Risk Management – HospitalityLawyer.com

How Business Travelers Can Guard Against Polluted Air

BCD Travel — Tue, 05 Nov 2019 16:00:39 +0000

Traveling for business means exposure to potential risks such as political unrest, terrorist attacks, medical crises—and air pollution. As outlined in BCD Travel’s Inform report, Air Quality and Business Travel, only half of the 100 most visited cities worldwide have clean air. Below are tips and tricks business travelers can use to guard against the harmful effects of air pollution.

Before you travel to a destination with unhealthy air pollution:

Familiarize yourself with your company’s virtual meeting capabilities. Maybe you can avoid a trip to a city with poor air quality.
Get to know your company’s travel policy on health and emergency plans.
Monitor the Air Quality Index, weather websites and local media to understand if the risk is particularly high during your stay.
Travelers with a medical history of lung or heart issues should be extra vigilant.
Discuss your planned trip with your doctor.
Carry appropriate medications, such as inhalers for asthma, as well as documentation. You may need a doctor’s letter to get the medicines through customs.
Research whether the air quality in your destination improves certain times of the year, and consider postponing your trip until pollution decreases.

During your business trip to a city with poor air quality

Exercise outdoors early in the morning to lower potential exposure to pollution.
Avoid high-traffic areas where pollution will be worst.
Use mass transportation and ride in enclosed cars.
Consider wearing a personal air quality monitor to assess risks in real time.
Opt for glasses, rather than contact lenses, to minimize eye irritation. Or pack plenty of saline solution.
Consider wearing a pollutant-filtering mask, such as an N95 respirator.
Watch out for repeated coughing, pain when taking a deep breath, tightness in your chest or wheezing. All can be signs that you’re overexposed to polluted air. If you have these symptoms, go indoors immediately.

Get your Travel Risk Survival Kit

Close the gaps between the safety support your business travelers want and what your corporate program provides. Our Travel Risk Survival Kit describes the hazards ahead and offers solutions for overcoming them.

Breathing easier on business trips

BCD Travel’s Inform report, Air Quality and Business Travel, educates corporate travel managers and travelers about bad air hot spots and offers practical tips for protection.

Download the full report

New Jersey Becomes First State To Require Panic Devices In Hotels

Fisher Phillips — Thu, 17 Oct 2019 16:00:07 +0000

New Jersey recently enacted legislation that requires hotels with at least 100 guest rooms to provide panic devices to certain employees. The purpose of the Panic Device Law is to protect hotel employees, often required to clean and cater to rooms on their own, from sexual assault, sexual harassment, and other unsafe working conditions. It also intended to empower hotel employees who may have previously felt helpless and reluctant to report inappropriate conduct due to concerns of retaliation from their employers.

While New Jersey is the first state to enact such a law, which will go into effect in January 2020, it follows a growing trend in cities throughout the country – particularly in Chicago, Miami, Sacramento, and Seattle – that have seen the passage of ordinances requiring panic devices for certain hotel employees, among other protections. Other cities, such as Las Vegas and New York City, have seen the introduction of panic devices in the wake of union negotiations. The introduction of panic devices will likely go beyond major metropolitan areas, however, as executives at some of the largest hotels have reportedly revealed their plans to provide panic buttons to their employees across the country by 2020.

If you have operations in New Jersey, you need to immediately familiarize yourself with this new law and take compliance steps. And if you don’t have operations in the state or one of the other areas with such a law, you should still be aware of this trend, as it not only presents some concepts for best practices in a hotel setting, but may soon arrive in your own area.

Coverage And Scope

The New Jersey Panic Device Law defines hotel to include not just hotels, but also inns, boarding houses, motels, and other similar establishments that offer and accept payment in exchange for rooms, sleeping accommodations, or board and lodging and that retain rights of access and control over their premises. Regardless of the type of “hotel,” the establishment must also have at least 100 guest rooms in order to be subject to the Panic Device Law. If your business has fewer than 100 guest rooms, compliance with the Panic Device Law is unnecessary.

The Panic Device Law defines an employee as one who performs housekeeping and room service functions on a full or part-time basis at a hotel for, or under the direction of, a hotel employer or any subcontractor of the hotel employer. The law therefore covers and protects hotel employees, contractors, and subcontractors, sweeping them together under an expansive definition of an employee.

The definition of an employer is as broad or broader and includes any person, including corporate officers and executives, who directly, through an agent, or another person (e.g., a staffing agency) employs or exercises control over a hotel employee’s wages, hours, or working conditions. Awareness of and compliance with the Panic Device Law is thus essential by directors, managers, supervisors, and anyone else who may exercise sufficient control over hotel employees.

Provision And Use Of Panic Devices

Employers of covered hotels must provide employees that work in a guest room by themselves with a panic device. Employers are prohibited from charging employees for the panic device and must purchase and furnish them at their expense. The Panic Device Law defines a panic device as a two-way radio or other electronic device that can be used by the employee to call for immediate assistance from a security officer, manager, supervisor, or other appropriate person.

Employees are permitted to use their panic device whenever they believe there is ongoing crime, an immediate threat of assault or harassment, or some other emergency in their presence warranting the use of their panic device. Once used, employees may stop their work and leave the area for safety and assistance.

Employers’ Duties When A Panic Device Is Used

Employers are forbidden from taking adverse action against an employee for using a panic device. After a panic device is used, aside from promptly responding to the call, employers must also:

Note an accusation against a guest to for “violence” – which is broadly defined to include sexual assault, sexual harassment, and other inappropriate conduct – toward an employee and put the guest’s name on a list and retain it for five years from the date of the reported incident, along with details of the accusation.
Report any alleged crime by a guest or other person to law enforcement and cooperate in any investigation by law enforcement.
Reassign the employee who activated the panic device to a different work area away from the accused guest’s room for the duration of the accused guest’s stay.
Notify employees assigned to a guest room where a reported incident has occurred of the presence and location of the accused guest named on the hotel’s list and provide them with the option of servicing the accused guest’s room with a partner or declining to serve the accused guest’s room for the duration of the accused guest’s stay.
If an employer later learns that the accused guest is convicted of a crime as a result of the activation of a panic button, the employer may prohibit the guest from staying at the hotel.

Programs For Employees

Employers must develop and maintain programs to educate employees about the use of panic devices and their rights in the event they use their panic devices. The programs should also encourage employees to use their panic devices. Written information may supplement, but not substitute, training programs for employees.

Information For Guests

Covered hotels must also inform their guests about panic devices in one of two ways. They may either require guests to acknowledge a panic device policy as part of the terms and conditions of checking into a hotel, or they may prominently place a sign on the interior side of guest room doors, in large font, detailing their panic device policy and the rights of their employees.

Collective Bargaining Agreements

The Panic Device Law provides a carveout for collective bargaining agreements. If a collective bargaining agreement addresses the issuance of panic devices to hotel employees or addresses employee safety in guest rooms and the procedures for reporting questionable conduct, the collective bargaining agreement controls and hotel employers are not required to provide panic devices to employees.

Penalties For Noncompliance

Hotel employers who fail to provide panic devices or respond as required when a panic device is activated are subject to fines of $5,000 for the first violation and $10,000 for each subsequent violation. The fines are recoverable by the Commissioner of the New Jersey Department of Labor and Workforce Development.

Next Steps For Employers

Covered hotel employers in New Jersey that are not governed by a collective bargaining agreement should begin taking steps to comply with the Panic Device Law and watch for regulations promulgated by the Commissioner, particularly since the Panic Device Law grants the Commissioner with the authority to develop regulations to facilitate its implementation.

Covered hotel employers should budget for panic devices and obtain a sufficient number of them, develop employee training programs, and update your terms and conditions or create signs for guest rooms regarding their panic device policies. Covered hotel employers should likewise review their handbooks and other policies to ensure cohesion with the Panic Device Law.

Hotel employers outside of New Jersey and cities with similar ordinances should be on the lookout for the adoption of similar panic device measures in their localities—or for their inclusion in collective bargaining agreements, if they are not there already. The more widespread introduction of panic devices seems all the more probable in the #MeToo era.

Impacts of Airline Failures on Travelers

Maxwell Leitschuh — Tue, 08 Oct 2019 16:00:08 +0000

The recent failure of the British holiday company Thomas Cook – which owned several airlines, including Thomas Cook Airlines (MT) – highlights how an airline’s financial distress and shutdown can cause serious disruptions for travelers. The scale and impacts of airline failures on travelers can vary depending on what steps the government in an airline’s home country is willing to take to assist affected travelers, but travelers can improve their chances of avoiding these challenging situations by knowing warning signs of an airline’s potential demise.

Signs of Airline Financial Trouble
The exact timing of an airline’s cessation of operations is very difficult to predict, but travelers can discern some obvious signs that an airline is in serious financial trouble. While almost all airlines experience financial losses periodically, reports of missed payments to suppliers or lessors, aircraft groundings, and airlines missing payroll are all indicators that an airline is undergoing severe financial distress that exceeds normal financial issues. Other signs that an airline’s future may be in jeopardy include financial problems with an airline’s parent company, the withdrawal of a major investor, or the breakdown of an attempt to sell the airline. It should be noted, however, that such issues do not indicate that an airline’s bankruptcy is inevitable, as some airlines have experienced these issues and recovered from their precarious financial situations.

Missed payments to suppliers, employees, lessors, and authorities are clear signs that an airline may not be able to maintain its operations. Ensuring such payments is a top priority for an airline’s leadership; missing payments can result in suppliers or airports denying service to an airline, which can cause flight cancellations and other operational disruptions. Lessors may also repossess aircraft from airlines that miss payments. If airlines fail to pay maintenance providers or become unable to afford spare parts, they may be forced to ground aircraft for safety reasons, another sign that an airline may be unable to continue operations for much longer.

Financial problems at an airline’s parent company or the withdrawal of a major investor can also jeopardize an airline’s operations. Notable examples of this trend include the shutdown of Belgian flag carrier Sabena (SN) in 2001 after its parent company Swissair (SR) collapsed, and the shutdown of major Australian carrier Ansett Australia (AN) in the same year amid financial challenges at parent company Air New Zealand (NZ). Air New Zealand ultimately survived the crisis, but Ansett did not. More recently, several subsidiaries of Abu Dhabi’s flag carrier Etihad Airways (EY) have experienced major financial difficulties as a result of their parent company’s challenges. While Etihad itself is highly unlikely to cease operations thanks to strong financial backing from Abu Dhabi’s government, its subsidiaries Darwin Airline (F7), Air Berlin (AB), Niki (HG), and Jet Airways (9W) have all ceased operations in the last three years after Etihad withdrew funding for the carriers.

Travelers should take special notice if an airline they are flying on stops selling tickets, or if a bid to secure a last-ditch loan or investment for the airline fails. While some airlines have gone through such situations and survived, most have ceased operations shortly afterward. Thomas Cook’s failure occurred immediately after a deal to secure additional investment in the company collapsed and the British government rejected the company’s bid for a last-second loan. French carrier XL Airways France (SE) announced Sept. 19 that it was suspending ticket sales; the carrier has indicated that it will cease operations in the coming days unless it can secure a rescue deal.

A country’s bankruptcy laws and a government’s ability to assist financially distressed airlines can also impact airline shutdowns. US law allows bankrupt airlines to continue operating without interruption while they reorganize. Many other countries, however, do not have laws allowing bankrupt businesses to continue operating. The lack of such a law in Switzerland played a major role in Swissair’s downfall in 2001. Some struggling airlines can also turn to their countries’ governments for assistance in maintaining operations in the face of financial challenges, especially if they are one of the country’s main airlines or are state-owned. Some governments, however, are unwilling or unable to assist ailing carriers. EU laws prohibiting governments from providing unfair aid to private companies have played a direct role in multiple airline shutdowns in the past two decades.

Operational and Travel Impacts of Airline Failures
The impacts of airline failures on passengers depend on how prepared authorities are for the shutdown. A well-organized civil aviation authority who is prepared for an airline to cease operations can often accommodate all passengers relatively quickly. An unexpected shutdown, however, can force passengers to fend for themselves, both for getting to their destinations and obtaining refunds for canceled flights.

Civil aviation authorities that know in advance an airline is likely to cease operations can provide significant assistance to passengers. The UK government was aware of Thomas Cook’s likely demise several days in advance and developed a plan to immediately assign almost all Thomas Cook passengers stranded abroad to alternative flights, including special charter flights that authorities had arranged in advance. The UK government followed a similar plan when Monarch Airlines (ZB) ceased operations in 2017. The German government took even more extreme steps when Air Berlin failed in 2017; the government provided the carrier with a loan that allowed it to continue operations for another two months before shutting down in a controlled manner. In cases where governments aid passengers after an airline ceases operations, most of a government’s efforts focus on repatriating passengers stranded abroad; such operations generally do not provide flights to passengers who have yet to start their trips.

Disorganized airline shutdowns can leave passengers on their own to arrange travel back home. When Spanish carrier Primera Air (PF) ceased operations in 2018, the carrier simply stopped all flights, withdrew all staff from airports, deactivated its email addresses and phone numbers, and told passengers to not contact the airline. Passengers who do not receive government-arranged flights after an airline shuts down should arrange alternative transportation as quickly as possible. Alternative flights tend to book quickly after an airline ceases operations, especially if the number of alternative flights is limited. In some instances, airlines will add extra flights or use larger aircraft to accommodate the surge in passengers from a competitor’s demise, but travelers should not count on this, especially in the first day or two after their carrier ceases operations.

A traveler’s ability to get compensation or refunds for their canceled flights after an airline ceases operation depends on local laws. Some airlines will offer passengers refunds immediately after they cease operations or offer to compensate a passenger for tickets bought on a different carrier. In some countries, however, passengers will simply become creditors for the bankrupt airline. In such instances, passengers generally are among the last to receive money from the sale of the bankrupt carrier’s assets, as secured creditors such as banks and other lenders receive priority over customers in most jurisdictions.

Looking Ahead
While the airline industry has experienced some of its most prosperous years, several large airlines have failed. As the global economic conditions that allowed airlines to thrive show signs of change, airline failures are likely to be more common, especially in several major markets including India, Indonesia, and Argentina. The more challenging economic environment, including rising oil costs and an increase in the number of low-cost carriers, is likely to put financial pressure on airlines. The impacts of airline failures can vary considerably depending on how authorities in the airline’s home country react.

About WorldAware
WorldAware provides intelligence-driven, integrated risk management solutions that enable multinational organizations to operate globally with confidence. WorldAware’s end-to-end tailored solutions, integrated world-class threat intelligence, innovative technology, and response services help organizations mitigate risk and protect their people, assets, and reputations.

Europe Seeing Increase in Climate Change Protests

Filip Stojkovski — Tue, 03 Sep 2019 16:00:34 +0000

Climate protests have gained traction in Europe in the past six months. Various eco-activist groups and individuals are protesting perceived inaction by governments and corporations to avert climate-related disasters. Eco-activists, including groups like Extinction Rebellion and Smash Cruises, have staged frequent and intensely disruptive actions throughout Europe in the past several months. These actions have disrupted ground and air transit routes throughout Europe but have so far remained peaceful. These groups are likely to continue to gain support in the coming months and may find individuals willing to engage in more disruptive and potentially violent actions in the medium and long term.

Background of Eco-activism

Mainstream climate activist groups like Greenpeace and more-covert groups like the Earth Liberation Front have been active for several decades. Their actions have included raising awareness, staging protests, disrupting fishing industries, and occasionally acts of arson. Climate activists have been generally committed to nonviolence and bottom-up change, especially because their ideas generally are well-accepted by the population and politicians in Western Europe and North America.

Contemporary Activism in Europe

New actors have emerged on the eco-activism scene over the past year in response to the increased visibility of climate change effects and a growing public perception that government responses are inadequate. These activists have, in a very short time frame, secured a large number of followers and brought substantial attention to the threats posed by climate change. Greta Thurnberg, a 16-year-old climate activist from Sweden, who began protesting outside the Swedish parliament in August 2018 to raise awareness on the need for immediate action to combat climate change, has over 2 million followers on Instagram and has attracted worldwide attention. Extinction Rebellion, a climate movement formed in October 2018, already has 250,000 followers on Instagram and has chapters all over the world. In the world of political activism on Instagram, this number of followers is significant, and has also grown rapidly; they have each amassed hundreds of thousands of followers in less than a year. This demonstrates interest among the population in following these types of accounts.

Both Thurnberg and Extinction Rebellion have directly or indirectly contributed to various climate activism actions. Students from across Europe, inspired by Greta, have protested every Friday since August 2018 under the motto “Fridays for Future” and gained traction when they skipped school for a day to take part in large demonstrations calling for action on climate change. Extinction Rebellion has staged disruptive actions in multiple counties, but primarily in the UK. The UK protests include blocking roads during rush hours and a demonstration in front of the Scottish Parliament when some activists chained themselves to street poles. Other, smaller grassroots organizations have undertaken similar actions. Smasscruiseshit, a small group of activists from Germany, used boats to block a large cruise ship in the port of Hamburg, Germany as they demanded curbs on the emissions caused by the cruise industry. Additionally, thousands in Venice protested the environmental damage caused to the Venetian lagoon by cruise ships.

So far, although disruptive, these actions have not caused significant property damage. Most of the actions are advertised on social media, which allows travelers to be warned in time to avoid disruptions. However, with momentum on the side of climate activists, actions are likely to become larger and more disruptive in the long and medium-term. This larger scale of action will likely cause it to be more difficult for travelers and businesses to avoid disruptive actions undertaken by climate activists.

Future of the Movement

Growing participation and frustration with the lack of results that peaceful activism is producing may undermine climate activism’s commitment to non-violence. The central grievance of many climate activist groups, the notion of a climate catastrophe that could result in food shortages, drought, and tens of millions of ecological refugees, has strengthened and encouraged the activists’ perceived need to act attention and more visibility. This resolve could lead eco-activists to undertake more drastic actions such as engage in sabotage, arson, and usage of improvised explosive devices against governments and large corporations, especially corporations that cause significant pollution and or contribute to the perceived climate catastrophe. More radical elements of the climate activism movement would commit to these sorts of attacks to draw more attention and visibility to their cause. Such attacks would become more likely if demands for more climate protection are not met. Travelers should avoid all protests as a routine security precaution and to mitigate associated disruptions. Those in the Europe should follow alerts for demonstrations and activities that might cause disruptions to supply chains. It would also behoove companies to monitor disruptive climate activism events in countries where they have assets.

Risk Mitigation Measures for LGBTQ Personnel

Katherine Harmon — Thu, 01 Aug 2019 16:00:01 +0000

Discussing sexually sensitive subject matter with students or employees ensures their awareness of and mitigates associated risks. Different countries present different societal attitudes on issues such as public displays of affection, projection of sexuality in dress and mannerisms, and LGBTQ concerns; traveler safety and health depend on those travelers receiving accurate and timely information about their destination. As a result, travel and risk managers need to be comfortable having a conversation with their travelers that involves human sexuality. These conversations must be handled delicately to avoid violating privacy, causing offense, or being insensitive to private issues. That said, there are compelling global security and health concerns that make this aspect of duty of care imperative for organizations.

Start the Conversation
The reality is that many areas of the world still heavily discriminate against the LGBTQ community and criminalize expressions of sexuality. Travel and risk managers do not necessarily need to know the sexual preferences or sexual identities of their travelers to counsel them about the cultural and societal attitudes present at their destinations. Presenting a comprehensive overview in a matter-of-fact manner can side-step the need to pry into a person’s personal life while also setting up an environment conducive to deeper conversations and questions as necessary.

Understand LGBTQ Health Risks
Healthcare options may be especially limited for transgender individuals, who may need specialty medical care at their destination. These individuals may struggle to find needed medications or obtain a refill should they run out. Anti-hormone transition drugs suppress levels of testosterone to allow estrogens to take prominence but may have adverse effects on the heart. LGBTQ individuals may encounter challenges finding medical care and may be dissuaded from providing a complete medical history in areas that present a high threat for LGBTQ patients.

Most countries restrict the amount of medication travelers can enter with according to the length of the stay. In many instances, a maximum of 90 days of prescription medication may cross borders.

For expatriates, having a doctor’s note on letterhead, with the patient’s full name, medication name, dosage, and reason are required for refills and importation of prescription medication to many countries. The reason (diagnosis) may be especially challenging if traveling to a conservative country with a known low tolerance for the LGBTQ community and may present security challenges.

Surgery of any kind increases the risk of blood clots during flight. LGBTQ patients who have recently undergone surgical procedures should ensure adequate time between surgeries and flights. Some hormone therapies (especially estrogens) also place patients at risk for deep venous thromboses (DVT): blood clots that form in the legs and may become life-threatening if the clot or part of the clot travels to the lungs.

In more socially liberal countries, unconscious bias from healthcare workers may lead to substandard care. LGBTQ individuals need to be prepared to encounter these attitudes and be able to advocate for their care and proper treatment. Risk managers and travelers should research cultural tolerances and potential biases to determine if an advanced arrangement with a “preferred” treatment center is necessary.

Key Takeaways
Ensuring the safety of your LGBTQ personnel and students starts with a conversation. Transgender travelers require a duty-of-care policy that helps them prepare for the challenges they may face abroad. Ensuring the safety and health of these unique travelers is a corporate responsibility.

Developing a New Approach to Harassment Prevention in the Era of #MeToo

Samuel Lillard — Tue, 30 Jul 2019 16:00:49 +0000

Based upon 25 years of litigating harassment claims, and more than 20 years of training managers on harassment avoidance, I have reached a simple, and perhaps obvious, conclusion – that is, the “traditional” anti-harassment training used by most employers simply do not work. Whether training occurs online or in person, it almost always starts with a legal definition, a discussion of the different types of harassment, and ends with various “common” scenarios for employees to ponder. Despite providing such training year in and year out:

in the last 10 years, Title VII filings involving harassment have increased by nearly 700%;
nearly 50% of women report experiencing some form of harassment at work at least once;
according to a recent NY Times poll, nearly 1/3 of men reported doing something at work within the past year that would qualify as objectionable behavior or harassment; and
on October 15, 2017, Alyssa Milano tweeted a request to reply if you have been sexually harassed or assaulted, and she received over one million mentions – by the next day.

And one can hardly forget the steady stream of business executives, entertainment moguls, and political leaders scandalized their organizations with outrageous details of men behaving badly. So where have employers, and those who work with them to get it right, gone wrong? Why are the herculean efforts of HR departments calming the rising tide of harassing behavior?

The answer is that we are focusing too much on what not to do under the law (and what we have to do to have a potential defense to liability), rather than providing employees and their managers with tools on how to create positive work relationships and foster psychological safety in their work groups. To be sure, harassing behavior is more than the product of a bad employee; it is symptomatic of a toxic work environment. In such environs we often find:

An obsession with making the numbers, where outcomes are uncritically adopted;
Recruitment, promotion, and reward systems focus on individuals’ “strength of personality” or interpersonal aggressiveness while ignoring emotional intelligence;
Short-term planning governs operations;
Executives give higher priority to personal friendships than to legitimate business interests; and
Fear is a dominant, desired workplace emotion, whether deliberately engineered or inadvertently created.

Although there can be much discussion on the cultural causes of sexual harassment, what is clear is that workplace harassment allowed to ferment is the source of serious liability to business. It can be a sales dropping, share price lowering, brand tarnishing business killer. The #Metoo movement is a paradigm shift and call for a new approach to tackle this problem.

The good news is that we have a number of innovators who are solving parts of the problem, and their work can be brought together to form a new training regime that works to prevent harassment. I commend to you Professors Christine Pearson and Christine Porath and their work, “How incivility is damaging your business and what to do about it.” Leonardo Inghilleri’s work on training empathic skills to hospitality employees, and of course Google’s Project Aristotle and its steps for developing effective teams.

So, what is working? Training that includes protocols which teach employees and more importantly managers on how to foster good working relationship in their workgroups. We recommend revamping sexual harassment avoidance training to include 6 protocols.

Developing an employee “how can I help you” culture;
Techniques to project empathy or at least the appearance;
Routine steps to handling any employee concern;
Managing the unexpected;
Using the most respectful language possible with random acts of kindness; and
Bystander training.

A prevention program built around these principles will help employers to do more than just comply with the law – it will reinforce the notion that everyone plays a critical role in preventing workplace harassment (or any other kind of misconduct for that matter) and creating a successful workplace culture. It will also empower employees with the tools to step in and stop it. These, in turn, will help employers to achieve their business goals – from decreasing harassment occurrences to improving performance and morale. It is hard to argue against such benefits. It is clear, change is rapidly occurring and this next generation workforce is not silent.

Hospitality Cyber Threats Are Alive & Well – Lessons From Recent Incidents

Sandy Garfinkel — Tue, 16 Jul 2019 16:00:33 +0000

The data incident involving the Starwood guest database was one of the most significant data security incidents in recent years. Publicly announced on November 30, 2018, the details revealed in the days and weeks following the announcement contain some striking reminders and new lessons for the hospitality industry. Here are some of the key facts of the incident:

Marriott acquired Starwood in September of 2016, but Marriott continued to operate Starwood’s guest database separately from Marriott’s until a few weeks after the breach incident was announced.
The unauthorized intrusion into Starwood’s database occurred in 2014, but was not discovered by Starwood nor by Marriott later during the course of its acquisition of Starwood.
The guest information compromised in the incident included name, address, phone number, email address, passport number, preferred guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preference, and in some instances, payment card numbers and expiration dates. It was ultimately reported by Marriott’s forensic assessment provider the 383 million records were affected.

These facts underscore several crucial considerations for hotel companies regarding how guest data is collected, secured and retained. Some of these considerations aren’t ones that our industry normally associates with data security concerns. Here are some of the key takeaways:

Data Security/Privacy is a Critical Due Diligence Consideration. In any merger or acquisition there are due diligence checklist items for the surviving entity. In the case of the Marriott/Starwood transaction the security breach of Starwood’s database was not discovered prior to closing, but had it been, the implications for the deal could have been extremely significant. At the very least, action could have been taken to remediate the compromise at that time. In this day and age, cyber due diligence should be part of any merger or acquisition.
Retention of Large Amounts of Personal Information Carries Risk. Personal data is valuable for many reasons, but that value has to be balanced against the risk that accumulated caches of personal data become rich targets for data thieves. For example, there were over 5 million unique unencrypted passport numbers and more than 20 million encrypted passport numbers that were compromised over the course of the Starwood data incident. The value to Starwood and Marriott of retaining that passport information is unclear, but the liability of replacing more than 25 million passports is enormous.
With GDPR and CCPA, the Definition of Protected Data Has Expanded. Before the effective date of the General Data Protection Regulation (GDPR) in May of 2018, most of the data involved in the Starwood incident would not have enjoyed any special protection. Under U.S. state law in most jurisdictions, even today, a person’s name, address, phone number, and email address are not considered Personally Identifiable Information or “PII.” However, GDPR and the new California Consumer Privacy Act (CCPA) (effective January 1, 2020) have greatly expanded the scope of protected personal data to include virtually any item of information that can be used to identify an individual. A name, address, phone number or e-mail address are indisputably “personal data” under the GDPR.
Guest Reservation Systems Are Vulnerable On Both Ends. In branded hotels, franchise agreements always require that the hotels utilize the brand’s reservation and management system, including brand-mandated hardware, software, portals and connections. This arrangement gives data thieves multiple targets from which to select when seeking to steal guest information. The Wyndham data incident of 2008/2010 was the first notable attack on a brand’s central guest information database. While most hotel guest information data incidents in the past decade have occurred at individual hotels or discrete groups of properties, the Starwood incident proves that a brand’s guest information database is still vulnerable.

2018 also saw a rash of low-tech social engineering attacks against individual hotels, and this type of attack has continued into 2019. Criminals commence these attacks by posing as brand systems support personnel and making phone calls to hotel employees. The employees are asked to provide their login credentials for the reservation management system.

Cybercriminal: Hello, I’m calling from [brand] system support. We’re having difficulty with the reservation process on your end, and we need to check it. Can you please log in for me?
Employee: Sure. [Logs in]
Cybercriminal: We’re still having an issue. Can you please give me your username and password so I can try it on our end.
Employee: No problem. My username is … and my password is …

Using the stolen credentials, the criminal remotely accesses the reservation management system and retrieved information about recent guest bookings, including guest names, addresses, phone numbers, reservation dates, and partial payment card information. Although the systems typically show only partial credit card number, in some cases the criminals are able to unmask the obscured numbers.

The criminal then calls guests with future reservations:

Cybercriminal: Hello, I’m calling from [hotel name] regarding your reservation from to [check-out date]. We’re having a problem processing your credit card. The last four numbers are [XXXX]. Could you please provide me with your full credit card information, including security code, so we can get that taken care of.

Because the criminal has accurate information about the reservation, the guest is more likely to fall for the scam. Once the guest has supplied the card information, the criminal quickly racks up fraudulent charges. Fortunately, most guests don’t trust these calls, but they are bad for the reputation of the hotel and brand. Depending on what information is exposed, the unauthorized access to the reservation management system may legally be considered a data breach that requires notification to affected individuals and regulators.

To help protect your organization from these types of social engineering attacks:

Change employee passwords at frequent intervals.
Alert employees to this type of attack and train them in how to respond.
If possible, implement multi-factor authentication for any access to the reservation management system.
Audit which employees have access to the reservation management system and disable access for employees who have no business need for it, including employees who have been terminated or who have changed roles.
Protect partial payment card information so obscured numbers can’t be unmasked.

This article is part of our Conference Materials Library and has a PowerPoint counterpart that can be accessed in the Resource Libary.

HospitalityLawyer.com® provides numerous resources to all sponsors and attendees of The Hospitality Law Conference: Series 2.0 (Houston and Washington D.C.). If you have attended one of our conferences in the last 12 months you can access our Travel Risk Library, Conference Materials Library, ADA Risk Library, Electronic Journal, Rooms Chronicle and more, by creating an account. Our libraries are filled with white papers and presentations by industry leaders, hotel and restaurant experts, and hotel and restaurant lawyers. Click here to create an account or, if you already have an account, click here to login.

Travel Risk Mitigation

Dale Buckner — Tue, 02 Jul 2019 16:00:27 +0000

BUSINESS TRAVELER OVERVIEW

SAFETY AND SECURITY
Global Business travelers may enjoy the fact that the hotel provides a complimentary breakfast and reliable Wi-Fi, but what they value most is a better sense of security when they travel on behalf on their organizations, according to a joint survey conducted by American Global Business Travel and the Association for Corporate Travel Executives. Security and safety concerns are growing at a significantly faster rate than worries about other topics including work-life balance issues, traveler-centric technologies and alternative suppliers.

DUTY OF CARE
There is also a growing awareness on the part of organizations in the United States of the legal, moral and ethical obligations they owe their employees under the complex and sometimes vague principles of Duty of Care. Corporate security, travel managers, human resources, and other key stakeholders must understand the notion of Duty of Care in the context of business travel in order to ensure that their companies are making reasonably informed, good faith, rational efforts to protect their employees as they travel.

The elements of a comprehensive traveler safety program that meets Duty of Care best practices will vary among organizations, depending on size, number of traveling employees, destination risk ratings, medical concerns and a variety of other topics. However, there are elements of a successful program that apply to every organization.

BEST PRACTICES
Key stakeholders within the organization must meet on a regularly-scheduled basis to examine existing travel polices to determine if any improvements need to be made. A thorough examination of the plans may reveal vulnerabilities, including resource gaps. In some cases, plans may need to be expanded. Other companies may lack any substantial travel safety procedures, and entirely new plans must be developed. Plans and policies should cover both routine travel and emergency incidents, including accidents, medical emergencies, natural disasters, emergency evacuations, and violent incidents.

The ability to track personnel as they travel is another vital component of the traveler safety program. Many travel management programs rely on multiple third-party Company Managed Travel Providers (CMTP) to book travel and provide situational awareness of employees. A common problem with this system is that it only tells the company where the employee is supposed to be, not where they are. Travelers are often forced to make last-minute changes to their itinerary, and will often book their own travel, without notifying the CMTPs of the changes. Providing the traveler with a GPS-based personnel tracking system may be an option for those companies looking for a more effective way to maintain accountability of their travelers.

A risk assessment should be conducted prior to every trip, regardless of destination. The assessment should not focus solely on the country’s Risk Rating. As attacks in the UK, Belgium, France, Canada and the United States have shown, all countries are susceptible to acts of violence, not just those with a High or Elevated Risk Rating. Additionally, definitively assigning a Risk Rating can be difficult, as risk is largely based on individual perspective and context. Employees should be encouraged to take an active role in the risk assessment and travel planning process so that they fully understand any known or suspected risks associated with their destination. Providing education and training to employees is another critical component of the system.

The purpose of the training program is to develop the employee’s skills and knowledge, so they can perform their duties with minimal or no interruptions because of risk, security or medical-related issues. Providing training to employees empowers them to make informed decisions regarding their personal security and safety, helping keep them safe while adding another layer of liability reduction for the company. Elements of a successful training program include general traveler safety and security information, conflict avoidance and response, emergency planning, and worst-case scenario procedures.

Should all mitigation efforts prove unsuccessful, and a traveler is involved in a critical incident, a comprehensive safety system helps ensure that they are provided with timely support and realistic options that work to minimize harm and distress, provide critical support, and brings the employee home safely. The ability of the organization’s Crisis Management Team to move quickly to provide support such as personnel accountability, crisis notifications, and the activation of emergency response systems such as medical support and evacuation cannot be overstated.

GLOBAL GUARDIAN SERVICES OVERVIEW
MEMBERSHIP OVERVIEW
Global Guardian utilizes a subscription-based pricing model. Clients pay an annual membership fee to have Global Guardian as their designated travel security and duty-of-care provider and to access its 24-hour Operations Center, team of security advisors and intelligence analysts, global tracking and monitoring platform, network of highly-vetted security providers, and comprehensive suite of security, medical, and aviation services. This subscription also includes all of Global Guardian’s non-custom and basic travel intelligence products and emergency incident notifications.

GLOBAL TRACKING AND MONITORING
Global Guardian tracks and precisely locates clients anywhere in the world. The company uses special purpose cellular and satellite tracking beacons and smartphone applications that provide real-time GPS position information for clients, allowing them to call for immediate assistance in the event of an emergency. Linked to an extensive network of highly skilled in-country security teams, Global Guardian’s 24-hour Operations Center monitors clients as they travel and can direct security assets to respond as needed in real-time. Global Guardian also monitors local and regional current events and provides clients with information about their security and safety situation while they travel.

EMERGENCY RESPONSE
Global Guardian maintains emergency security response teams in over 91 countries. These teams are notified to the presence of client travelers in their area and stand by to respond immediately to address client emergencies. All support is coordinated and closely directed by Global Guardian’s 24-hour Operations team to ensure rapid and high-quality response to a wide range of potential situations.

INTELLIGENCE SUPPORT
Global Guardian provides its clients with detailed travel intelligence products, real-time security alerts, and highly customized intelligence and due diligence products in support of any unique information requirement. Non-customized support and security incident alerts are included in the proposed package.

GLOBAL GUARDIAN AIR AMBULANCE – AIR MEDICAL TRANSPORTATION AND REMOTE MEDICAL SUPPORT
Global Guardian Air Ambulance, a division of Global Guardian, provides its clients with best-in-class air medical transportation
membership programs. These programs provide true no-cost air medical transportation to members who are injured or become ill while traveling. Unlike insurance, members have no deductibles or no claims forms, are not subject to complex restrictions for use and choose their US or Canadian destination hospital.

Global Guardian also provides emergency medical support through board certified, US-based emergency physicians that are available around-the-clock to travelers through the Global Guardian Operations Center. These physicians conduct remote diagnosis and ongoing treatment management of travelers’ injuries or illnesses, and direct patients to vetted local medical facilities as needed.

GLOBAL TRANSPORTATION AND SECURITY SERVICES
Global Guardian offers a full range of personnel-based security support to its clients. Such support includes secure transportation, security agents, full-scale executive protection details, and event and facility security management. All services are fully customizable to meet client need and are closely coordinated by Global Guardian’s 24-hour Operations Center at-all-times.

EMERGENCY AND CUSTOM AVIATION
Global Guardian supports its clients with comprehensive customized aviation capabilities. Be it for emergencies or customized specialty aviation needs, Global Guardian’s aviation team can access a wide range of aircraft operating around the globe to ensure the right assets are available when needed.

PHYSICAL, CYBER SECURITY, COUNTER INDUSTRIAL ESPIONAGE ASSESSMENTS, POLICY DEVELOPMENT AND TRAINING
Global Guardian provides detailed physical and cyber security and vulnerability assessments, security and travel safety policy
development, and highly customized training programs for its clients.

Facility assessments are conducted domestically and abroad and are aimed at helping clients identify threats to their employees and operations. Such assessments are often paired with cyber evaluations of client site network security. Following an on-site assessment, Global Guardian prepares comprehensive deliverables detailing its findings and makes recommendations for how best to strengthen the security culture and physical and cyber infrastructure on site. Global Guardian can then assist in implementation of those recommendations.

One of the most common recommendations is the improvement or whole-cloth development of security and travel safety policies in support of a client’s workforce. If requested, Global Guardian’s team will work closely with to determine its objectives in policy work, and craft highly customized products that exactly mirror its requirements and corporate culture.

Lastly, no facility security plan nor safety policy is complete without some measure of training on how that plan and policy are implemented. As with its policy development work, Global Guardian prepares and executes highly customized training programs closely tailored to client objective and culture. Such courses include general travel safety, active shooter preparedness, and policy specific training.

GLOBAL GUARDIAN SENTRY – VIDEO SURVEILLANCE MONITORING
Global Guardian Sentry, a division of Global Guardian provides video monitoring and Virtual Guard services in support of client facilities, operations and residences. Global Guardian’s 24-hour Operations Center is staffed with highly trained surveillance analysts who can assess potential threats and respond in real-time to minimize unauthorized activity at client sites. Specific services include event driven, interactive video monitoring, active threat emergency response monitoring, and virtual guard tours. On request, Global Guardian will conduct no-cost testing of any existing camera systems to ensure compatibility and then provide facility specific service options and pricing.

This article is part of our Conference Materials Library and has a PowerPoint counterpart that can be accessed in the Resource Libary.

Repeat Offenders: Commonly Cited OSHA Standards in the Hospitality Industry & How to Avoid Them

Aaron Gelb — Sat, 29 Jun 2019 16:00:04 +0000

The law has always been clear that there is no statutory limitation on the length of time that a prior OSHA citation may serve as the basis for a Repeat violation. OSHA historically looked back only three years for past violations, but the Obama Administration extended it to five years. However, the look back period is merely a policy that OSHA does, from time to time, ignore when it suits its agenda. Indeed, the language in the Field Operations Manual, regardless of the stated time period has always qualified that it is not a rigid deadline:

Although there are no statutory limitations on the length of time that a prior citation was issued as a basis for a repeated violation, the following policy shall generally be followed.

Extending the look back period policy was just one of several actions OSHA took early during the Obama Administration to deliberately seek and cite more Repeat violations. David Michaels, Obama’s Assistant Sec’y of Labor for OSHA, complained frequently that OSHA’s enforcement teeth were not sharp enough. Without being able to change OSHA’s civil penalty authority, OSHA changed numerous policies and practices with the specific intent to find and cite more Repeat violations, because Repeat violations carried 10 times higher penalties than Serious and Other-than-Serious violations. In other words, finding ways to characterize more violations as Repeat was a way to raise OSHA penalties without being granted any new authority from Congress—so that is precisely what OSHA did.

In addition to expanding the look-back period to 5 years, the Obama Administration’s OSHA also broke down barriers between individual establishments, so that a violation at one location of a multi-establishment company could be used as the basis for a Repeat violation at any other location in fed OSHA state within that organization. OSHA also became more proactive in how it selected targets for inspections, which made it more likely for an employer to be visited multiple times during the look-back period.

Those policies were “successful,” in that the percentage of OSHA violations characterized as Repeat doubled during the Obama Administration. Citations characterized as Repeat now make up more than 5% of all OSHA citations.

That trend continued even after Congress gave OSHA new penalty authority, increasing the max price tag for a Repeat violation from $70,000 per violation to approx. $130,000. As a result, we are seeing more $100K+ and $1M+ OSHA enforcement actions than ever before.

In light of OSHA’s Repeat violation philosophy, particularly in the context of the Second Circuit’s ruling in the Triumph case, employers need to be extra vigilant in defending against initial citations if the cited standard presents a risk of future Repeat violations, even if the initial penalty is very low. Paying the fine for a Serious or Other-than-Serious citation today may seem like no big deal if it carries a relatively small fine, but if can easily lead to a Repeat citation in three or four years (or eight years now that OSHA knows its look-back period is unlimited) could turn that initial violation into a costly burden.

Employers also need to understand the numerous other ways that Repeat violations can harm employers beyond just the 10x higher penalties. First, even under the Trump Administration, OSHA is continuing to issue inflammatory and embarrassing press releases about OSHA citations in significant cases, which includes most enforcement actions involving Repeat violations. So reputational harm can come to an employer just for being alleged to have committed a Repeat violation. Worse still is falling into the dreaded Severe Violator Enforcement Program (SVEP). The qualifying criteria for SVEP include Repeat and Willful violations in certain categories, but the data shows the vast majority of employers “sentenced” to SVEP are there because of Repeat violations.

Even more reason to fight the initial violation, regardless how low that initial penalty may be.

Finally, a Repeat citation could increase insurance premiums and disqualify contractors and subcontractors from government and private contracts. There are potentially costly consequences for accepting a citation that has a high potential to become a Repeat citation. Therefore, employers should strongly consider contesting OSHA citations if a settlement cannot be reached that mitigates the risk of future Repeat violations.

Contesting a citation, however, is a post-hoc solution. The best way to avoid a Repeat citation is to understand the hazards most commonly found in your workplace, develop a program to regularly inspect for and correct them, and track your efforts to comply the applicable requirements.

In the hospitality industry, the most frequently cited OSHA standards include Hazard Communication, Electrical Safety, Wiring Methods and Components, Lockout/Tagout, Fire Extinguishers, Respiratory Protection, Walking/Working Surfaces, Bloodborne Pathogens, Protective Equipment, and Exit Routes.

OSHA Penalties
Below are the maximum penalty amounts adjusted for inflation as of Jan. 23, 2019. (See OSHA Memo, Jan 23, 2019).

Type of Violation	Penalty
Serious Other-Than-Serious Posting Requirements	$13,260 per violation
Failure to Abate	$13,260 per day beyond the abatement date
Willful or Repeated	$132,598 per violation

State Plan States
States that operate their own Occupational Safety and Health Plans are required to adopt maximum penalty levels that are at least as effective as Federal OSHA’s.

This article is part of our Conference Materials Library and has a PowerPoint counterpart that can be accessed in the Resource Libary.

Avoiding a Foodborne Fiasco

Rimkus Consulting Group — Tue, 25 Jun 2019 16:00:29 +0000

Introduction

The Centers for Disease Control and Prevention estimates that 48 million people or 1 in 6 Americans experience a foodborne illness every year as a result of consuming contaminated food or drink and roughly 128,000 people in the US are hospitalized due to foodborne illness. There are many different pathogens or disease causing microbes that can cause illness. Currently, there are 250 known pathogens that are responsible for 20% of the reported foodborne cases and the root cause of the remaining 80% of all cases are many unknown pathogens. Additionally, chemical contaminates such as pesticides can cause foodborne illness. In the US, the top five pathogens that cause foodborne illnesses are norovirus (58%), salmonella (10%), Clostridium perfringes (10%), and campylobacter (9%). However, salmonella infections are responsible for the most hospitalizations and for the most deaths out of any of the foodborne pathogens.

What is a Pathogen?

Foodborne pathogens can cause several different types of illness. Salmonella and noroviruses can cause illness by consumption of live pathogens that replicate and grow in the intestinal tracks which is called a foodborne infection. An organism like Bacillus cereus (a pathogen found in rice and grains) can cause illness through foodborne intoxication through the production of toxins and the live bacteria does not need to be consumed. These microorganisms typically do not make the food look, taste or smell bad so it impossible to determine if the food is contaminated.

For a pathogen to grow and proliferate, certain conditions must be met. The first one condition is that the pathogen or its toxin must be in the food. Many raw foods have naturally occurring background levels of pathogen contamination. These pathogens can thrive when the temperature and the nutrients are suitable for the pathogenic growth. Foods that are high in protein such as eggs, meat, fish, and milk can provide appropriate nutrient levels for pathogens. Additionally, foods that are slightly acidic (pH levels 4.6-7.6) also support microbiological growth. Additionally, foodborne pathogens grow best in foods that have a temperature of 70-104° F. It is essential that hot foods must be kept hot and cold foods must be kept cold to prevent growth. Common food service foods that have a higher risk of foodborne illness are rice, cooked or raw animal products, cooked or raw vegetables, raw seed sprouts, raw shell eggs or water cooled hard boiled eggs, cut melons, and garlic and oil mixtures.

Once a pathogen has been allowed to proliferate in a food, foodborne illness can set in following consumption of the contaminated food. Most foodborne illnesses can occur with 2-24 hours following consumption of the contaminated food but symptoms have been reported as far out as 30 days post-contaminated food consumption. The time of onset of foodborne illness symptoms can be pathogen dependent. The most common symptom is diarrhea but symptoms can include vomiting, cramping, fever, and flu like symptoms.

Prevent the problem before it happens

To avoid potential problems in foods, it is very important to control or eliminate pathogens in food products. HACCPS or hazard analysis and critical control points are your quality assurance and risk assessment steps. They include coming up with preventative measures; evaluating critical control points and preventing, eliminating or reducing risk; evaluating and establishing critical limits such as cooking temperatures; monitoring CCP’s with temperature measurements; corrective action; record keeping systems; and verification.

SOPs and employee education are essential in preventing foodborne illnesses. The SOPs should address everything from where the product can be ordered from to how it is received, how it is stored, how long it is stored, how it is prepared, where it is prepared, by whom it is prepared, how it is transported and how it is served. Comprehensive SOPs go a long way to not only preventing foodborne illness, but also defending claims. However, that is only if they are adhered to. Employee training should be conducted on a continuous basis and management should continually verify SOPs are being followed. There are also several training certifications in food handling such as those offered through ServSafe and Learn2Serve. These can be done online and provide management with valuable education in developing safe food handling protocols.

Summary

While a foodborne illness outbreak can be devastating to a restaurant there is no restaurant that in a single night can serve as many individuals as a hotel during a large conference banquet or buffet. Many foodborne illness claims originate from that exact setting. Often times there are numerous individuals who become ill. The assumption is that there must have been some adulterated food item they all consumed that made them sick. It could not possibly be a coincidence… but it could be something other than a foodborne illness! Reaction time and record keeping is crucial in defending these claims.

This article is part of our Conference Materials Library and has a PowerPoint counterpart that can be accessed in the Resource Libary.

Authors

Allison Stock – Principal Consultant/Toxicologist & Epidemiologist, Rimkus Consulting Group
astock@rimkus.com
504-832-8999

Dr. Allison Stock is an internationally known toxicologist and epidemiologist with 25 years of toxicological, epidemiological, regulatory, and environmental experience. Her background is supported by experience in the federal and state government and industry (small and Fortune 500 companies).

Dr. Stock specializes in human health risk assessments combing both toxicological and epidemiological data. She has expertise in petrochemicals, oil and gas, environmental permitting, property transfer, environmental, social, and health impact assessments, inhalation toxicology, renal toxicology, toxicological and epidemiological risk assessment, communicable and foodborne illnesses such as Legionellosis, E. coli infections, and Salmonellosis, rapid needs assessments, emergency response, ambient and indoor air exposure assessments including mold, particulate matter, and asbestos, occupational health and safety plans, drug and alcohol intoxications, and stakeholder communications.

Kari Jacobson – Shareholder, La Cava & Jacobson
kjacobson@lacavajacobson.com
(813) 209-9611

Kari Katzman Jacobson is a shareholder of La Cava & Jacobson, P.A. Born in Miami, Florida in 1967 she graduated from the University of Florida with a B.A. in 1989 and from the University of Miami School of Law with a J.D. in 1992. Ms. Jacobson began her career as a prosecutor, and then went on to defend self-insured companies, insurance companies and those whom they insure.

Ms. Jacobson was admitted to The Florida Bar in 1992 and has been admitted to the U.S. District Court, Middle District of Florida since 1994. She is a member of The Florida Bar Association; American Bar Association, Hillsborough County Bar Association, Collier County Bar Association and the Claims and Litigation Management Alliance. She is also a member of The Federation of Defense & Corporate Counsel. She is A.V. Peer Review Rated by Martindale-Hubbell.

Ms. Jacobson is certified by the Florida Supreme Court as a Circuit Civil Mediator. Her practice is primarily concentrated in the areas of general liability, premises liability, negligent security, construction litigation, professional liability, trucking and commercial freight defense litigation claims.