A data breach encore. A moral hazard issue?

Data breaches, hackings, online invasions etc occur with such distressing regularity that there seems to be a sense of ennui when these incidents occur. The breaches result in more than a loss of privacy as was the case with Ashley Madison, something which Facebook founder Mark Zuckerberg airily dismissed as a given some years ago, but often cause considerable financial harm to companies and individuals.

Whether privacy has gone the way of the dodo or not data breaches present a different set of problems to consumers and businesses alike and ought not to be countenanced much less endured by firms. Nevertheless, some interesting research reported earlier this year in The Conversation suggests that there is an element of moral hazard at work that fails to incentivize companies to take data breaches more seriously and invest in cyber-security.

Benjamin Dean, the author of the article in the Conversation cites the example of Target where "the gross expenses from the data breach were $252 million. When we subtract insurance reimbursement, the losses fall to $162 million. If we subtract tax deductions (yes, breach-related expenses are deductible), the net losses tally $105 million."  That Mr. Dean points out was a rounding error amounting to a mere 0.1% of sales in 2014. In other words, Target had no incentive to step up its cyber-security both due to a de-minimis (to them) loss as well as very little if any customer blowback.


In the hotel space, the latest victim is Hilton Hotels and many of its brands as reported on the website Krebs on Security which focuses on cyber security. The site reports that the data breach was first noticed by Visa in an alert to various banks saying that it occurred sometime between April 21, 2015 to July 27, 2015.  Visa's policy precludes it from naming where the breach occurred but sources at five different banks soon "determined that the common point-of-purchase for cards included in that alert had only one commonality: They were all were used at Hilton properties, including the company‚Äôs flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts." 

It is not clear yet whether these breaches in the hospitality industry (Choice hotels had one a couple of years ago) stem from the same lack of financial incentive that has been ascribed to Target but its recurrence ought to spur a far more consumer sensitive industry than retail to be more proactive and responsive. After all in retail consumers  merely visit as opposed to staying or living in hotels. A memorable stay can quickly turn sour when on returning home guests find  both their privacy and finances ravaged.

Published by

Vijay Dandapani

Co-founder and president of a New York based hotel company for 24 years. Grew the firm to five hotels in Manhattan and also developed a greenfield project at MacArthur airport, New York. Speaker at numerous prestigious forums including Economy Hotels World Asia, Lodging Conference, NYU, Columbia University Real Estate Roundtable, Baruch College's Zicklin School and ALIS. President and ceo of New York City Hotel Association since January 2017.