Do you know the risks you are taking? What should you do about cyber security, data theft and privacy? What does the Modern Slavery Act mean for businesses?
There has always been an explicit driver for risk management but responding to risks in today’s complex and changing market requires a new focus.
We are seeing five key trends in the market, which include the following:
Successful risk taking comes from understanding the exposure and implementing effective mitigation strategies. Key questions for Boards to consider include:
Four of the most significant risks we currently see facing the hotel sector are ‘Big data’, modern slavery, cyber security and data privacy.
Hotel business models are being challenged by the emergence of well-established as well as new online entrants, disrupting the traditional patterns of planning and reservations.
Data is a key resource for responding to threats and making the most of the opportunities. In particular, the ability to analyse the vast amount of information that hotels have access to about their customers can be used to improve business decision-making as well as customer experience. However, hotels often lack the right customer data, in the right format, with the ability to analyse it. Even where data does exist, the systems required to enable effective analysis are often not available.
The answer to these challenges starts with a better understanding of the data required to optimise business decisions and performance:
Corporate Social Responsibility (CSR) is increasingly used to achieve competitive advantage with many organisations choosing to report voluntarily, providing insight, ensuring transparency and demonstrating how they operate ethically and sustainably.
As new legislation is introduced, such as the Modern Slavery Act, businesses are likely to be subjected to increased scrutiny by their stakeholders.
Management must confirm that slavery and human trafficking is not taking place in their operations and their supply chain or else they risk reputational damage or civil proceedings in the High Court.
All obligated businesses need to publish a ‘slavery and human trafficking’ statement which includes:
How often do you read or hear news stories about cyber security and data privacy issues? Is it something that you pick up on once or twice a month, or maybe more frequently?
The simple truth is that cyber security and data privacy problems can be big news, and newsworthiness drives awareness levels. The public, law makers, regulators and judges are all sighted on the risks. These people provide “adverse scrutiny” to entities when things go wrong, and they are fully aware of the fact that some of the world’s biggest, richest and most powerful entities have been humbled by poor approaches to security and privacy.
Awareness levels are only going one way and we are rapidly approaching a tipping point, when entities realise that they have no choice: they have to do much more to tackle the security and cyber risks they face and to live up to the expectations that society places in them. If the full roll call of entities that have been humbled in the news is considered, the conclusion seems to be obvious: security and privacy issues are not being accorded the priority they deserve.
2015 was a really bad year for the hotel industry. It rose to prominence as a massive risk area, due to a series of high profile breaches affecting payment cards. Just before Christmas 2015 the Federal Trade Commission in the United States concluded long running proceedings against a hotel. This case has established a need for the development of comprehensive information security programmes, annual security audit cycles and post-incident investigations in the hotel sector. Looking at this from the customer’s side, security experts are now advising travellers to be on heightened alert when using hotels. Hotels have been propelled to the forefront of the mind, and it is inevitable that this will play out in further legal and regulatory problems over time.
Legal and regulatory problems bring their own special range of issues. Locking horns with regulators, litigants and judges is the last thing that business needs. Judicial and regulatory design of business models has to be avoided at all costs. In landmark EU litigation in 2014, the way global web search operates in Europe was redesigned by the European Court of Justice, in a case that has delivered into law the so-called “right to be forgotten”. The security of mobile phone operating systems has just been re-designed by a District Court in Los Angeles, massively inflaming the passions of the technology sector and security experts alike.
But legal and regulatory problems are just one arc of the consequences of bad security and privacy. Businesses need to think about trust, confidence and brand health and reputation. These points are commonly understood, but some business people point to share prices, saying that prices don’t dip much, or for long, after big security and privacy problems. That may be the case at the moment, but the absence of share price volatility does not mean that value is not being eroded.
Moreover, if share prices do not dip, that points to another problem, namely defects in market behaviour. That is a dangerous place to go, because the classic response to market imperfection is the expansion of regulation: regulation is seen as the antidote to market imperfection. Businesses that trumpet the share price issue merely bring on the risk of more red tape and bureaucracy, as well as the risk of serious penalties and sanctions.
Trust, confidence and brand health may operate in a different timeframe to share prices. The absence of share price volatility does not mean that trust, confidence and brand health are not being eroded. If that is true, then the logic points, perhaps, to a convergence in the future of value erosion. Entities that are damaging their trust, confidence and brand health today may pay in share price in the future. In other words, suffering security and privacy failure might be like a cancer, where the harm is hidden from view until it is too late. This returns the focus to legal risk.
The EU will soon adopt the General Data Protection Regulation (GDPR).
This is a landmark piece of legislation that will radically change our perceptions on how personal data should be handled in business. The GDPR will also have global effect. This is not just law-making for the inside of Europe’s borders.
The purpose of the GDPR is to put people back in control of their personal information and to improve how entities look after personal information while it is in their custody. This reminds us that entities do not have rights of ownership over personal information. They are simply acting on licence. People are the owners of information about themselves. Part of the rights of ownership is the right to privacy. One of the principles of privacy is that information shall be secured from events that affect privacy.
Hence, in a narrow sense the GDPR is legislation for privacy and security. In an expansive sense, it is legislation for transparency and quality in the handling of personal information. This means that entities have to tell people what they are doing with their data, which includes coming clean if there is a breach of security.
This law is being adopted because the EU lawmakers have lost trust and confidence in the ability of entities to handle personal information properly.
They see the constant and repeated failures of privacy and security as being symptomatic of a failed market, which can only be cured through tough regulation. The toughness is represented by the powers that the regulators will get to intervene and re-design business models and to impose financial penalties, and by the rights that people will gain to recover compensation if they are upset by the way their information is being handled.
The financial penalty power will enable the regulators to impose fines on entities of up to 4% of group annual worldwide turnover. Modest compensation for low level distress will probably be no less than £1,000 per person, with no upper cap. If the litigation risk is modelled by reference to some of the world’s largest data breach cases (those affecting personal data), which have exceeded 100 million people on a number of occasions, the financial exposure is £1e+11, i.e. £100 billion (100 million people affected x £1,000 per person), too big for the calculator app on an iPhone to present in digits.
What we are talking about is a potentially ruinous legal risk for big businesses operating in Europe. Surely when the penny drops, we will see share price volatility.
When looking at legal risk, businesses should not forget the evidential value to lawyers of past wrongful behaviour.
A serious historical privacy or security breach in one country may be legally significant at some point in the future in another country. If your point of view is that a US Federal Trade Commission fine of $20m is loose change for a big multi-national and therefore not significant, which is a view that some business people hold, perhaps your point of view may change when you appreciate that the historical failure may be sufficiently relevant to help fix you with £1e+11 of financial exposure in Europe at some point in the future. For good and bad, security and privacy are built on a web of interdependencies, and one of them is the foreseeability of harm in a legal sense that follows from past failures.
Therefore, when judging legal risk, entities would be wise to reflect on the fact that there is now global legal connectivity as far as failure events are concerned.
There is much more to security and privacy than compliance and risk.
There is also the economic interest in gaining commercial advantages from the use of personal data. Gaining better customer insights and providing them with personalised services are now recognised by many in the hotel industry as core business goals.
In order to properly bring together the interests of economic advantage, risk management and compliance with legal obligations, entities need to develop an appropriate Vision for their desired end state. That Vision will take account of the entity’s “special characteristics” and the points of view of all necessary stakeholders. Once a Vision has been set, a strategy to deliver the Vision can be developed and appropriate structures can be put in place.
When the lessons of failure are examined (failure of data handling projects, such as Single Customer View systems, and failure in the sense of security and privacy breaches), it becomes obvious that the absence of an appropriate Vision is the root cause.
People responsible for security and privacy in hotels ought to ask themselves whether their entities have appropriate Visions for desired end states. If not, they should bring together the stakeholders to discuss ways to take things forward.
Joint Global Data Protection Leader; Global Legal Services Leader; UK Data Protection National Lead, PwC United Kingdom