Introduction
With the advent of the era of big data, people enjoy the convenience and intelligence that the information age brings to daily life, but they also have deeper concerns about their own information security. Stolen user accounts, user information leaked through network vulnerabilities, leaked hotel check-in records, and the illegal acquisition, trading and exchange of citizens’ personal information are among the illegal and criminal activities that now occur frequently. From 2016 to 2017, data breach incidents in the hotel industry increased by nearly 70%. The leakage and theft of hotel customers’ personal information urgently need to be resolved.
This essay focuses on the problem of hotel guest information theft and uses relevant laws and regulations to analyze two cases: FTC v. Wyndham Worldwide Corp. and the Hua Zhu Hotel Group information leakage incident. It mainly discusses the following questions: Why does information theft occur so frequently at hotels? What legal obligations do hotels have in protecting guest information? How should hotels effectively protect guest identity information?
This paper is divided into four parts. First, it briefly introduces the laws relevant to hotel information theft in China and in the United States. Then, through the description and analysis of two specific cases, FTC v. Wyndham Worldwide Corp. and the Hua Zhu Hotel Group information leakage incident, it discusses the main reasons for the theft of hotel information and the hotel’s legal obligation to reasonably protect customers’ personal information, and argues that, compared with American law, Chinese law on identity protection needs to be improved. Finally, the essay offers management suggestions, from the viewpoint of a hotel manager, on how hotels can effectively protect guest identity information.
Historical law background
Federal Laws Related to Identity Theft
There are two main federal laws related to identity theft. One is the Identity Theft Assumption and Deterrence Act. While not exclusively aimed at consumer identity theft, the Identity Theft Assumption and Deterrence Act prohibits fraud in connection with identification documents under a variety of circumstances.1 Certain offenses under the statute relate directly to consumer identity theft, and impostors could be prosecuted under the statute. For example, the statute makes it a federal crime, under certain circumstances, to knowingly and without lawful authority produce an identification document, authentication feature, or false identification document; or to knowingly possess an identification document that is or appears to be an identification document of the United States which is stolen or produced without lawful authority, knowing that such document was stolen or produced without such authority. It is also a federal crime to knowingly transfer or use, without lawful authority, a means of identification of another person with the intent to commit, or aid or abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law.
The other is the Fair Credit Reporting Act. While the Fair Credit Reporting Act (FCRA) does not directly address identity theft, it could offer victims assistance in having negative information resulting from unauthorized charges or accounts removed from their credit files.4 The purpose of the FCRA is “to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information.”5 The FCRA outlines a consumer’s rights in relation to his or her credit report, as well as permissible uses for credit reports and disclosure requirements. In addition, the FCRA imposes a duty on consumer reporting agencies to ensure that the information they report is accurate and requires persons who furnish information to ensure that the information they furnish is accurate.
State Laws Related to Identity Theft
Every state has its own specific laws on identity theft covering different situations. All states have a law regarding identity theft or impersonation; 29 states’ laws offer specific restitution for identity theft, and 11 states have programs to help victims prevent future identity theft.7 For example, under Florida state law, identity theft is generally charged under Florida statute 817.568, which makes it illegal for a person to “willfully and without authorization… fraudulently use, or possess with the intent to fraudulently use personal identification information concerning another person without first obtaining that person’s consent.” The sentence a defendant can receive for a conviction of this crime depends on the circumstances. The general charge is a third-degree felony, punishable by five years in prison and a $5,000 fine.
Laws related to identity theft in Chinese Hospitality
The situation of identity theft and leakage in China’s hospitality industry is not optimistic, and may be even worse. In August 2008, the online reservation system of ‘Best Western’, the world’s largest hotel chain, was hacked, and the data of the 8 million customers who had stayed with the group may have been leaked. In 2012, Jinjiang Inn was exposed for leaking the accurate information of 50,000 customers. To prevent identity theft, the Chinese government has also strengthened relevant legislative work. The following are the main laws regarding identity theft.
The Consumer Protection Law stipulates that a customer has already formed a contractual relationship with the hotel when checking in and providing personal information. On the surface, the guest simply pays the fee and the hotel provides accommodation, but in fact this contract carries additional conditions, including that the personal privacy information provided by the guest must be protected by the hotel. If losses are caused to consumers by information leakage, the hotel shall bear civil liability for compensation.
The “Regulations on the Administration of Public Security in the Hotel Industry” issued by the Ministry of Public Security also set out detailed rules on hotel guests’ check-in, monitoring, and information security. They clearly state that the hotel and its staff shall not provide any unit or individual with relevant information and video surveillance data of the hotel staff. Where information about lodgers is provided to relevant departments, units or individuals, the disclosure must be registered.
Article 253-1 of the Criminal Law provides that whoever, in violation of relevant state regulations, sells or provides citizens’ personal information to others shall, if the circumstances are serious, be sentenced to fixed-term imprisonment of not more than three years or criminal detention, together with a fine or with a fine alone; if the circumstances are particularly serious, to fixed-term imprisonment of not less than three years but not more than seven years, together with a fine. Anyone who violates relevant national regulations and sells or provides to others citizens’ personal information obtained in the course of performing duties or providing services shall be severely punished in accordance with the provisions of the preceding paragraph. Whoever steals or illegally obtains citizens’ personal information by other means shall be punished in accordance with the provisions of the first paragraph. If a unit commits any of the crimes mentioned in the preceding three paragraphs, the unit shall be fined, and the person in charge and other persons directly responsible shall be punished in accordance with the provisions of the respective paragraph.
Description and Analysis of Two Specific Cases
FTC v. Wyndham Worldwide Corp.
The case arose out of a suit brought by the FTC against Wyndham, a global hotel company, for failing to adequately safeguard its computer network, allowing hackers to access customer information, resulting in the compromise of more than 600,000 credit card records and financial losses in excess of $10 million.
In June 2012, the Federal Trade Commission filed suit against Wyndham Hotels, claiming that Wyndham had misrepresented its security measures against computer hackers. In a news release, the FTC alleged that Wyndham’s protection of consumer data was “unfair and deceptive”. This led to a series of allegations against Wyndham Hotels and three of its subsidiaries. The lawsuit describes three attacks on the hotel chain and its franchisees that began in 2008. The first attack compromised 500,000 credit card numbers stored by the company; later attacks compromised 50,000 and 69,000 accounts elsewhere.
The key to the FTC’s complaint is Wyndham’s failure to take the usual security measures. The FTC said Wyndham did not require complex passwords, used network settings that did not separate the corporate and hotel systems, and used “incorrect software configurations”, which resulted in sensitive payment card information being stored without encryption. The FTC’s complaint contrasts these failures with Wyndham’s privacy policy, which said that Wyndham strove to “recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Programs,” and promised the use of strong encryption and firewalls.11 Wyndham argued that, among other things, the FTC lacks authority to regulate the data security standards of commercial entities. The lower court ruled in the FTC’s favor, and Wyndham appealed to the U.S. Court of Appeals for the Third Circuit. On August 24, 2015, the Third Circuit affirmed the district court, upholding the FTC’s data protection authority. The result is that, for the first time, the United States has what amounts to a data security regulator.
Hua Zhu Hotel Group information leakage case
At 6 am on August 28, 2018, a post appeared on a Chinese forum claiming to sell all of Huazhu’s hotel data. The data was priced at 8 bitcoins, equivalent to approximately RMB 370,000. The breach involved the personal information and check-in records of 130 million people. After media reports, the poster stated that the price would be reduced to 1 bitcoin. Hua Zhu Hotels Group owns five brands: “Xiyue Hotel”, “All Seasons Hotel”, “Starway Hotel”, “Hanting Hotel” and “Hi Inn Hotel”, with more than 1,900 establishments in more than 200 cities across the country. The data covers Hanting Hotel, Grand Mercure, Xiyue, Manxin, Novotel, Mercure, CitiGo, Orange, All Season, Starway, Ibis, Elan and Haiyou. The hotel data offered for sale was divided into three parts:
1. Huazhu official website registration information, including name, mobile phone number, email address, ID number, login password, etc., totaling 53 GB, approximately 123 million records;
2. Hotel check-in registration identity information, including name, ID number, home address, birthday and internal ID number, totaling 22.3 GB, with ID information of about 130 million people;
3. Hotel room booking records, including internal ID number, associated room number, name, card number, mobile phone number, email address, check-in time, departure time, hotel ID number, room number and consumption amount, totaling 66.2 GB, approximately 240 million records.
The police verified that the suspect used hacking to steal data from Huazhu Group’s hotels and sell it on overseas websites, but the transaction was not successful. The case is still being further investigated. The police will investigate and deal with the entities responsible for failing to implement cybersecurity measures in this case.
Analysis of these two cases
The first discussion concerns the reasons for the theft of hotel information. Hotels are frequently targeted by data thieves. From the analysis and summary of these two cases, I think this is mainly attributable to the following factors. First, the volume of bank card transactions and other information in the hotel industry is relatively large, which makes it convenient for hackers to steal identity information. For example, in the Hua Zhu Hotel case, the hacker stole a database that contained mailing addresses, guest names, phone numbers, payment card numbers, and so on. Secondly, hotels often connect their internal computer systems with other systems such as the PMS and CRS. Thirdly, employee turnover is frequent, and employee security training is not in place. The Huazhu security incident may fall into this category: programmers had insufficient security awareness and relied too heavily on external public services, which allowed hackers to obtain core server information from within the enterprise. Finally, hotels do not pay enough attention to the protection of guest information. In the Wyndham case, the FTC claimed that Wyndham failed to use readily available security measures, such as firewalls, failed to reasonably limit third-party access to company networks and computers, and so on.
The second analysis concerns hotel liability for guest information. In America, hotel operators are responsible for using enhanced security measures to protect guests. This contractual obligation covers all aspects of the guest’s private life, from protecting their person and property to protecting their images and personal or confidential data. It is the responsibility of every hotel to protect customers from identity theft. Under the EU’s General Data Protection Regulation, holding visitor data can also give a hotel international responsibilities. Hotels must take reasonable care to ensure the safety and privacy of guests.13 In China, the “Consumer Rights Protection Law” stipulates that a customer has already formed a contractual relationship with the hotel when checking in and providing personal information. On the surface, the guest pays the fee and the hotel provides accommodation, but in fact this contract carries additional conditions, including that the personal privacy information provided by the guest must be protected by the hotel. If losses are caused to consumers by information leakage, the hotel shall bear civil liability for compensation. The “Regulations on the Administration of Public Security in the Hotel Industry” issued by the Ministry of Public Security also set out detailed rules on hotel guests’ check-in, monitoring, and information security. They clearly state that the hotel and its staff shall not provide any unit or individual with relevant information and video surveillance data of the hotel staff. Where information about lodgers is provided to relevant departments, units or individuals, the disclosure must be registered.
In other countries, hotels also have liabilities for guest information. For example, in European law, Directive 1995/46 generally regulates the handling of personal data, which may be used by the authorities without the guest’s consent only for reasons of national security, defense, public safety, criminal proceedings, the inspection and supervision of financial and monetary matters, and the protection of the rights of other persons (Article 12). In any other case, the hotelkeeper will be liable for information (data) about guests that reaches a third party. Under German law, a hotelkeeper committed such a violation by releasing the entire schedule of a rock star visiting his hotels (Born & Dreyer, 2002, 115), so non-proprietary damages for discomfort had to be paid to that singer, who had to change hotels because of the invasion of fans.
The last analysis is my opinion that Chinese law on identity protection needs to be improved. Compared with American laws on identity theft, Chinese law on identity needs improvement. Chinese hotels lack accountability for information leakage, and Chinese laws and regulations impose little punishment on hotels for leaking guest information. In the United States, if a large company’s improper behavior causes losses to the public, a law firm will take the initiative to contact the victims and file a class action lawsuit; the victims only need to sign an authorization. For the moment, if a large number of incidents of leaking guest information occur in China, it is not clear how the victims can defend their rights or how lawyers can intervene.
Management Suggestions
No matter where a hotel is located, it is the hotel’s duty to protect the information of its guests. The following are some suggestions on how to protect guest information effectively. The “2017 Data Breach Investigation Report” released by Verizon of the United States shows that, of the tens of thousands of security incidents investigated, internal threats accounted for 25%, and 75% were caused by external attacks. There are only two ways to steal hotel guest information: one is from the outside, such as breaching the hotel firewall; the other is leakage from the inside, such as theft by hotel staff. To prevent identity theft from external threats, the hotel should first strengthen information security protection by hiring a professional data security team. Data security is no longer limited to firewalls, intrusion detection, and anti-virus, but requires a comprehensive information security protection system from the inside out. It is difficult to face the intrusion of external hackers by relying on the hotel’s own protection alone; hotels should cooperate with professional information security agencies and set up a dedicated information security protection team. Secondly, hotel guest information should be encrypted. Encryption is an effective way to protect data. Confidential data, business and customer information must be protected from unauthorized access and illegal copying, and this can be achieved through encryption. Hotels should set up automatic encryption of internal corporate files, so that if an encrypted file is copied outside the company without permission, it appears as garbled and unusable data. This ensures core data security at the source. Third, hotels should conduct systematic security tests on a regular basis.
The hotel should regularly assess the security of the system and take corresponding protective measures to prevent the leakage, loss and theft of consumer personal information. Lastly, in order to better protect the security of enterprise data, data management personnel must regularly back up data. When backing up data, you must clearly mark the data content, backup time, and backup personnel. If corporate data is damaged or lost, the hotel can restore it immediately to better serve guests.
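The encryption suggestion above, and the unencrypted card storage cited in the Wyndham complaint, can be made concrete with a small example. The Go code below is an added illustration, not code from this essay or from any hotel system: it seals a check-in record with AES-GCM under a key held apart from the stored blobs, so a copy taken without the key fails to decrypt and any tampering is detected. The record fields, the associated-data label and the key are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"io"
)

// GuestRecord uses field types named in the Huazhu breach report; all values are constructed.
type GuestRecord struct {
	Name       string `json:"name"`
	IDNumber   string `json:"id_number"`
	CardNumber string `json:"card_number"`
	CheckIn    string `json:"check_in"`
}

// recordAAD is authenticated with every blob so a guest blob cannot pass as another record type.
const recordAAD = "hotel-guest-v1"

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts one record; the random nonce is prefixed to the ciphertext.
func SealRecord(key []byte, rec GuestRecord) ([]byte, error) {
	plain, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, []byte(recordAAD)), nil
}

// OpenRecord reverses SealRecord; a wrong key, truncated or modified blob returns an error, not data.
func OpenRecord(key, blob []byte) (rec GuestRecord, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return rec, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return rec, errors.New("blob too short")
	}
	plain, err := gcm.Open(nil, blob[:n], blob[n:], []byte(recordAAD))
	if err != nil {
		return rec, err
	}
	err = json.Unmarshal(plain, &rec)
	return rec, err
}
```

The key belongs in the application or a key-management service, not in the same store or backup as the sealed records; otherwise a copied backup carries everything needed to read it.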
To prevent identity theft from internal threats, the hotel should first strengthen training related to identity theft. Every employee should understand the related risks and threats and the role they can play in mitigating them. Hotels should create a security culture: a strong sense of corporate security is an important part of protecting the organization from attacks and data leakage. Secondly, the hotel should control certain behaviors of its employees. Important documents may only be issued after approval, and whether they are sent to internal colleagues or external partners, employees’ operations must comply with the regulations. All operations and file contents must be auditable and traceable. Thirdly, the hotel should implement authority management: set blocking strategies for different departments, different personnel, file outsourcing, enterprise equipment, software, network, etc., and allow only people with the appropriate authority to perform the corresponding actions, so as to protect corporate information security. Finally, hotels should strengthen information security awareness training and popularize knowledge of security laws. Some employees are unaware that transmitting several pieces of data is illegal, or think that such behavior is not serious. In view of the imperfect internal management mechanism and other issues, the hotel should conduct comprehensive training to popularize information security knowledge among employees. The hotel should hold information security awareness training at least once a year, organize employees to participate, and introduce common-sense information security and legal interpretation. Each department of the hotel should appoint security officers and confidentiality officers to coordinate internal security work and confidentiality matters.