Is Data Security a Priority for Hotels?

17 05 2010

In a recent Hotel News Now article Hotel data breaches the result of basic failures within the industry,” the editor discusses the many headlines that have recently focused on the hospitality industry. Whether, it’s Wyndham Hotels & Resorts, Radison Hotel & Resorts or the Westin Bonaventure Hotel & Suites in Los Angeles, hotels have been hit hard by data breaches. The article goes on to state that the hotel industry is lacking in very basic security measures that could have otherwise prevented these occurrences, including password resets and remote access. The first article in a five-part series, the editor points to a study conducted by The Center for Hospitality Research in association with the Cornell Hospitality Report dated September 2008. The report, “Hotel Network Security: A Study of Computer Networks in U.S. Hotels,” states, “many hotels have flaws in their network topology that allow for exploitation by malicious users, thereby resulting in the loss of privacy for guests.”

The results of the survey found that about one out of five hotels still uses an antiquated hub-based network, an arrangement that is inherently flawed in terms of security. Also, hotels are providing unsecured wi-fi connections that are not encrypted and are subject to hacking. In fact, just six of the 39 wireless properties were using encryption. So, how can hotels secure their customers’ private information and communications? While the article suggests a series of steps (all good measures), additional security measures should be taken. Between hotel suppliers, customers and employees, secure communication should be established both internally within the hotel and external to other business partners. A complete solution from encrypted ad hoc information and file transfer to an enterprise-wide solution that goes beyond the four walls of the hotel is necessary to provide the most secure infrastructure possible.

Have you experienced a security breach while staying at a hotel?


What Would a $140 Million Loss Mean for Your Business?

14 05 2010

A recent Computerworld article, “Heartland breach expenses begged at $140M — so far,” discusses the devastating effects of the Heartland Payments Systems Inc. data breach, costing the company $139.4 to date. In Heartland’s case, credit card data was compromised from the company’s network last year. The 139.4m includes settlement money from class action law suits, data breach fines and ongoing litigation fees. Moreover, no price can be placed on the damage done to its reputation. Consider it a precautionary tale.

How can you prevent this from happening to your organization?

Security measures such as firewalls are not enough to prevent a data breach and while FTP might be a “free” file transfer solution, it’s not secure. The key to ensure a data breach doesn’t happen to your business is B2B Managed File Transfer and Communications.

  • Ensure security throughout the entire file transfer process
  • Verify that only authorized customers and partners can send data into your network
  • Protect your mission-critical data in and out of the DMZ
  • Verify authorization before data is passed through your internal firewall
  • Secure ad hoc communications including large files and attachments

How protected is your network?

The Law of the Land – States Without Data Breach Laws Face Serious Problems

12 05 2010

There are currently four states in the US that lack any data breach legislation.  Alabama, Kentucky, New Mexico and South Dakota make up this list.  It is great to see that so many states are currently pursuing legislation and have legislation in place to make data breaches less dangerous for those involved.  However, with four states still lagging behind in this area, many companies are still not liable for notification because of location.  For instance, many companies that would normally have to report any sensitive data loss or breach in their business may not have to with their corporate headquarters located in these areas.

Kentucky recently suffered a data breach with the Our Lady Peace hospital compromising thousands of patients’ personal information.  The hospital did notify the patients, which was very positive in a state where it is not made mandatory.  However, it’s clear that breaches can occur anywhere and thus, everywhere needs to have some laws in place.

I’m certainly not calling out states to force companies to reveal data breaches, but when someone’s data is in the wrong hands, it’s important for them to know so that they can take the necessary action to prevent any problems.  This has nothing to do with company integrity.  This is about people who may suffer a fate of financial downfall or complete identity theft with the loss of their data.

States without data breach laws are soon to follow as their ranks shrink.  With Mississippi enacting data breach legislation this year, it is becoming apparent that data security is necessary in this increasingly data-filled world.

As we continue to discuss Data Breach Laws in our “Law of the Land” blog series, look for your own state to learn more about what laws are in place.

The Law of the Land – Data Breach Laws in the US

30 04 2010

As data security continues to become more of a priority for countries worldwide, the US has begun developing more and more legislation each day.  Most laws are state-by-state, with only a few federal laws in place.  We will be covering these state laws more in-depth in an effort to provide a better understanding for everyone.  To begin, let’s take a look at some recently passed laws in Mississippi and California.


A bill has just passed in the California Senate that will expand data breach notification laws in the state.  After already passing SB-1386 in 2003, the state is looking to expand this law.  SB-1386 requires any person, business or government agency that comprises data that is not their own to notify those who have been affected by the data breach.  Under this law, the breached person or organization does not have to reveal the amount of information affected, what was affected and various other specifics.

SB-1186 is the proposed law that would make this information necessary within the notification of those affected.    It would also require breaches of 500 or more records would need to be submitted to the state attorney general’s office.  This bill has just passed the California Senate and is awaiting deliberation in the House.  This bill has already been presented once and was vetoed by Governor Schwarzenegger.


Mississippi became the 46th state to pass data breach legislation earlier this year.  By passing House Bill 583, the state requires “any person who conducts business in this state” to notify the “owner or licensee” of the data that they manage of the breach.  This does not require any specific information to be included in the notification, but it is also the first piece of data breach legislation that the state has deliberated over.  The state allows a delay of notification if authorities believe that it will hinder a criminal investigation.

These are the two most recent states deliberating and passing data breach notification laws.  After California’s landmark SB-1386, 46 states have followed suit.  This leaves Alabama, Kentucky, New Mexico and South Dakota as the last four states without legislation.  We will be discussing the laws state by state as time goes on.  Keep an eye out for your state in the future!

Thoughts about the “Study: Frequent password changes are useless” article on Yahoo News

17 04 2010

I recently read the article Frequent password changes are useless

After giving this some thought, a couple of things struck me as being very important but easily overlooked. Both are related to this paragraph,

“Rather, frequent password changes are simply a waste of time and, therefore, money. According to the Microsoft researcher’s very rough calculations: To be economically justifiable, each minute per day that computer users spend on changing passwords (or on any security measure) should yield $16 billion in annual savings from averted harm. No one can cite a real statistic on password changes’ averted losses, but few would estimate it’s anywhere approaching $16 billion a year.”

The article says “frequent password changes are simply a waste of time” and it does not define frequent. By frequent do they mean daily, weekly, monthly? I would not think that changing passwords once a quarter would qualify as frequent.

Note that that $16 billion is not for each company! It’s for the national aggregate. If your company only looses $1 million, that’s simply a small piece of the aggregate pie; but, for many companies, it could mean bankruptcy or, potentially, years of expensive, personal data breach litigation. If memory serves correctly, defense against this type of litigation depends heavily on having taken every ‘reasonable’ precaution. If one of those reasonable precautions is deemed to be frequent changes of passwords, then never changing passwords or changing them only once per year could mean additional loss of millions in court battles. Oh, one must also remember the fines and penalties if data protection laws are violated and loss of credibility in the market place when it’s your company that gets compromised.

Something to think about.

“You Can’t Handle the Truth!”

20 01 2010

This iconic quote from the film A Few Good Men is brought to mind when discussing data breach notification laws.  But, as Tom Cruise demands, we want the truth!

So, what’s the big deal about data breach notification?  Your information is compromised and someone tells you, right?  Wrong.  While we would like to think that all companies are responsible enough and have the ability to bring such awareness, that is not always the case.  Without proper legislation to ensure that all data breaches are given decent exposure, you may very well have been compromised without even knowing it.

According to this nifty little graphic and article from CSO Online, there are still 6 states in the US without any legislation regarding data breach notification.  Furthermore, Wisconsin, Ohio and Florida are the only three states with specified deadlines for notification.  So, what’s being done?

In short: not a lot.  But, there’s hope.  We have to look to the bottom (geographically) to see who’s on top!

Florida seems to be setting the standard as far as data breach notification laws are concerned.  The notification deadline policy reads: without unreasonable delay, within 45 days for owners of data, within 10 days for those who don’t own data.  Civil and criminal penalties can be assessed upon a failure to be prompt about notification.  I believe that this solid number makes all the difference because it gives a tangible time line for such issues when they arise.  Urgency becomes necessary, not just preferred.

So, how do we get the truth that we demand?

Well, for starters, President Obama’s appointment of a cyber-security “czar” will hopefully begin to bring correct perspective to the problems that arise within data security.  Also, demanding better legislation from your Representatives and Senators could bring about some action.  Ultimately, it’s up to the corporations to become accountable.  One thing is certain, as customers become more and more aware, the gap between responsible and irresponsible companies will widen.  And that, as a customer, is where you hold the power.

How Colleges are Becoming Data Breach Gold Mines

15 01 2010

Image Courtesy of Fleming College

In the past few weeks, there have been four separate US collegiate data breaches announced.  The total number of records compromised was around 200,600.  From a successful phishing attempt to a malicious file sharing software installed on network machines to a malware assault and a direct hack into a university library system server, all of these breaches swiftly pilfered large amounts of data with ease.

So, why colleges?  What do universities have that make them so susceptible to massive data breaches?  The answer is in the body.  The student body, that is.  A university’s main source of income is people.  The best way to track these moneymakers is to contain their information.  As anyone who has ever filled out a college application knows, they receive every minute detail about one’s past and present, right down to mother’s maiden name and father’s yearly income.

Employees in universities need access to this information as well, since each department, whether it’s the health clinic or the registrar, deals with students.  The amount of users with access to it all is exponentially larger than an average organization containing such data.

The end result is a gold mine for data breaches.

As a college student, I know that we tend to have money trouble as it is.  To have our information then stolen by someone who plans to use it for monetary gain is just icing on the stale cake of financial problems.

So, as always, what’s the solution?  Well, it may be easier than we think.

For instance, instead of simply password protecting student information, perhaps encryption could help contain the information within the database.  Any hacker could phish a password, but to run into detailed encryption upon entry would deter many of them.  Also, the use of a secure and compliant file transfer solution would eliminate any holes during correspondence with the database and its users.  Whether in rest or in motion, the data could maintain security only accessible by the sender and receiver.

As we move forward, colleges should aim to secure all of their critical data and make 2010 safe for students everywhere.  Also, avoiding tuition hikes would be nice.  Just sayin’.