No Time to Share: Protecting Member Data Is Industry Responsibility

Recent headlines have brought home the risks faced by businesses that store customer data. Retailers have had credit card information stolen, insurance company files have been hacked, and the federal government reports that some 21.5 million current and former employee records were breached. When the worst happens, costs, such as credit monitoring for affected clients, mount rapidly and can include fines from the Federal Trade Commission and even state agencies.


When it comes to data security, however, incursions from hackers aren’t the only concern, say industry experts contacted by the Resort Trades. Far more mundane happenings can affect your business’ ability to survive. “The most likely occurrence is actually systems failure,” says Joe Reiplinger, a partner at CCS Technology, which provides information-technology services to many timeshare clients, including TimeshareProPlus.com. “We think of things like fires, but an employee who inadvertently deletes files could also cause a catastrophe if backups aren’t occurring regularly.”


According to a Forrester Research study, 24 percent of companies say they have experienced a full data disaster. While backups and off-site data storage may allow you to eventually recover lost files, a business continuity plan ensures that downtime is minimal. “It’s my impression that this industry is below average in data security, data recovery and business continuity,” says Ed Klein, chief technology officer for SPI Software. “It’s important to understand the difference between disaster recovery and business continuity, and to address them both.”

Disaster Prep
Where your data is stored can affect your ability to recover quickly in the case of equipment failure, natural disaster or employee error. Cloud-based storage can be accessed from anywhere with an Internet connection, and software-as-a-service (SaaS) solutions are also cloud-based, not hosted on company servers. Merlin Software relies on this type of technology to protect its clients. “Data is housed in a global, Level One data center,” explains Mike Pnematicatos, Merlin’s chief architect. “From a physical perspective, anything that you store on site will have a much lower level of data security. I suppose we could have an issue if an atomic bomb fell on the data center, but if that happened, well, never mind the data.”

According to Reiplinger, an important aspect of a cloud-based system is the convenience of the data being automatically stored off site. “The technology does it for you,” he says. “No one has to take backup tapes or USB drives home with them. You’re not relying on employees to follow procedures.” It’s also important to pay attention to data storage capacity, as both cloud-based and hardware solutions can run out of room.

When choosing a vendor to assist with business continuity in case of a data emergency, be clear about expectations for both the amount of time it will take to recover from an incident and how far back, or how recently, you’ll be able to restore to. “If there was an inadvertent deletion of important files, you need to be able to go back far enough to recover the data,” Reiplinger says. “If the system goes down that day, you also don’t want to lose all the data you have entered since the night before.”

Klein agrees, saying, “You have to decide, can we take two hours or two days to recover from a disaster? Then you have to ensure that you have the proper solution in place to meet those tolerance levels.”
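One way to make those two expectations concrete, as an added illustration that is not from the article or from any vendor quoted in it: given a backup catalog, compute the hours of entered data that would be lost if the system failed at a given moment, check that against the loss you have decided you can tolerate, and check how far back a deleted file can still be recovered. The catalog (nightly snapshots kept for 30 days, optionally plus hourly snapshots on the day of the failure), the dates and the tolerance values are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed catalog (sample data, not a real system): one nightly snapshot
# at 23:00 kept for 30 days, optionally plus hourly snapshots on 2015-07-31.
INCIDENT = datetime(2015, 7, 31, 14, 30)   # assumed moment the system goes down
NIGHTLY = [datetime(2015, 7, 31, 23, 0) - timedelta(days=d) for d in range(1, 31)]
HOURLY = [datetime(2015, 7, 31, h, 0) for h in range(8, 14)]
WITH_HOURLY = sorted(NIGHTLY + HOURLY)


def latest_snapshot_before(snapshots, when):
    """Newest surviving snapshot taken at or before `when`, or None."""
    candidates = [s for s in snapshots if s <= when]
    return max(candidates) if candidates else None


def hours_of_work_lost(snapshots, incident=INCIDENT):
    """Recovery point: hours of entered data lost if the system fails at `incident`."""
    last = latest_snapshot_before(snapshots, incident)
    return None if last is None else (incident - last).total_seconds() / 3600


def meets_rpo(snapshots, rpo_hours, incident=INCIDENT):
    """True when the schedule keeps data loss within the agreed tolerance."""
    lost = hours_of_work_lost(snapshots, incident)
    return lost is not None and lost <= rpo_hours


def can_recover_deletion(snapshots, deleted_at_iso):
    """A file deleted at `deleted_at_iso` (ISO 8601) is recoverable only from a
    snapshot taken before the deletion that is still inside retention."""
    deleted_at = datetime.fromisoformat(deleted_at_iso)
    return latest_snapshot_before(snapshots, deleted_at) is not None


if __name__ == "__main__":
    for name, catalog in (("nightly only", NIGHTLY), ("nightly + hourly", WITH_HOURLY)):
        print(f"{name}: {hours_of_work_lost(catalog):.1f} h of work lost, "
              f"2 h tolerance met: {meets_rpo(catalog, 2)}")
    print("deleted 2015-07-20 recoverable:", can_recover_deletion(WITH_HOURLY, "2015-07-20T10:00:00"))
    print("deleted 2015-06-21 recoverable:", can_recover_deletion(WITH_HOURLY, "2015-06-21T10:00:00"))
```

The nightly-only catalog loses a full working day at a 14:30 failure, and a deletion older than the 30-day retention has no snapshot left to restore from, which is the case Reiplinger describes.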

Under Attack
The need to protect against natural disasters, computer failures and employee errors isn’t the whole story, of course. A 2013 National Small Business Association survey revealed that 44 percent of respondents had been victims of at least one cyberattack, at an average cost of $8,700 for each breach. That means you also need to ensure that the consumer data you collect and store is safe from nefarious forces.


There are myriad laws mandating that certain precautions be taken. States are following the federal government’s lead and adopting their own laws. TimeshareProPlus.com, for example, is EU Safe Harbor compliant, and follows provisions of the Health Insurance Portability and Accountability Act, which can involve penetration testing and security audits. “We take protecting client data very seriously,” says Dave Heine, president.

That’s something more timeshare businesses need to do, Reiplinger says. An under-appreciated aspect of data security is employee training. “Technology can prevent a lot from happening, but it can’t protect you from everything if users are uneducated and do bad things.” Employees must know not to open suspicious emails and to protect passwords and devices.

SPI Software includes permission-based roles, meaning that employees are limited in the types of data they can access or edit based on their job functions. An audit log provides further protection by documenting who has accessed data by time and date stamp.

Merlin’s protections include the same types of firewalls and encryption that banks use, and similar controls with multiple levels of access. “The system, however, can only do so much if an employee were to give away their user name and password,” Pnematicatos adds. “However, the system tracks every download, so in a case where a top-level user went bad, we were able to report what they had downloaded and report on the particular data when it occurred.”
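An added example, not code from the article or from any product it mentions, of the two audit-log uses described above: reporting what a given user downloaded and when, and flagging a user who pulls an unusual volume of records in a short window. The log format, user names and thresholds are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit trail (not a real product's log format): one line
# per access, with a timestamp, the user, their role, the action and the record.
AUDIT_LOG = """\
2015-07-14T09:12:03Z user=alice role=agent action=VIEW record=member/4412
2015-07-14T09:14:51Z user=alice role=agent action=DOWNLOAD record=member/4412 bytes=18210
2015-07-14T18:02:10Z user=bob role=admin action=DOWNLOAD record=export/owners_all.csv bytes=58213000
2015-07-14T18:05:44Z user=bob role=admin action=DOWNLOAD record=export/cards_2014.csv bytes=9012000
2015-07-14T18:07:01Z user=bob role=admin action=DOWNLOAD record=export/contracts.csv bytes=31000000
2015-07-15T10:30:00Z user=carol role=agent action=EDIT record=member/5100
"""
KV = re.compile(r"(\w+)=(\S+)")

def parse_audit_log(text):
    """Turn each log line into a dict with a datetime `ts` and an int `bytes`."""
    entries = []
    for line in filter(None, text.splitlines()):
        ts, _, rest = line.partition(" ")
        entry = dict(KV.findall(rest))
        entry["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        entry["bytes"] = int(entry.get("bytes", 0))
        entries.append(entry)
    return entries

def downloads_by_user(entries, user):
    """The report for an insider case: what `user` downloaded and when."""
    return [(e["ts"].isoformat(), e["record"], e["bytes"])
            for e in entries if e["user"] == user and e["action"] == "DOWNLOAD"]

def flag_bulk_downloads(entries, window=timedelta(hours=1), max_bytes=75_000_000):
    """Users whose downloads within any sliding `window` exceed `max_bytes`."""
    by_user = {}
    for e in entries:
        if e["action"] == "DOWNLOAD":
            by_user.setdefault(e["user"], []).append(e)
    flagged = set()
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start, total = 0, 0
        for i, e in enumerate(evs):
            total += e["bytes"]
            while e["ts"] - evs[start]["ts"] > window:   # slide the window forward
                total -= evs[start]["bytes"]
                start += 1
            if total > max_bytes:
                flagged.add(user)
    return flagged
```

Running `flag_bulk_downloads(parse_audit_log(AUDIT_LOG))` flags only the admin account that exported three bulk files within five minutes; the same entries fed to `downloads_by_user` give the dated list of what that account took.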

Vendors need to be carefully monitored to ensure that any data they have access to is protected. Make sure that contractors are given access only to the systems and applications they need to complete their assignments.

Also, companies, no matter their size, should ensure that critical security patches are downloaded and installed. News accounts of the Office of Personnel Management breach we mentioned earlier indicated that the agency had failed to install security patches in a timely manner.

Another idea is not to keep data you don’t need. “No one can steal what you don’t have,” Reiplinger says. For example, purge credit card data from resort rentals or on-site purchases.

“Having systems and a plan in place isn’t prohibitively expensive,” he adds. “With 70 percent of small and medium businesses that suffer a major data loss having to close their doors within the next two years, you can’t afford not to.”


13 Steps to Data Security

Richard Corso, CEO of SPI Software, advises that resorts begin by following this road map in protecting their data and ensuring business continuity.

  1. Evaluate your risk level and understand the implications of each type of security breach.
  2. Follow best practices and keep them realistic enough that they are followed.
  3. Implement tiered data protection and security.
  4. Implement both logical (passwords, encryption, firewalls, virus protection, antispyware, etc.) and physical (restricted access) security.
  5. Require regular and frequent password changes.
  6. Transfer data securely (encryption, VPN).
  7. Secure and test backups and archives.
  8. Have a written disaster recovery plan and test it regularly.
  9. Use common sense. For example, sharing your password with a coworker defeats the purpose! Make sure that vendors and the after-hours cleaning crew can’t access your server.
  10. Adopt the philosophy of “It is not ‘if’ we get hacked, but ‘when.’” You will act a lot differently.
  11. Stay current on security issues, legalities, liabilities, and hacker strategies.
  12. Continuously train staff on security protocols and why they are vitally important.
  13. Hire expert consultants to provide counsel and support as needed.