Due to the number of high-visibility customer data thefts and losses that have occurred over the past couple of years, Congress has been under increasing pressure to enact protective legislation. 

In response, Senators Arlen Specter (R-Pa.) and Patrick Leahy (D-Vt.) introduced the �Personal Data Privacy and Security Act� in late 2005.  This legislation is intended to assist consumers to better protect the privacy of their personal information in the face of recurrent data security breaches across the country.  It is still in Committee right now (S.1789), but when this legislation is eventually brought before Congress for a vote, it is expected to pass into law.  Once that occurs, it will have a profound impact on the way that customer data will be handled going forward�especially in the hospitality industry.

The legislation states that affected business entities must be able to prove that they are doing the following: 

• Regularly assess, manage and control risks to data privacy and security consistent with the size, complexity and scope of its business 

• Publish or otherwise make available the terms of its program to the extent that such terms do not reveal information that comprise data security or privacy

• Provide employee training to implement its data privacy and security program; 

• Conduct tests to identify system vulnerabilities 

• Ensure that if service providers not also subject to these laws are retained, those service providers are capable of maintaining appropriate safeguards for personally identifiable information and are subject to contract requirements consistent with the legislation

• Periodically assess its data privacy and security program to ensure that the program addresses current threats, and  

• Implement a data privacy and security program no later than one year after the date of enactment 

The Specter-Leahy legislation is largely based on similar laws that have been passed in the State of California, which is generally thought to be the most proactive state when it comes to consumer protection. One of the key features of the legislation is a requirement that any business engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing or disposing of �personally identifiable� information in electronic or digital form on 10,000 or more U.S. persons to apply rigorous data privacy and security safeguards. This is a big change from the past when bona-fide data brokers such as ChoicePoint were the only companies held to such a high standard.

Companies that knowingly or unknowingly violate the data privacy and security program requirements, or those that cannot produce supporting evidence to the contrary, are subject to civil penalties of up to $5,000 per violation per day while such violations persist.  In addition, the U.S. Attorney General can bring civil action in U.S. district court on behalf of the residents of that state.  Recently, the Federal Trade Commission forced ChoicePoint to pay a $10 million fine, the largest civil penalty ever levied, as part of the settlement of an investigation into their security practices.

This legislation will impact virtually all hotel chains and most large independent operators because they conduct interstate commerce, and store personally identifiable information (e.g., credit card numbers) on at least 10,000 customers.  At a minimum, hospitality companies will be held accountable for documenting and maintaining all data security procedures that are in place to protect guest information from identity thieves.

You may think that since your property management system vendor handles all of your customer data, you can�t be held accountable for whether they safeguard it or not.  However, provision No. 5 above clearly states that you are in fact responsible for the actions of your service providers as well.

Beside the legal dimension, there are two other significant exposures.  First, individual consumers can initiate civil lawsuits with large potential penalties if lost or stolen customer data ultimately results in the theft of their identity.  Second, the national media has been quick to seize upon any customer data loss news.  Consequently, you might find yourself on the front page of the Wall Street Journal�and not in a good way.  The bad publicity alone could be very costly.

Hackers are everywhere, and they are constantly looking for new and creative ways to access customer data.  Yours has probably already been attacked multiple times without your knowledge.  To make matters worse, if any security weaknesses are eventually found and exploited, word of this will spread, and you will become an on-going target for other hackers�perhaps even more dangerous than the ones who came before.

The bottom line is this: if it is unclear as to whether the proper controls and procedures currently exist at your company, a complete review of the way your guest data is handled is highly advisable before it is too late.  There are a number of relatively simple things that can be done to not only lessen the likelihood that you will be attacked in the first place, but also demonstrate good-faith efforts to mitigate risk.  This becomes important if an incident does occur, and auditors later ask, �What did you do to prevent this?�

Your first step should be to conduct a compliance assessment, which is effectively a gap analysis intended to ascertain and document where your organization stands today relative to the �Interagency Guidelines Establishing Standards for Safeguarding Customer Information,� the benchmark the federal government is using to measure compliance.  The assessment is not a formal audit where the results are shared with any outside entities. The findings are yours to keep and act upon as you see fit.  Once this has been done, a custom program can be developed intended to address all seven of the key areas of focus set forth in the legislation. Considering what�s at stake, this is relatively inexpensive insurance.
.