Your owners’ personal information…protecting it from malfeasance is getting trickier than ever. Resorts experiencing a security breach – whether the compromise involves cyber or physical data – risk losing their owners’ trust and may be exposed to legal proceedings.
As president of Timeshare Pro Plus (TimeshareProPlus.com), which offers title transfer software accessed exclusively online, Dave Heine was recently tapped for his expertise. Speaking to several timeshare homeowner groups, Heine was tasked with helping attendees better understand how to advise and guide managers at their home resorts so that their properties comply with personal privacy protections.
“After many years of working in the title business and designing software for the various processes involved in transferring titles, I believe that safeguarding non-public and personally identifiable information starts with understanding the rules.”
Rule Number One
Fortunately for those of us living in a developed, democratic society, such as the United States, there are rules to safeguard a citizen’s right to privacy. We have the right of the individual to be protected against intrusion into our personal life or affairs, or those of our family, by direct physical means or by publication of information. “This is Rule Number One,” Heine points out. “We’re grateful for this right, but also understand the responsibility that comes along with safeguarding it for our customers who have entrusted us with so many personal details.”
“Unfortunately for those of us handling personal customer information – including names, email addresses, mailing addresses, phone numbers, fax numbers and so forth – we’ve got to realize there are evil-doers out there who can spend many hours each day figuring out how to steal any information that could be used to personally identify someone. The risk is even greater when personal information is coupled with non-public data including social security, driver’s license, state issued ID, credit card, debit card or other financial account numbers.”
According to Heine’s research, the consequences for a business can be formidable. The loss of customer loyalty could be among the most damaging of them all.
Take a look at a few examples:
• Wells Fargo: In March and April of 2013, cyber-attacks jammed online and mobile banking and left some customers unable to log in to their accounts.
• Target: In January 2014, hackers stole credit card data of 40 million Target customers and personal information of another 70 million customers.
• Home Depot: In September 2014, a cyber-attack exposed 56 million credit card numbers. The company expects to pay $62 million to cover costs of the attack.
• JP Morgan Chase: In October 2014, a breach affected about 76 million households and seven million small businesses. There’s no report that non-public personal information was compromised, however.
• Anthem Blue Cross: Anthem set off alarm bells across the insurance industry. According to Anthem, the attack exposed personal information of approximately 80 million individuals, including member names, member health ID and Social Security numbers, dates of birth, addresses, telephone numbers, email addresses and employment information.
“Just think about it,” says Heine. “Think of the extensive resources they no doubt had at their disposal and, yet, they were compromised. How much more vulnerable might your resort be?”
Well, most of us can relax a little on that account. First, most resorts rely on third-party technology that has built-in safeguards and security. Heine points out his own patented software, for example, with its native security system and use of well-vetted services such as those of DocuSign.
Rule Number Two
‘Rule Number Two’ is follow-through. What are the steps a resort needs to take to protect consumers? “Information can be found in a plethora of places,” observes Heine. “From the least obtrusive trash can or recycle bin to desktop computers, servers, laptops, mobile electronic devices, USB/Thumb drives, CDs and DVDs.”
Identify and know where to find any personal information in your possession. “Half the battle is just understanding where the data is, so that you can establish company policies, processes and procedures for its collection, storage, protection and disposal. Adopt a clean desk policy,” he urges. “Secure all documents, portable devices and electronic media in a locked, secure desk or file cabinet. Force cell phones, tablets and other electronic media to auto-lock after being idle for a few seconds. [And, yes, we know this is inconvenient; but it will have been worth the additional hassle if a device is ever lost or stolen.]”
Heine also recommends only requesting information that is actually needed. “For example,” he says, “while many resorts collect all nine digits of a Social Security number, they should consider whether only the final four should be required for their records.” He also has some advice from the individual’s point of view:
• Safeguard your checking account and bank routing numbers so persons using check printing programs cannot duplicate your checks.
• Phishing emails are designed to get you to “click” a button in the body of the email and then to provide requested information on the website it leads you to; or to install malware through opening attachments.
• Freezing credit bureau inquiries keeps stolen identity information from being used to fraudulently open new accounts.
• Ransomware, an installed infection on your computer, locks up files followed by a request for a fee to provide a code to restore your files; these thieves require bitcoin for payment of fee rather than a traceable credit card.
According to the Federal Trade Commission, there are five general principles to keep in mind for your resort to maintain a sound data security plan:
• TAKE STOCK. Know what personal information you have in your files and on your computers.
• SCALE DOWN. Keep only what you need for your business.
• LOCK IT. Protect the information that you keep.
• PITCH IT. Properly dispose of what you no longer need.
• PLAN AHEAD. Create a plan to respond to security incidents.