Plotting a Clear Path to CCPA Compliance in Hospitality

The recent Marriott International data breach affecting about 5.2 million guests, and the one just one year before it, show how the connection between California Consumer Privacy Act (CCPA) compliance and cybersecurity can profoundly impact businesses in the hospitality sector. Under CCPA, Marriott could face breach-related fines totaling $750 per victim. With the Attorney General (AG) starting enforcement in July 2020, hospitality sector businesses must have solutions implemented and working.

CCPA requires that covered businesses put mechanisms in place for consumers’ right to access, delete, and opt-out, and for the other requirements of the California privacy law. Civil penalties from the AG can start at $2,500 per violation and go as high as $7,500 if deemed willful. When the same violation is repeated across thousands of customers, the collective fine can be astronomical. This creates a complex web of changes for hospitality sector businesses like hotels and restaurants, covering:

  • Data collection and retention policies and technologies
  • Internal and external access policies
  • Breach notification policies and audits
  • Mobile and website updates
  • Cloud strategy integration
  • Crucial workflow and system creation for managing data rights requests
  • Wi-Fi networks, application access, guest booking systems and records integration

The result is a heavy burden of process, policy and technology implementation to meet CCPA regulations on top of the cybersecurity needs of data privacy and protection. One reason is that hotels and restaurants often run a mix of legacy and new technologies, which makes updates, data tracking, and security more cumbersome. We can see this in Point of Sale (POS) systems, back-end systems and network integration.

Required changes for CCPA compliance must make transparent to end users how personally identifiable information (PII) is routed, stored and accessed, so that removal requests are easy to fulfil and safeguards can be audited. These policy and IT infrastructure changes become even more complicated in hospitality enterprises where individual branches are connected to the organization’s national or international network. This means that guest and patron PII may be sent to the cloud before ending up in a data center database that other branches can access.

What’s needed is a broader cybersecurity and CCPA compliance data cloud strategy to ensure data safety both locally and beyond the branch’s individual network to the cloud. Data trails may go back years with sensitive payment information, passport data and contact details.

This requires data security and CCPA compliance mechanisms, in IT system software and hardware, that automate PII access and retrieval on request, deletion, and customer email verification notices.

Third-party suppliers also present challenges in meeting CCPA requirements, since their personal data privacy safeguards and CCPA compliance may be unknown. Hospitality businesses must implement protocols and systems for consistent monitoring and auditing of each supplier’s security and CCPA compliance measures. The overall task of meeting CCPA requirements may seem large, but a holistic approach can make reaching that goal cost-effective and easier.

Post by Jon Mendoza, CISO
June 16, 2020