scenario of a hotel that maintains a restaurant, a spa, as well as other services all connected to one POS system. We’ve investigated cases where the criminal breaches the environment at one location and was in turn able to connect to dozens of others through the wide area network used by the hotel chain.

For more:  http://www.forbes.com/sites/ciocentral/2012/04/11/restaurants-beware-hackers-want-your-customer-data/

Filed under Crime, Guest Issues, Liability, Maintenance, Management And Ownership, Privacy, Risk Management, Technology, Theft

Hospitality Industry Crime Risks: "End Child Prostitution And Trafficking (ECPAT)" Seeks Hotels' Assistance In Fighting Internet Prostitution

End Child Prostitution and Trafficking (ECPAT) has been trying to enlist the help of hotels in fighting prostitution by agreeing to:

CODE OF CONDUCT FOR THE PROTECTION OF CHILDREN FROM SEXUAL EXPLOITATION IN TRAVEL AND TOURISM

THE SIX CRITERIA

Suppliers of tourism services adopting the code commit themselves to implement the following six criteria:
1. To establish an ethical policy regarding commercial sexual exploitation of children.
2. To train the personnel in the country of origin and travel destinations.
3. To introduce a clause in contracts with suppliers, stating a common repudiation of commercial sexual exploitation of children.
4. To provide information to travellers by means of catalogues, brochures, in-flight films, ticket-slips, home pages, etc.
5. To provide information to local “key persons” at the destinations.
6. To report annually.

http://www.ecpat.net/ei/Programmes_CST.asp

Human trafficking is the second-largest organized crime in the world. The U.N. estimates more than one million children, the majority of them girls, are sexually exploited each year in the multibillion dollar sex industry.

The ease with which traffickers can use the Internet to sell sex has changed the way the sex trade operates. Instead of working the streets, women and girls are increasingly being sold in hotels.

But ECPAT executive director Carol Smolinsky says many hotels have balked at some of the policies the organization asks them to follow.  “When a company signs the code of conduct it has to have a policy against sexual exploitation of children,” Smolinsky says. “Over these years it’s been frankly shocking to me that even the step of having a policy against sexual exploitation has been troubling shall we say for them.”
One of the requirements of the code is that hotels inform their customers of that policy.  “One problem we’re having in our industry is some of the things they’re asking the hotels to do,” says Joe Mcinerney, president and CEO of the American Hotel and Lodging Association. “Putting notices in the rooms… they feel that might be an intrusion into customers thinking that maybe there is a problem at that hotel.”

For more:  http://www.voanews.com/english/news/usa/Nun-Helps-Lead-Fight-Against-Hotel-Prostitution-145761575.html

Filed under Crime, Guest Issues, Insurance, Liability, Management And Ownership, Privacy, Risk Management, Training