A meeting professional’s responsibilities are far reaching, but they haven’t typically required knowledge of the host hotel’s guest-room door keycard system. That’s changed.
A flaw with Dormakaba’s Saflok electronic lock—which are installed on several million doors in more than 13,000 locations (mostly hotels)—makes them relatively easy to hack.
The vulnerability was revealed at a hackers convention in late 2022, but as Wired magazine recently reported, Dormakaba has only fixed 36 percent of the locks to date. Recent versions of the Saflok room-entry systems are relatively easy modernize and make secure: “Hotels will only need to update or replace the front-desk management system and have a technician carry out a relatively quick reprogramming of each lock, door by door,” the Wired article says. However, some older locks can’t be updated and need to be replaced.
Meetings-industry attorney Joshua Grimes, Esq., of Grimes Law Offices, LLC, suggests that planners’ due diligence around this security issue should start with several questions to the hotel: “Ask whether the hotels guest-room lock system is known to have any security flaws. And ask what brand they use, both for guest rooms and meeting space.”
If the hotel uses the Dormakaba’s Saflok system, “the question is what steps the property will take to make sure that the locks are fixed before your meeting. And what happens if they’re not fixed; what is the remedy?” Grimes asks. While planners could try to negotiate cancellation without penalty if the doors aren’t fixed, “I don’t know how practical that is,” Grimes admits. “Most groups aren’t going to learn that the lock issue hasn’t been addressed until maybe two months before the meetings. Are you really going to move?” Then again, maybe you would, he says, if the alternative is having to tell all your guests that you can’t guarantee that the locks on their guest-room doors are secure.
For groups already booked into a property with the not-completely-safe locks, Grimes says that planners need to sit down with the hotel to discuss how the issue can be addressed. Additional security is one option, he notes, and planners should work to have the hotel pick up the cost.
If there is a theft at a property with the Dormakaba Saflok system, Grimes notes that the hotels could be liable. “Hotels traditionally have very limited liability for valuables that are left in a guest room. Almost every state has a ‘limitation of liability’ statute, and a hotel is not responsible for loss above some token value. Those statutes were put in place because if someone claims that there's a theft from a hotel room, it's almost always a ‘he-said, she-said’ situation. However, while hotels have statutory protection, there is usually a requirement that they maintain a working lock on the guest-room door.” And with this widely reported security issue, it’s unlikely a hotel with vulnerable locks would be protected by the ‘limitation of liability’ statute that normally applies.
According to this article in Security Week, both security researchers and Dormakaba say they are unaware of anyone exploiting the system’s weaknesses as of yet. Nevertheless, risk remains. “It's in both the hotel's and the planner's best interests to address and fix hackable door locks as quickly as possible,” Grimes says. “For the hotel, it minimizes potential monetary liability arising from thefts, as well as bad publicity. For the group, it protects against losses to your guests, as well as damage to the group's reputation.”
