A Survey on the Current State of Hotel Security

Transcription

1

2 Executive Summary In the hotel/hospitality sector, a positive guest experience can mean return stays and a good reputation. On the other hand, a negative experience can have both financial and legal repercussions. Security can play a huge role in this experience, although most actions are transparent to the guest. This is by design: hotels want their guests to be concerned with the purpose of their visit, not about their personal security or the security of their belongings. This survey was designed to help identify some of the industry s most significant security challenges and to provide insight into current security practices and trends. The unfortunate truth, however, is that the industry is subject to a host of traditional and emerging risks, which if not anticipated and addressed may put guests, employees, and belongings at risk. Vulnerabilities may include threats such as assaults and theft, as well as new threats such as identity theft and cyber-attacks. According to Mr. Chad Callaghan, Principal for Premises Liability Experts, LLC, More recently, especially at international and larger, urban hotels, security has actually become more visible as the threat of terrorism continues to be an issue. This survey was designed to help identify some of the industry s most significant security challenges and to provide insight into current security practices and trends. Some of these security trends, as identified by respondents, include the use of technology to reduce manpower, increased security presence, utilization of public/private sector surveillance, and outsourcing of security functions, among others. Survey Highlights This survey addresses security issues and trends across five categories: safety technology, surveillance, data security, physical safety, and personnel. The survey was divided into sections based on these categories. Highlights include: 27 percent of respondents have had door locks hacked into or attempted to be hacked into 92 percent of respondents use either magnetic stripe keycards (71 percent) or RFID proximity keycards (21 percent) 56 percent have upgraded their door lock systems within the past two years 27 percent have security personnel on duty 24/7 at all properties 88 percent currently use surveillance technology but only 36 percent have designated personnel actively monitoring it 71 percent keep surveillance videos for one month or less 67 percent purchase cyber liability insurance as part of their privacy and data security risk management program Legal Counsel is most frequently the department responsible for assuring compliance with state laws regarding privacy 87 percent have disaster response/business continuity (BCP) plans Although there is a growing trend in Europe to have a women s only floor for security purposes, none of the respondents of this U.S. focused survey have implemented this practice Page 1 Advisen Ltd.

3 Travelers expect their hotel rooms to be their sanctuary, a place where they can store their personal belongings and sleep without fear. Thefts and Assaults Respondents were asked to provide insight into the number of thefts and assaults that occurred at their facilities over the previous year. In response to the question How many reported room thefts have you recorded in the last year? (Including innkeepers) 47 percent said between 0 and 50, 24 percent said between 201 and 500, 18 percent said between 501 and 1000, 6 percent said between 51 and 200, 6 percent said more than 2001, and 0 percent said between 1001 and (Exhibit 1) Exhibit 1: Thefts within the last 12 months 18% 23% 0% 6% 6% 47% or more Respondents were also asked, Within the last 12 months how many reported assaults have occurred on the properties for which the company has direct accountability? 75 percent said between 0 and 4 assaults, 19 percent said between 5 and 19, 6 percent said that they had more than 20 assaults and zero percent said between 10 and 19. (Exhibit 2) Exhibit 2: Assault with the last 12 months 0% 6% 19% 75% More than 20 Safety Technology Doors Travelers expect their hotel rooms to be their sanctuary, a place where they can store their personal belongings and sleep without fear. A quality hotel room door and interior deadbolt are essential to providing this sense of security but technology also plays an increasingly important role. Page 2 Advisen Ltd.

4 There is likely a direct correlation between door lock hackings and the high percentage of door lock upgrades over the past couple of years. From automatic close and lock systems to highly sophisticated electronic keycards, hotel door safety technology has come a long way throughout the years. Although there are a variety of keycard locking systems such as mechanical hole cards, bar codes, wieg and wired embedded cards and smart cards among others, the vast majority of respondents said they use either magnetic stripe (71 percent) or RFID proximity cards (21 percent). In 2012, at the Black Hat security conference in Las Vegas, a security flaw in an electronic lock companies programmable key card locks was demonstrated. Cody Brocious, a Mozilla software developer discovered that hackers could gain access to millions of rooms using easily accessible hardware and a little programing know how. In an interview with Forbes, Brocious explained, It wouldn t surprise me if a thousand other people have found this same vulnerability and sold it to other governments. 1 Mr. Callaghan notes, that with the advancement of lock technologies, hotels should consider that upgrading to RFID will allow for more security so long as the lock and keycards employ advanced encryption better aimed at security. It was with this in mind that respondents were asked, Have your keycard locks ever been hacked into or attempted to be hacked into? Although the majority said No (73 percent), a comparatively high percentage (27 percent) responded Yes. Respondents were then asked, Have you upgraded your door lock systems in the past two years? 56 percent responded Yes, 25 percent said No and 19 percent did not know. (Exhibit 3) The fact that 19 percent of respondents do not know when they last upgraded their door lock systems highlights a risk that hotel owners should be concerned about. There is likely a direct correlation between door lock hackings and the high percentage of door lock upgrades over the past couple of years. According to Tom Ferguson, Vice President-Practice Leader, Casualty Risk Consulting at AIG, If this same question would have been asked five years ago the percentage of Yes responses would likely have been much lower. Exhibit 3: Have you upgraded your door lock systems in the past two years? 19% 25% 75% Yes No Don t know Page 3 Advisen Ltd.

5 One way to attempt to reduce the potential of privacy litigation is through proper storage and use once a surveillance video has been recorded. Surveillance Advancements in surveillance technology have proven valuable for both preventing and solving crime. Video surveillance played a huge role, for example, in identifying the individuals responsible for the bombing at the Boston marathon in So it is not surprising that the vast majority of respondents currently utilize technology. In response to the question, Do you utilize video surveillance technology? 88 percent responded Yes, 6 percent said No and 6 percent did not know. The use of surveillance technology, however, is not without risk. It can be perceived as an invasion of privacy and potentially increase the hotels exposure to liability. It was with this in mind that respondents were asked how they addressed video surveillance privacy concerns of guests and employees. Some of the most common responses included: Utilizing cameras in public areas only Following data privacy standards including signage and guest/employee notifications Keeping recordings for a limited amount of time (e.g. 30 days) Notify employees of use of surveillance in the employee handbook One way to attempt to reduce the potential of privacy litigation is through proper storage and use once a surveillance video has been recorded. Failure to establish and adhere to standards could unnecessarily expose a hotel to liability. For example, depending on the laws of a state, if a hotel who normally keeps a video for only a week decides to keep it for a longer period of time, it could increase their risk by conceivably having the video used against them in a case alleging invasion of privacy for circumventing their internal policy. Liability could potentially be attached because the video was not stored according to the hotel s standard business practice. 2 In general, the shorter the time the video is kept the less opportunity for privacy implications. Survey respondents seemed to agree. When asked, How long do you keep surveillance videos? 71 percent kept them for one month or less. (Exhibit 4) Exhibit 4: How long do you keep surveillance videos? 0% 0% 7% 7% 14% 7% 24 Hours One Week One Month One Quarter One Year More Than a Year Other (please specify) 65% Page 4 Advisen Ltd.

6 One reason many in the industry may choose not to utilize video surveillance technology is they may believe their liability will increase if cameras are installed without real-time dedicated monitoring and an immediate response to an incident. While shorter may generally be better, experts warn that other factors also need to be kept in mind when establishing a policy on surveillance video storage. According to Lance Ewing, IPG Leader, AIG, A rule of thumb, followed by some hotels for how long to keep surveillance videos is to keep them for the same amount of time the state allows for bodily injury suits. It is recommended facilities check with legal counsel regarding laws, including special obligations which may arise if litigation is reasonably foreseeable, and industry standards relating to this issue. Swimming Pools Installing surveillance cameras around the hotel pool, clubhouse, and cabanas can help provide security, monitor activity, and discourage bad behavior. It can also create privacy concerns and be a source of potential liability in bodily injury cases. With this in mind, respondents were asked, Do you use security cameras in swimming pool areas? Although the vast majority claims to utilize surveillance technology, far fewer use them in swimming pool areas with only 29 percent responding Yes and 71 percent responding No. Monitoring and Maintenance If actively monitored, surveillance cameras can allow for immediate response to an ongoing crime. This can prove an effective deterrent but also requires a substantial investment in security personnel costs. One reason many in the industry may choose not to utilize video surveillance technology is they may believe their liability will increase if cameras are installed without real-time dedicated monitoring and an immediate response to an incident. Mr. Callaghan notes, A hotel should first determine the purpose of surveillance at a particular location. If the reason is due to prior criminal activity in the area, then customers will likely have an expectation that the area is reasonably monitored and that security will respond if needed. This leads to the question: Do the benefits outweigh the risk? It appears more than half of respondents think so. When asked, Do you have designated personnel monitoring surveillance cameras 24/7? 36 percent said Yes, 57 percent said No and 7 percent did not know. While surveillance technology can pay huge dividends in hotel security, it can also lead to potential liability if the device is not properly operated and maintained. Respondents were asked, How often do you check video surveillance systems to make sure they are working properly? All of the respondents checked on a weekly basis at a minimum with 57 percent responding daily and 43 percent weekly. Outdated surveillance technology may be less effective and it may increase the potential for liability. Respondents were asked, When was the last time you upgraded surveillance technology at your properties? 43 percent said that they upgraded with the past one to three years, 36 percent said within the past year and 21 percent said within the past five to ten years. (Exhibit 5) Page 5 Advisen Ltd.

7 Information collected by hotels is not much different than information collected by retailers, who recently experienced some of the largest data breaches in history. Exhibit 5: When last upgraded surveillance technology More than 10 years ago 5-10 years 3-5 years 1-3 years Within the last year Data Security 0.0% 20.0% 40.0% 60.0% Within the last year 1-3 years 3-5 years 5-10 years More than 10 years ago Hotels are no longer only responsible for the safety of their guests and employees but also for protecting their personal identifiable information (PII). Information collected and stored from customers during the normal course of business such as names, addresses, and credit card numbers could be a potential gold mine for cyber-criminals. Information collected by hotels is not much different than information collected by retailers, who recently experienced some of the largest data breaches in history. Since those breaches there has been much discussion among retailers and financial institutions about moving away from the outdated and less secure magnetic stripe credit card to a more secure chip enabled card. Mr. Ewing explains, Hotels are using much of the same technology as retailers which may force them to have to change. Mr. Ferguson points to a San Diego Tribune article highlighting a recent partnership the AH&LA entered into with other organizations on cyber security.3 One of the organizations joining the partnership, the Retail Industry Leaders Association, stated in a press release that the new partnership will focus on improved information sharing, better card security technology and maintaining the trust of customers. The hospitality sector has been no stranger to significant and costly data breach events. According to Advisen data, the services sector (which includes hospitality) is more likely than any other sector to experience a cyber incident. Just recently for example, a hotel management and development company that manages over 150 hotels announced it is investigating a suspected credit/debit card breach. How an organization prepares and responds to a data-breach incident may influence the severity of the loss both from a financial and reputational risk perspective. With this in mind survey respondents were asked, What safeguards do you have in place to protect your customer s personal identifiable information (e.g. credit card, name, address etc.)? Some of the responses included: Using third party IT solutions Contractual provisions with vendors Internal policies around data and privacy protections Page 6 Advisen Ltd.

8 In the United States there is no all-encompassing law or regulatory body responsible for privacy and cyber security. Instead a patchwork of state and federal regulations focus on specific industries or populations, each with their own regulatory body. Employee training PCI compliance audits Management reviews and audits Use of encrypted software Implementation of a data breach response plan Respondents were asked whether or not they purchased cyber liability insurance as part of their privacy and data security risk management program. 67 percent responded Yes, 20 percent said No and 13 percent did not know. In the United States there is no all-encompassing law or regulatory body responsible for privacy and cyber security. Instead a patchwork of state and federal regulations focus on specific industries or populations, each with their own regulatory body. Respondents were asked, Who in your organization is responsible for assuring compliance with federal and state laws regarding privacy? 47 percent said General Counsel, 20 percent said IT, 13 percent Risk Management, 7 percent Compliance and 7 percent Internal Audit. (Exhibit 6) Exhibit 6: Who is responsible for compliance with federal and state privacy laws? Internal Audit Risk Management Compliance General Counsel IT General Counsel Compliance Risk Management Internal Audit IT 0.0% 20.0% 40.0% 60.0% In the past couple of years there has been much discussion over the opportunity costs associated with migrating IT functions to the cloud and whether the technology is more or less safe than storing it in-house. Answers to such questions have yet to be determined but will likely be on a case-by-case basis. However, with 53 percent of the respondents claiming that they have migrated IT functions to cloud it appears that in the hospitality industry the IT cost savings provided by the technology is proving hard to resist. Physical Safety The physical safety of hotel guests is arguably the most important responsibility of a hotel. Providing a safe environment not only reduces the potential for liability but is also important in maintaining a quality reputation. Employing security personnel at hotel properties is one way hotels can help ensure the safety of their guests. Respondents were asked, Do you have security personnel on duty 24/7 at all properties? 27 percent responded Yes, while 67 percent responded No and 7 percent did not know. (Exhibit 7) Page 7 Advisen Ltd.

9 Finally, regarding Exhibit 7: Use of Security other physical safety issues, 93 percent of respondents claimed to have emergency 66% 7% 75% Yes No Don t know lighting in all hotels. Effective preparation and training significantly increases the chances of a positive outcome in an emergency situation. In response to the question, Do you have a disaster response/business continuity (BCP) plan? 87 percent responded Yes and 13 percent responded No. Those who responded yes were then asked, Have you provided training to company personnel on the BCP? 83 percent said that they did. Mr. Ferguson believes the above stats identify some key risk concerns, In this day and age for a company not to have a BCP in place, or to have a BCP but not train personnel on it, significantly increases their reputational, economic, and organizational risk. With all the security challenges associated with running a hotel, respondents were asked, What security issues keep you up at night? The most common response was an active shooter on one of their premises. But how many of the respondents are actually prepared to respond if this were to occur? In response to the question, Does your company have an active shooter (AS) crisis response plan? 60 percent said Yes, 33 percent No and 7 percent did not know. Those who responded yes were then asked, Have you provided training to employees on Active Shooter crisis response? 82 percent said Yes. Finally, regarding other physical safety issues, 93 percent of respondents claimed to have emergency lighting in all hotels. None of the respondents claim to have a women s only floor, which is becoming increasingly commonplace in European hotels. Personnel To create an environment where guests feel safe and their personal belongings are secure, the focus should not be only on external threats but also on those from within. Far too frequently room thefts come from those trusted with access and data breaches come from an insider, sometimes by accident but often with malicious intent. Implementing personnel procedures that help to identify the background and habits of prospective and current employees can serve as a front line defense. Page 8 Advisen Ltd.

10 Respondents also were asked, How frequently do you provide OSHA training? and 40 percent said Annually, In response to the question, Do you conduct criminal background checks on prospective employees? all respondents said they conduct background checks at least periodically, 53 percent said always and 47 percent said Sometimes. Respondents were also asked if they conduct drug tests on their employees. 40 percent said Always, 33 percent said Sometimes and 27 percent said that they never perform drug tests. (Exhibit 8) Union rules could have an impact on the frequency of testing on employees. Exhibit 8: Frequency of Employee Drug Testing 27 percent Monthly, 13 percent As Needed and 7 percent Quarterly. 27% 33% 40% Always Sometimes Never Employees are also entitled to go to work on a daily basis in an environment free of discrimination and violence and under safe working conditions. In response to the question, How frequently do you provide HR training (i.e. discrimination, diversity, workplace violence, ethics etc.)? the majority (60 percent) said Annually, followed by 27 percent who responded As Needed, and 7 percent who said both Quarterly and Bi-annually. Respondents also were asked, How frequently do you provide OSHA training? and 40 percent said Annually, 27 percent Monthly, 13 percent As Needed and 7 percent Quarterly. Conclusion This survey provides an indication of the attitudes and practices currently surrounding hotel security. While this survey does not address every conceivable risk or exposure facing hotel owners, future surveys may address trends such as access control, patrol documentation, meth labs, and legionella. Other areas of concern to hotels is the use of third parties providing higher risk activities on site such as; parasailing, jet skis, adventure outings, etc. Subsequent surveys may provide stronger readings on trends in these important areas. Based on the finding of this survey hotel owners should consider ensuring all levels of management and security are knowledgeable and operating on the same page, including franchisee operations. Hotels consider taking a closer look at those questions were respondents answered No or Do Not Know Advancements in technology not only create more exposures but also play an increasingly important role in the response The development of programs e.g. BCP, etc. are only as good as the effective implementation and training of all staff into their purpose and proper response Page 9 Advisen Ltd.

11 Criminal activities including, but not limited to assaults, thefts, methamphetamine cooking, and data privacy hacking are all areas of concern for hotel owners, management companies and hotel loss prevention professionals Any questions can be directed to Lance Ewing, Industry Practice Group Leader, AIG: or Tom Ferguson, Vice President- Practice Leader, Casualty Risk Consulting at AIG: About the Survey and the Respondents Advisen Ltd and AIG worked together on a survey designed to gain insight into the current state and ongoing trends in hotel security.. Invitations to participate were distributed to 80 risk managers, loss prevention/security and other risk professionals in the hospitality sector. Respondents were identified as hotel operators only and did not include hotels with gaming or other recreational operations (e.g. cruise ships). The survey had an above average response rate of 21 percent, well above the average for similar risk management surveys conducted by Advisen. The majority of respondents (63 percent) classified themselves as Chief Risk Managers/Head of Risk Management Departments, followed by Head of Hotel Security/Loss Prevention at 25 percent, Member of Risk Management Department (not head) at 6 percent and Environmental Health and Safety Staff also at 6 percent. Nearly three fourths of the respondents (73 percent) own less than 50 properties, 13 percent own less than 100 properties and 13 percent own more than 250 properties. 53 percent of respondents also have franchised properties. Of those 53 percent, 78 percent have 50 or fewer franchised properties while 22 percent have more than 250. NOTES 1 Andy Greenberg, Forbes, Hacker Will Expose Potential Security Flaw in Four Million Hotel Room Keycard Locks, (July 2012), Law Offices of Stimmel, Stimmel & Smith, Video Surveillance Tapes: Access to Them and Privacy Issues under California Law, Katherine Poythress, U~T San Diego, New payment security partnership, (February 13, 2014), news/2014/feb/13/banks-retailers-cybersecurity-partnership/ 2 Law Offices of Stimmel, Stimmel & Smith, Video Surveillance Tapes: Access to Them and Privacy Issues under California Law, 3 Katherine Poythress, U~T San Diego, New payment security partnership, (February 13, 2014), utsandiego.com/news/2014/feb/13/banks-retailers-cybersecurity-partnership/ Page 10 Advisen Ltd.

12