Why is the hospitality industry such a frequent target? What makes this industry uniquely vulnerable to information threats? This article will examine those questions and suggest certain measures that hotel and restaurant companies can employ to try to mitigate the risks to information that they own or possess.

Multiple Parties Are Involved In The Equation

Hotel companies and many restaurant companies face unusual problems when it comes to cyber security and vulnerability to data theft/loss due to traditional ownership/management/franchise structures as well as the way hotels and restaurants tend to operate.

For branded hotels (and many branded restaurants) there are typically at least three parties are involved in a functioning hotel business: the franchisor or “brand,” the owner (or owners’ group) and the operator a/k/a the management company. Each of those entities plays a particular role in the function of the hotel as a business, and each may have its own computer systems or stored information:

Franchisor

• Owns the “flag” of the brand and in exchange for use of its marks and marketing services, can impose its own standards for hotel features, including the process for booking rooms;
• Typically mandates that the owner install a particular hardware/software suite to handle the reservations functions;
• Maintains ownership and control of that system through contractual means; and
• Typically claims ownership of guest data that is input into the reservations system by hotel employees or others.

Owner

• Typically not the brand; could be individuals, investor groups or major asset holding companies, including investment funds, insurance companies, banks;
• May have varying degrees of involvement in operational issues that include guest or employee data; and
• May own separate “point of sale” payment card systems for food/beverage/retail outlets situated within the hotel; and

Operator

• If independent from Owner, will usually have a management agreement with the Owner that establishes an agency relationship with Owner for purposes of all day-to-day hotel operations;
• Third party operators are usually the formal employers of hotel personnel and maintain all employee data (including Social Security Numbers);
• May collect guest data prior to inputting same into the reservations and management system owned by the franchisor, if the hotel is branded; and
• May obtain and maintain payment card information associated with group bookings.

Sometimes the complex relationship between franchisors, owners and operators requires that information be shared, or that separate computer systems be tied to each other. For example, as indicated above, major hotel brands require all of their franchised hotels to utilize the brand’s reservations and management computer system when booking or checking in all guests. Thus, hotel owners and operators are forced to have their own on-site personnel utilize the computer system of another company when transacting business with guests. In addition, hotels, like restaurants and other consumer businesses, often permit interfacing between their own computer systems and those of third party vendors or credit card processors.

All of this means that hotel and restaurant systems are to some extent dependent upon the security measures and practices of other entities which the hotels and restaurants do not control. A classic example of this is the Wyndham Worldwide breaches which occurred 2008 and 2010, where hackers were able to penetrate Wyndham’s central reservations database through a hack of a single franchised hotel, and then use the Wyndham system’s connections to dozens of other individual franchised hotels to steal hundreds of thousands of sets of credit card data.

The Hospitality Industry Does Business By Payment Card

Credit and debit card data has long been a preferred target of data thieves. Payment by card is the mainstay of most hotels and restaurants.. Therefore, hotels and restaurants represent a tantalizing treasure chest of data for cyber criminals to try to crack open.

The Wyndham Worldwide series of data breaches, where the brand’s reservations system was the subject of the attacks, were certainly notorious in the world of hotel data incidents, but statistically most credit card data theft in hotels occurs due to malware affecting point-of-sale (“POS”) systems, rather than the brand reservations systems for guest room bookings. Of the twenty-one most high-profile hotel company data breaches that have occurred since 2010, twenty of them were a result of malware affecting point-of-sale systems in hotel restaurant, bar and retail outlets. This is also true for the recent restaurant data breaches affecting Wendy’s, Arby’s, Landry’s and Noodles & Company, which were all the result of malware affecting point-of-sale systems in several locations.

Cyber criminals, through a variety of methods, are able to infect POS systems with credit card data-scraping malware that captures personal account data at some point during the payment process. This malware is often capable of moving between connected systems and may infect groups of hotels and restaurants that are either related by common brand or by a common third party operator and may often operate for several months or even years before being detected by the operator.

Some hotel credit card compromises are not high-tech in nature. Many hotels still tend to receive faxed credit card authorization forms for company bookings or group bookings, and often the faxed paper forms, which contain credit card numbers and expiration dates, are kept in a non-secure manner, such as in binders behind the hotel front desk. These paper forms are susceptible to being lost or stolen, and while many state breach notification laws do not expressly cover loss or theft of paper data, a growing number of state laws do. For example, the data breach laws of California, Hawaii and Alaska all protect data in any form, including paper, that contains personally identifying information.

In addition to these “paper” breaches, the hotel industry is also vulnerable to identity thieves targeting guests who may be unfamiliar with the area or the hotel. The thieves use various schemes including calling hotel guests, posing as the front desk, to ask for updated credit card information or leaving fliers for pizza delivery with phone numbers directed to thieves who take down the guest’s credit card information.

Employee Turnover and Fluidity Contribute to Security Problems

In the hospitality world there tends to be a high degree of movement of employees in and out of particular locations. Hotel operators will transfer their skilled employees to other locations where they may be needed. Employees in less skilled positions tend to come and go frequently as well. Hotel or restaurant owners may decide to change third-party operating companies, and the new operator will bring in its own management-level employees to manage the location. Maintaining a consistently trained workforce can be a challenge for both the hotel industry shares with the restaurant industry.

In recent years many information security industry experts have identified a company’s employees as its most vulnerable point from a data security perspective. A fluid workforce means that it is more difficult to train employees in the secure receipt and treatment of personal information, in complying with privacy and security policies, in protecting and changing user access credentials, and in being alert for social engineering attempts. Keeping up with which employees have access to different levels of information is also challenging when there are frequent changes of personnel at particular job levels. Only certain job functions within a hotel setting require access to guest or employee personally identifying information, and hotel companies (as well as companies in other industries) are not always as careful as they should be about controlling access by job grade/description and making sure access is eliminated when an employee moves out of a particular position or is terminated.

How Can Hospitality Companies Better Prepare for and Combat Cyber Threats?

While hospitality companies have unique problems that tend to make them more vulnerable to threats of compromise and theft of personal information, there are ways that these companies can prepare for and mitigate against such risks, and there are lessons to be learned from looking at prior data security incidents. In analyzing recent breaches, it is likely that utilization of the following practices could have mitigated or prevented such incidents.

• Contractual Risk-Shifting and Secure Handling Requirements: Franchisors, owners and operators, in their dealings with each other and third parties such as vendors and contractors, can help to control the risks inherent in sharing systems or information with others. Requiring specific cyber incident indemnification, where negotiating leverage permits, is useful to protect hotel companies from the economic consequences of a breach incident caused by or contributed to by another party. In addition, contract provisions requiring compliance with minimum information security standards (e.g., compliance with Payment Card Industry Data Security Standards a/k/a “PCI-DSS”) or mandating third party compliance with a hotel company’s own security policies can reduce the risk
  of cyber incidents.
• Employee Policy Enforcement and Training: Despite the fluidity of management and staff employees that is attendant to operating a hotel or restaurant, operators can and should consistently update their employee policies on data security and rigorously train employees who have access to data or systems. Where employees do not require access to personal information to perform their job functions, that access should be terminated. Policies concerning use of mobile devices, external information storage devices and internet usage should be enforced. In addition, to protect against identity thieves, employees should be trained on how to advise guests on potential risks and how to identify suspicious behavior and when to report suspected identity theft or data breaches.
• Guard Guest and Customer Card Data: Considering that POS malware attacks are a very common type of cyber incident affecting hotels and restaurants, operators and owners should take extra care in selecting their POS system vendors and credit card processors. Agreements with those entities should be vetted and, if possible, modified to add protection and minimum data handling standards for the outside vendor. Compliance with PCI-DSS not only helps to ensure that data security software, hardware and practices are safer, but also helps to protect against fines and penalties which may be levied against hotels by the credit card industry for noncompliance with PCI-DSS when a breach occurs.

Authors

Sandy Brian Garfinkel Mr. Garfinkel is a member with the law firm of Eckert Seamans Cherin & Mellott, LLC. He maintains a busy and diverse business litigation practice with a particular emphasis in the hospitality industry. As part of his work in the hospitality world he regularly assists hotel management and ownership companies in preparing for and responding to breaches of data security. He is also the founder and chair of the firm’s Data Security & Privacy Practice Group.Mr. Garfinkel can be reached at 412.566.6868 or at sgarfinkel@eckertseamans.com.

Malgorzata “Gosia” Kosturek Ms. Kosturek focuses her practice on hospitality law and general corporate law. She assists clients in numerous types of corporate transactions, including acquisitions, mergers, and financings, primarily in the hospitality industry. She is also a member of the firm’s Data Security & Privacy Practice Group. Ms. Kosturek can be reached at 412.566.6180 or at gkosturek@eckertseamans.com.

Slip and falls are the number one cause of accidents in hotels, restaurants and public buildings according to the Bureau of Labor Statistics. Injuries from a seemingly incidental fall here or trip there are estimated to cost some $70 billion annually according to the National Safety Council.

In fact, the Centers for Disease Control has determined over one million people each year are injured in slip and fall accidents and unbelievably more than 70 percent of these slip and fall injuries occur on flat level surfaces. And it’s not just hotel or restaurant guests that are impacted: the National Safety Council estimated compensation and medical costs associated with just employee slip and falls is approximately $7 billion annually.

We’ve all seen people trip, and yes sometimes if it’s someone we know, a little stumble can even be a bit funny but really these kinds of accidents are no laughing matter. OSHA has reported slips, trips and falls are 15% of all accidental deaths and are second only to motor vehicle accidents as the cause of death and account for over 17,000 deaths each year.

The most common causes of slip and falls are obvious, and it would seem because of this, easy fixes, but those don’t always happen. We will take a closer look at some of the most common causes for slip and fall accidents and steps that can be taken toward preventing them in the future.

Common causes of slip and fall accidents (and how to help avoid them in the first place)

First, it’s important to examine some of the most common causes (direct and indirect) of slip and fall accidents. Direct causes are such things as spilled liquids, food, cracked or broken tiles, worn mats, cracked or broken sidewalks, uneven steps, ice and snow, potholes, and physical obstacles. Indirect causes include inadequate or dim lighting, and missing handrails or guardrails, among other things. Some of the most common causes include:

• Wet Floors. Food or beverages, rain, snow, and ice can be deposited on the floor or tracked into buildings. In reviewing housekeeping, maintenance, and cleaning policies, floors should be cleaned during non-peak hours and the premises inspected on a consistent and routine basis. Audits should be conducted, and performance tracked and retained. Cleaning/Checklists should be filled out and retained for a sufficient period of time. Caution/warning signs need to be placed in close proximity to the actual spill or wet area. These signs should be sufficient in number and placed in a timely manner so as to provide adequate warning.
• Ice and Snow. A business is responsible for the sidewalks, parking lots and landscaping on their property. Walkways may include areas outside the sidewalks immediately surrounding the building. In most cases, the law does not require a business owner to remove snow and ice off the property. However, if the weather causes an unusually heavy accumulation of snow on the roof, and that snow then melts and drips off onto the sidewalk and freezes on the ground, the business owner could be held responsible for an injury resulting from the ice created by the melting and refreezing. Regular inspections of the property, gutters and downspouts will help identify potential problems.
• Misplaced Physical Objects. Misplaced mats, furniture, door stops, moldings, fallen merchandise, power cords or wiring can all be the source of a slip and fall injury. A number of hotels and/or restaurants have made it the responsibility of the surveillance teams to monitor various areas of the property and notify the proper internal group to address any perceived problems.
• Congested Means of Ingress and Egress. Business owners must ensure adequate means for patrons to enter and exit the building or premises without severe congestion. Heavy amounts of congestion through obstructed areas could cause a business owner to become liable for injuries stemming from the congestion. To address these concerns building maintenance coordinates with the event planers in scheduling on-going maintenance so as have minimal impact on visitors.
• Inadequate Lighting. Dim or inadequate lighting can result in liability by hiding hazards such as steps, curbs, potholes or uneven pavement (and it can also invite criminals to assault or steal from patrons).
• And a Note about Sidewalks. In some jurisdictions, the property owner is responsible for maintaining the sidewalk adjacent to its property. In other jurisdictions, the business owner and governmental entity share the responsibility for maintaining the sidewalk.

Preventative steps can help avoid slip and fall accidents

In addition to safety training, take time to survey a property – note potential hazards and take immediate action to eliminate these hazards. These steps include:

• Maintaining floors, sidewalks, aisles, and walkways at regular intervals and documenting the inspections.
• Provide regular training for employees regarding safety measures and protocols with immediate reporting.
• Create safety protocols and instruct employees in slip and fall safety – create and retain incident reports. Instruct employees on procedures for assisting customers who have fallen – emergency assistance police and rescue.
• Conduct regular maintenance of outdoor areas including sidewalks, play areas, and parking lots and, monitor and repair landscaping, potholes, and lane markings, and remove any obstacles.
• Maintain records of maintenance including actions to remove and repair conditions. Make sure governmental inspections are all passed and maintain proof of passing scores.
• Conduct regular safety surveillance of mats, carpeted floors, lighting, litter, fallen merchandise, and uneven or buckled flooring.
• Maintain proper liability insurance with periodic policy reviews.
• Improve safety through constant monitoring, setting benchmarks, and examining policies and procedures.

Beyond these day-to-day safety procedures and protocols, staff training, and monitoring/inspections to ensure the safety of your grounds, there are some “big picture” planning principles that can be implemented. For example, it’s important to measure (and record) the slip resistance of all floor surfaces (both wet and dry) on the property.

A number of hotel, restaurant and resort companies have started to address slip and fall concerns by conducting floor slip resistance testing, which establishes baseline benchmarks using a tribometer set to ASTM requirements in order to establish both dry and wet coefficients of friction for inside and outside walking surfaces. They then monitor the findings and conduct routine audits to ensure compliance with standards (and promptly take any corrective action as required). It is critically important to establish this baseline, in case of future claims geared toward improper flooring.

Also, when considering the installation of new flooring, take the opportunity at the initial design and material selection stage to ensure that appropriate design and materials are used, with safety top-of-mind. With respect to existing floors, if your internal floor slip resistance testing demonstrates a below standard coefficient of friction, steps will need to be taken to replace or apply various treatments to bring the flooring up to standard. Implementing a science-based, measurable, benchmarked, and audited program can go a long way in limiting liability and capturing value for your organization.

What to do if a slip and fall accident occurs

Unfortunately, even when all of the necessary safety precautions are in place, slip and fall accidents can still happen. Hotel or restaurant owners and operators need to understand it starts at the top. Safety is a culture and that means from the CEO on down. It is every single employees’ duty to improve safety. Training staff is critically important in building a culture of safety. Part of this training includes (periodically conducting drills on these slip and fall protocols) to make sure everyone is prepared and trained for what to do in the event an incident occurs, as the likely first responders to slip and fall incidents:

• Offer assistance – immediately call for medical attention, police, and other first-responders, as appropriate.
• Gather documentation – prepare a comprehensive incident report, including witness statements and contact information, and a statement from the injured party.
• Secure video surveillance footage and/or take photographs of the scene and the claimant (if they allow you).
• Report the incident to risk management, legal and the insurance carrier.
• Follow-up with claimant within 24 hours. Let them know of your concern, and find out if they sought medical attention. Also have a corporate representative contact them within a few days, and maintain records of all contact (and outcomes). If the area of the fall is defective, make sure building operations and risk management are aware of the hazard so that it can be repaired as soon as possible.
• Preserve evidence, i.e. a mat, floor tile, etc. DO NOT conceal evidence. It can result in additional damages from a separate cause of action for spoliation of evidence.
• Monitor for and keep record of social media postings by the claimant/plaintiff.

Slip and falls may still happen, so what’s next?

Even with the best of intentions, and with industry leading policies and procedures, proper vigilance and pro-active maintenance and repair, slip and fall accidents will still occur. For property owners in the hospitality industry, it is crucial to develop world class legal protocols designed to limit liability and manage slip and falls when they do happen.

All strategies begin with an initial assessment or audit. Where are we experiencing incidents? How often are they occurring? What can we learn about each incident? After collecting this data the next step is to establish benchmarks. Benchmarks should be established by specific measurement where practical. Gathering data from insurance carriers or brokers and other similar players within the industry are helpful in evaluating how your business compares to others in the same industry. Then implementing a program of constant monitoring followed up by auditing those results will create a culture of safety that will produce measureable cost savings. This culture of safety may involve creating custom models designed to address specific concerns or more broad applications to address systemic problems.

In the final analysis, creating a culture of safety will produce a significant reduction in litigation costs. Even though slip and falls may be a cost of doing business in the profitable and visible hospitality industry, the safety of guests, staff and other visitors does not have to take a back seat to profit.

David Willis, a trial attorney with more than 25 years of litigation experience, focuses his national practice in the defense of corporations in the areas of complex tort, commercial, and employment law. He represents both public and private corporations in the areas of hospitality, specifically the food and beverage industry, franchise, health care, transportation, and environmental law. David has extensive multi-jurisdictional trial experience and has tried to verdict over 50 cases in state and federal courts.

Eckert Seamans’ practice reflects virtually every industry and segment of the country’s business. Clients include Fortune 500 companies, financial institutions,newspapers and other media, hotels, health care organizations, airlines, and railroads. The firm also represents numerous federal, state, and local governmentaland educational entities. In order to provide access to legal resources that enhance our ability to serve clients’ needs around the world, Eckert Seamans is a memberfirm of SCG Legal, a global network of over 145 independent law firms located in 82countries. For more information about the firm, please visit www.eckertseamans.com

co-authored by Sandy Garfinkel and Eric J. Zagrocki

Hotel owners and operators may be surprised to learn that that under many states’ laws, hotel guests who stay for lengthy amounts of time may be deemed to have become tenants rather than hotel guests.  These hotel companies may be in for a surprise if it ever becomes necessary to ask the guest to leave the property because of nonpayment, inappropriate conduct or a myriad of other issues that may arise with a long term guest.  Once a guest is considered to be a tenant in the eyes of the law, the process of formal eviction under a state’s landlord-tenant statutes, rather than simple ejection from the property under more favorable hotel-guest provisions, may have to be followed, and that process can be time-consuming and costly.

When dealing with a long term guest, rights and duties of the guest and the hotel will vary depending upon the applicable state law, and states vary widely in how they treat this situation.  Although an exhaustive review of all state laws will not be provided in this article, a few specific examples illustrate the story.

Under New York state laws, a “tenant” is defined to include an occupant of one or more rooms in a hotel who has been in possession for 30 consecutive days or longer, but is not a “transient occupant.”  There is no precise standard in New York for determining whether a person is a “transient occupant.”  Rather, the answer depends upon the entire context of the situation, including whether there is evidence that the person has a permanent residence elsewhere and that the period of his or her stay at the hotel is not intended to be permanent.  A number of other states use the “transient occupant” (also sometimes called “transient guest”) concept as part of their analysis on this topic.

In New York, once a hotel guest has become a “tenant,” he or she may not be removed from occupancy of the hotel room unless specific eviction procedures are followed.  For example, a written eviction notice must be personally served on the tenant at least 30 days before the hotel may do anything to recover possession of the room.  Other guests may find it odd that legal eviction notices are posted on adjoining hotel rooms.  If the tenant does not voluntarily leave by the end of the notice period, the hotel must file a petition with the courts seeking ejectment and possession of the room, which requires notice to the tenant, as well as a hearing.  Weeks and months may pass while this process takes its course.

In contrast, Texas treats this situation very differently.  There, no statute exists which defines when the status of a hotel guest may transform into that of a tenant.  That question turns instead upon whether the guest can establish that he or she has “exclusive possession” of the room.  Texas courts have held that “exclusive possession” does not exist where the hotel continues to exercise control over the room during the guest’s occupancy.  “Control” may include the fact that hotel personnel clean and maintain the room and that the hotel maintains a key to the room, among other things.  If a guest cannot establish exclusive possession of the room, then statutory eviction procedures need not be followed for the hotel to eject the guest and recover possession of the room.

Louisiana takes yet a different approach.  There, if at the time a guest checks in, a departure date has been established, then the guest will acquire no additional rights to stay beyond that date so long as the hotel provides a written notice to depart at least one hour prior to required checkout on the last day of the stay.  Although not entirely clear, failure to give the notice to depart by the mandated date and time may result in the guest acquiring additional rights to a longer possession of the room.  

Hotels can take some practical steps to try to avoid the formation of a landlord/tenant relationship with their guests.  Establishing a definite termination date for the stay helps to defeat a presumption that the guest intends to “reside” at the hotel rather than merely stay there temporarily.  Documenting that the guest has another permanent residential address provides another piece of evidence that may be useful to defeat a claim of tenancy.  Some other best practices include:

• Do not permit guests to receive regular mail deliveries at the hotel;

• Do not agree with the guest to suspend room cleaning service or other activities that require entry into the room by the hotel and which thereby indicate that the hotel maintains control of the room;

• Avoid treating a long term guest differently than short term guests by agreeing to special rates and privileges or by foregoing any regular hotel policies or practices at the long term guest’s request;

• Charge and collect payment from the guest in the same manner as the hotel does for other guests;

• Refrain from providing long term guests with special facilities or amenities that are unavailable to shorter term guests; and,

• Reserve the hotel’s right to relocate the guest to another room at any time.

By developing these types of policies and procedures in dealing with long term guests, and by training hotel staff in how to follow them, hotels can minimize the possibility that someone will go to bed as a guest one night and wake up as a tenant the next morning.  

Sandy Garfinkel has a diverse litigation practice, which focuses primarily on business litigation with a particular emphasis in the hospitality industry.  He represents hotel and resort management companies, owners and developers in dealings and disputes involving franchisors, vendors and guests.  He also advises those companies concerning compliance with electronic data security laws and industry standards, and in responding to breaches of data security. Sandy may be reached at sgarfinkel@eckertseamans.com or 412.566.6868.

Eric Zagrocki is experienced in a broad range of real estate and corporate matters.  He concentrates his practice in the area of commercial real estate and has represented sellers, purchasers, developers, lenders, landlords and tenants in a wide variety of matters relating to the purchase, sale, leasing and finance of commercial real estate. Eric can be reached at ezagrocki@eckertseamans.com or 412.566.1987.

This article is intended to keep readers current on developments in laws impacting the hotel and hospitality industry, and is not intended to be legal advice.