Appendix D - Data Security Letter Three
To: Hotel General Manager
Priority: High
From: Gary Gibb, President and Co-Founder, AutoClerk Inc.
Subject: Data Security, 2 Feb 2007, Letter #3
Data theft and the efforts required to secure oneself against it in a networked world are enormous distractions from your proper business. It is easy – too easy – to postpone action on this matter until a time when there is a lull in routine. And too dangerous. The incidence and severity of these crimes, as well as the magnitude of their financial consequences, increase measurably every month. If defensive measures are not already well under way, you must begin today.
AutoClerk asks that you join us in our ongoing initiative to deter and prevent cyber crime for the good of our guests and our industry. Improving your hotel's data security will better protect confidential guest information, including credit card information, which is the target of professional cyber-criminal organizations. Listed below are specific precautions that you can take to better prevent a security breach. *A security breach can have a serious financial impact on your business.*
AutoClerk is not a security company and its employees are not security professionals. The precautions listed below are only first steps in making your network more secure. They do not make your network Payment Card Industry (PCI) compliant. For further details on PCI compliance see www.visa.com/cisp. AutoClerk urges you to acquire the services of a fully accredited security assessor organization. For a list of such organizations see www.visa.com/cisp, click on "View all CISP downloads" and then select "Qualified Data Security Company List".
AutoClerk recommends that an AutoClerk technician perform an inspection of your hotel's AutoClerk installation. If your network is accessible through a broadband connection to the Internet, this inspection can be performed remotely. If your network is not broadband accessible then one of our technicians can visit your hotel for an on-site inspection. In either case, we ask that your network administrator and a representative of your hotel's management be made available to our technician to assure that every computer is inspected and to assist with any updates that might be needed. To schedule an inspection, please contact me directly at 925-871-1801, or mobile 925-324-1729, or send an email to compliance@autoclerk.com.
*The responsibility for the safety of your hotel's data rests with you and your network administrator, not with AutoClerk, so you must be confident that your network administrator is a trusted and competent party.* Your network administrator holds the master keys to your hotel's network security and data integrity. No other user of your hotel's computer network should be granted administrative rights, which also prevents those users from installing unauthorized software. Only the trusted network administrator should have the network permissions needed to install software authorized by hotel management. AutoClerk recommends that you conduct a background and resume check on your network administrator.
In order to keep hotel management and the hotel's network administrator informed, AutoClerk offers the following list of precautions to be considered:
1) Guest Data Deletion- Erase all AutoClerk guest data that does not reside in the \autoclerk directory of the hotel's server (dedicated or non-dedicated), with the one exception being backups that are both compressed and encrypted and are stored on the hard drive of AutoClerk station #1 or on removable media (typically 100 MB, 250 MB, or 750 MB zip disks). Truncate or erase as much guest credit card account data as possible. Credit card magnetic stripe data (also called track data) should never be stored at all. Upon request AutoClerk provides credit card utility programs to assist in the truncation of credit card data and the removal of legacy magnetic stripe data.
2) Server Lock Down- Lock down your hotel's dedicated server to restrict direct access to data to only those with administrative privileges (see [www.myautoclerk.com/autoclerk/portals/0/spiderlock.pdf] for technical details on how to implement a lock down). Dedicated servers should be placed out of harm's way in a vented, safe and secure location. For those hotels with non-dedicated servers (running on AutoClerk station #1), consider switching to a dedicated server configuration for better security and system dependability. A dedicated server network can better support strong, enterprise-level anti-virus and anti-spyware enforcement with ongoing updates, while keeping user stations restricted to non-administrative access. A dedicated server does not need to be running Microsoft Server 2003. Other less expensive operating system (OS) software products will often suffice, such as Microsoft Windows XP-Pro or Small Business Server 2003. Be sure to check www.myautoclerk.com before purchasing new equipment.
3) OS Encryption- Enable Windows OS encryption of the \autoclerk server directories: data, profile, spool, and archive. If Central Reservation System (CRS) interfaces are installed then also encrypt those directories that are used for CRS communication. To be prepared for data recovery of an encrypted directory, be sure to save a password-protected copy of the OS encryption certificate. The encryption process should be done under the same login name of the user account (typically user autoclerk) that will be running AutoClerk's server executable and interfaces. The encryption process, when first initiated, can take many hours to complete and it requires that all users be logged out of AutoClerk. The exact amount of time required depends on the size of the hotel's AutoClerk dataset and the speed of the hotel's server.
4) Drive Scrubbing- After erasing files with guest data, or after running an AutoClerk credit card utility program, or after performing OS encryption of files, be sure to empty the Windows recycle bin and then run a drive scrubber to purge sensitive data from the physical surface of the drive. There are many scrubbers in the marketplace, for example, www.cyberscrub.com (a commercial product) and www.heidi.ie/eraser/ (a freeware product).
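The sequence described in items 3 and 4 (encrypt the \autoclerk directories under the service account, back up the EFS certificate, empty the recycle bin, then scrub freed space) as a PowerShell script. This is an added example, not AutoClerk's code or a tool from the letter; it uses the Windows EFS utility cipher.exe, whose /E, /A, /H, /S, /X, /W and /U /N switches are documented Windows switches. It assumes \autoclerk is C:\autoclerk (the letter gives only the relative path), that it is run in a PowerShell session logged on as the autoclerk user with every clerk logged out, and that removable media for the certificate backup is mounted as E:.

```powershell
# Added example (not AutoClerk code). Run as the account that will run the AutoClerk
# server executable (typically "autoclerk"), with all clerks logged out.
# ASSUMPTIONS: \autoclerk is C:\autoclerk; E:\ is removable media for the certificate backup.

$ServerRoot = 'C:\autoclerk'                        # assumed location of \autoclerk
$Dirs       = 'data', 'profile', 'spool', 'archive' # directories named in item 3
$CertBackup = 'E:\autoclerk-efs-cert'               # assumed backup path; cipher writes a .pfx

# Item 3: mark each directory encrypted and encrypt the files already inside it.
#   /E encrypt, /A files as well as directories, /H include hidden/system files, /S:<dir> recurse.
foreach ($name in $Dirs) {
    $path = Join-Path $ServerRoot $name
    if (Test-Path -LiteralPath $path) {
        cipher /E /A /H "/S:$path"
    } else {
        Write-Warning "Directory $path not found; skipping"
    }
}

# Item 3: back up this user's EFS certificate and private key. cipher prompts for a
# password and writes a password-protected .pfx. Without this file, a reinstall of Windows
# or a lost profile makes every encrypted directory unrecoverable.
cipher /X $CertBackup

# Item 4: empty the Recycle Bin (Shell special folder 0x0A) so deleted guest data is not
# sitting there in clear text ...
$recycleBin = (New-Object -ComObject Shell.Application).Namespace(0x0A)
$recycleBin.Items() | ForEach-Object { Remove-Item -LiteralPath $_.Path -Recurse -Force }

# ... then overwrite the free space on the volume holding \autoclerk so the clusters freed
# by the deletions and by the plaintext-to-ciphertext rewrite cannot be read back.
# cipher /W makes three passes (zeros, ones, random) and can take hours on a large volume.
cipher "/W:$ServerRoot"

# Verification: the Encrypted attribute must be set on every listed directory ...
function Test-EfsDirectory([string]$Path) {
    $attr = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attr -band [IO.FileAttributes]::Encrypted) -ne 0)
}
foreach ($name in $Dirs) {
    $path = Join-Path $ServerRoot $name
    "{0}: encrypted={1}" -f $path, (Test-EfsDirectory $path)
}
# ... and "cipher /U /N" lists every encrypted file on the machine without changing it,
# a quick way to confirm that no CRS interface directory was missed.
cipher /U /N
```

Keep the .pfx on media that is stored away from the server: anyone holding it together with its password can decrypt the data, and anyone without it cannot recover the data after a failure.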
5) Change passwords- Change all passwords on a regular basis, including but not limited to i) Windows OS passwords, especially the password for user "autoclerk", ii) AutoClerk program clerk ID passwords, iii) remote access passwords such as those in PC Anywhere (PCA), and iv) AutoClerk's configuration menu access password. All stations running PCA in host mode should have their passwords changed and PCA restarted in order for the password to take effect. All passwords should have a minimum length of seven alpha and numeric characters. Terminated employees should have their AutoClerk clerk IDs removed immediately upon termination. Change AutoClerk's configuration access password if the terminated employee knew the password. Only hotel employees with the "need to know" should be granted access to AutoClerk, and only hotel management employees with the "need to know" should be granted access to AutoClerk's configuration menu.
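The Windows side of item 5 (enforcing the seven-character minimum, regular rotation, and disabling a departed employee's account) as a PowerShell script. This is an added example and not AutoClerk's code; the AutoClerk clerk IDs, PCA accounts and configuration password are changed inside those programs and are not covered here. The net accounts and net user switches are documented Windows switches. The 90-day rotation interval and the five-password history are this example's own choices, since the letter asks only for regular changes, and the reading of "alpha and numeric" as "at least one letter and at least one digit" is likewise an assumption.

```powershell
# Added example (not AutoClerk code). Run from an administrator prompt on the server.
# ASSUMPTIONS: 90-day maximum age and 5-password history are this example's choices.

# Enforce the letter's minimum length for every local Windows account, so a shorter
# password cannot be set even by accident.
net accounts /minpwlen:7 /maxpwage:90 /uniquepw:5
net accounts    # prints the effective policy; keep the output with the security log

# Check a proposed password against the letter's rule: at least seven characters,
# letters and digits only, with at least one letter and one digit (assumed reading).
function Test-AutoClerkPassword([string]$Password) {
    if ($Password.Length -lt 7)                 { return $false }
    if ($Password -notmatch '^[A-Za-z0-9]+$')   { return $false }
    return (($Password -match '[A-Za-z]') -and ($Password -match '[0-9]'))
}
"password1 ok:   {0}" -f (Test-AutoClerkPassword 'password1')   # True
"abc123 ok:      {0}" -f (Test-AutoClerkPassword 'abc123')      # False: too short
"frontdesk ok:   {0}" -f (Test-AutoClerkPassword 'frontdesk')   # False: no digit

# Offboarding: disable, rather than delete, a terminated employee's Windows account so
# that it can no longer log on but its files and audit trail remain for review.
function Disable-HotelAccount([string]$UserName) {
    net user $UserName /active:no
}
# Disable-HotelAccount 'jsmith'   # hypothetical account name

# Who currently holds the administrator "master keys"? Only the network administrator's
# account belongs in this group; review it after every staff change.
net localgroup Administrators
```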
6) Remote Access via 3rd Party Software- Delete any unknown or untrusted PC Anywhere (PCA) user accounts. Enable PCA session encryption on all accounts and deny connections from remote users requesting a lower level of encryption. For hotels with dedicated servers, enable the PCA "lock console" option upon normal or abnormal PCA end-of-session. Delete any unauthorized remote communication software that might be used by hackers to gain data access, for example VNC, GoToMyPC, Carbon Copy, and FTP utilities.
7) Manage Internet Access- Restrict or severely limit clerk Internet access from the hotel systems that handle your customers' information. Clerks surfing the Internet and opening email attachments can easily infect your network with viruses and other malicious software that can compromise the integrity of your computer network. A compromised network can result in hackers breaking into your network and stealing data, which can have a serious negative financial impact on your business. Only web sites approved by hotel management should be accessible for Internet access, thereby preventing clerks from visiting potentially dangerous web sites. Consider implementing junk or spam email screening software that can automatically filter out many dangerous email attachments. For Internet surfing, use Mozilla Firefox. Security experts report that in general Firefox is more secure than Microsoft Internet Explorer (IE) because IE has more published exploits and, by default, Firefox does not support ActiveX scripts. ActiveX scripts are commonly used by hackers to compromise computer systems. See [www.agnitum.com/news/securityinsight/december2005issue.php] for more information.
8) Restrict IP Access- Configure your network router/firewall to only allow remote IP access from trusted sites such as the fixed IP address of your home office or other defined and known location.
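Item 8 applied to the Windows Firewall of an XP SP2 or Server 2003 SP1 host, as an added PowerShell example that is not part of the letter or of AutoClerk's software; the same source restriction belongs on the hotel's router/firewall, whose syntax depends on the vendor. It assumes that remote access is by Terminal Services (TCP 3389) and pcAnywhere (TCP 5631 and UDP 5632), those products' well-known default ports, and that 203.0.113.10 stands in for the home office's fixed address (a constructed, documentation-range value). The netsh firewall commands and switches used are documented for those Windows versions.

```powershell
# Added example (not AutoClerk code). Windows Firewall on an XP SP2 / Server 2003 SP1 host.
# ASSUMPTIONS: 203.0.113.10 is a constructed stand-in for the home office's fixed IP;
# remote access uses Terminal Services (3389/tcp) and pcAnywhere (5631/tcp, 5632/udp).

$TrustedAddresses = '203.0.113.10'   # several: '203.0.113.10,198.51.100.0/24'

# Firewall on for every profile, so the Internet-facing interface is covered too.
netsh firewall set opmode mode=ENABLE profile=ALL

# Open each remote-access port ONLY to the trusted addresses (scope=CUSTOM) instead of
# to the whole Internet (scope=ALL). Re-running a line replaces the port's earlier scope.
netsh firewall set portopening protocol=TCP port=3389 name=TerminalServices mode=ENABLE scope=CUSTOM addresses=$TrustedAddresses
netsh firewall set portopening protocol=TCP port=5631 name=pcAnywhereData   mode=ENABLE scope=CUSTOM addresses=$TrustedAddresses
netsh firewall set portopening protocol=UDP port=5632 name=pcAnywhereStatus mode=ENABLE scope=CUSTOM addresses=$TrustedAddresses

# Log dropped packets so the Incident Response Log called for in item 11 has a source:
# connection attempts from untrusted addresses show up here as DROP lines.
netsh firewall set logging droppedpackets=ENABLE filelocation=$env:windir\pfirewall.log maxfilesize=4096

# Review: every exception should show a custom scope listing the trusted addresses,
# never "Any"/all addresses.
netsh firewall show portopening verbose=ENABLE
netsh firewall show logging
```

Scoping a port to a fixed address does not replace session encryption and strong passwords (items 5 and 6); it reduces who can reach the logon prompt at all.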
9) IP Scanning- Regular and rigorous IP network scans should be performed and the results analyzed to identify potential vulnerabilities in your network; see the AutoClerk security letter dated July 26, 2006 for details. A copy of the letter can be obtained at [www.myautoclerk.com].
10) Network and Internet Segmentation- Internet access provided to guests (in public spaces or in guest rooms) should be on a separate network segment and should not be part of any network connected to the hotel's AutoClerk server. Likewise, any wireless Internet access provided to guests or employees should also be on a separate network segment and should not be part of any network connected to the hotel's AutoClerk server.
11) Incident Response Log- Develop and maintain an Incident Response Log that tracks activity taking place on the network. Seemingly insignificant pings on the system can be a precursor of an upcoming attack by hackers. The log should record the response to each incident.
12) Local AutoClerk Stations, No Wireless- Local AutoClerk stations at the hotel should not use wireless technology.
13) Remote AutoClerk Stations, Only Terminal Services- Remote AutoClerk stations should only use Microsoft Terminal Services. Your hotel's network infrastructure may need to be upgraded to properly support terminal services; for example, Windows XP-Pro does not support terminal services in background sessions. Call AutoClerk to schedule a re-installation of remote stations under terminal services. You will likely see a significant speed increase when running remote stations via terminal services.
14) Current Versions Only- Run only the most recent Microsoft operating systems (for example, stations should be using Windows XP-Pro) with the latest operating system service pack upgrades installed on an on-going basis. Protect all PCs with up-to-date antivirus, anti-spyware, and anti-malware protection. Verify that your hotel is running the most current AutoClerk-approved production version of the AutoClerk property management system.
15) Data Media Disposal- If old computer equipment is upgraded, or old removable backup media (such as zip disks) are replaced by new media, be sure to thoroughly erase all data on the old hard disks or old media before discarding them. Proper erasing is more than just erasing a file in a directory. It is best to do a low-level reformat and a scrub of the magnetic surface and then a physical destruction of the media by drilling a hole through the magnetic surface. Zip disks can be taken apart to expose the magnetic disk, which can then be cut with scissors.
16) No VOIP- Voice-over-IP (VOIP) phone lines should not be used for credit card modem processing.
17) Console Locking- Configure dedicated server consoles to lock automatically after 1 minute of user inactivity on the mouse or keyboard.
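Item 17 as a PowerShell script for a dedicated server running Windows Server 2003 or XP-Pro: the one-minute idle lock is the password-protected screen saver, configured through the documented values under HKCU\Control Panel\Desktop. This is an added example and not AutoClerk's code. It assumes the blank screen saver scrnsave.scr shipped with Windows is used; because these values belong to the logged-on user's profile, the script must be run once under each account allowed to log on at the console (or the same values pushed by Group Policy).

```powershell
# Added example (not AutoClerk code). Lock the dedicated server console after 60 idle seconds.
# Per-user settings: run under every account that may log on at the console.
# ASSUMPTION: the built-in blank screen saver (scrnsave.scr) is used.

$DesktopKey = 'HKCU:\Control Panel\Desktop'
$Settings = @{
    'ScreenSaveActive'    = '1'    # screen saver enabled
    'ScreenSaveTimeOut'   = '60'   # idle seconds before it starts: the letter's 1 minute
    'ScreenSaverIsSecure' = '1'    # password required to resume, i.e. the console is locked
    'SCRNSAVE.EXE'        = (Join-Path $env:windir 'system32\scrnsave.scr')
}
foreach ($name in $Settings.Keys) {
    Set-ItemProperty -Path $DesktopKey -Name $name -Value $Settings[$name]
}

# Verify the effective values: True only when the saver is on, password-protected,
# and starts within the allowed idle time. Useful as a periodic check on every console.
function Test-ConsoleLockPolicy([int]$MaxIdleSeconds = 60) {
    $p = Get-ItemProperty -Path $DesktopKey
    return (($p.ScreenSaveActive -eq '1') -and
            ($p.ScreenSaverIsSecure -eq '1') -and
            ([int]$p.ScreenSaveTimeOut -le $MaxIdleSeconds))
}
"Console lock policy in place: {0}" -f (Test-ConsoleLockPolicy)

# The new values are read at the next logon. To lock the console immediately, e.g. when
# stepping away from the server, run:
#   rundll32.exe user32.dll,LockWorkStation
```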
18) Security Vulnerability Log- Develop and maintain a Security Vulnerability Log for keeping track of how security vulnerabilities are being dealt with over time.
19) Managed Services Provider- Enter into a Managed Services Provider (MSP) contract with an IT service firm. MSP costs are low and fixed, billed monthly, and in return you get unlimited remote maintenance and support for your computer network. It moves you away from a reactive model (time and materials) to a proactive model (MSP). The shift is very significant. An IT service firm that works under the time and materials model will generate revenue when their clients (you) have IT problems. However, an IT service firm that operates under the MSP model will lose money when you have IT problems because they offer a fixed fee contract. MSP firms will work to ensure your IT systems are operating as efficiently and effectively as possible. It's in their best interest to keep your systems up and running.
20) Security Scanning- Run a host security scanner (e.g. Microsoft's Baseline Security Analyzer, MBSA), and fix anything it red-flags. MBSA is an easy-to-use tool designed for the IT professional that helps businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.
21) AutoClerk Password Policy- Be familiar with AutoClerk's password policies. AutoClerk has a very strict policy regarding passwords. Should anyone from the hotel (including general manager and owners) request an administrative OS system password from an AutoClerk employee then the AutoClerk employee will respond, as follows:
"Windows operating system (OS) user names and passwords are implemented by the hotel's network administrator, NOT AutoClerk. The hotel's network administrator takes orders from hotel management, NOT AutoClerk. For data security purposes, I am not permitted to disclose Windows OS user names and passwords that have administrative permissions. If I do so then my job is at risk. Please be advised that there is always a trade-off between security and convenience. I apologize for any inconvenience to you or your guests. If you wish to dispute this policy then I ask that you speak with my supervisor. If you wish to obtain the password or change the password then please contact your hotel's network administrator. Our records indicate it is <network administrator on record>."
In order to facilitate better and more timely communication of critical data security-related information between AutoClerk and hotel management, please fill in the form below and fax back this page, attention: Gary Gibb, fax #925-284-3423.
Hotel General Manager Name (please print): _____________________________________________
Email address for AutoClerk security notices:_____________________________________________
Hotel Name: ____________________________________
Hotel Phone #: ____________________
Total Local AutoClerk PC stations (at hotel): _____
Remote AutoClerk PC stations (off site):______
Does hotel have a dedicated AutoClerk server PC? (please circle one) Yes No Unknown
Do you request an AutoClerk technician to inspect your AutoClerk PCs? (please circle one, prices quoted are valid until June 30, 2007)
Yes, in person (cost is $150 per hour plus travel expenses)
Yes, not in person, use broadband remote access (cost is $25 per PC)
No, I decline
Date: ___________________________
Hotel General Manager signature (please sign):
________________________________________