Today’s Wall Street Journal reports on the loss of credit card data of nearly 250,000 hotels.com customers by its auditor, Ernst & Young. For over a year, an urban legend about hotel key cards containing credit card data (and even social security numbers!) has swirled prompting even the AH&LA to issue a statement last year to debunk the myth. While the efforts have been largely successful, questions persist with even some lawmakers expressing concern that key cards compromise their privacy.
The Journal report, however, highlights the need for even greater oversight on the part of hotels with regard to parting with and storing of confidential client data. Why Hotels.com needed to give credit card data on their customers to their auditors is somewhat of a mystery. That auditors, who supposedly epitomize proper observance of safeguards in business should treat such information carelessly is less than acceptable. Coming after a series of lapses such as the Choicepoint (the world’s largest commercial data broker) episode from early last year, hotels should ensure that all software related to storing customer data that is retained is automatically encrypted – most companies already do that. The key is to ensure that no outside agency gains access to it unless it is the subject of a subpoena.