Technology – HospitalityLawyer.com (https://pre.hospitalitylawyer.com): Worldwide Legal, Safety & Security Solutions. Feed last built Wed, 17 Jul 2019 00:23:33 +0000.

Hospitality Cyber Threats Are Alive & Well – Lessons From Recent Incidents
https://pre.hospitalitylawyer.com/hospitality-cyber-threats-are-alive-well-lessons-from-recent-incidents/
Published Tue, 16 Jul 2019 16:00:33 +0000

The data incident involving the Starwood guest database was one of the most significant data security incidents in recent years. Publicly announced on November 30, 2018, the details revealed in the days and weeks following the announcement contain some striking reminders and new lessons for the hospitality industry. Here are some of the key facts of the incident:

  • Marriott acquired Starwood in September of 2016, but Marriott continued to operate Starwood’s guest database separately from Marriott’s until a few weeks after the breach incident was announced.
  • The unauthorized intrusion into Starwood’s database occurred in 2014, but was discovered neither by Starwood nor by Marriott during the course of its acquisition of Starwood.
  • The guest information compromised in the incident included name, address, phone number, email address, passport number, preferred guest account information, date of birth, gender, arrival and departure information, reservation date and communication preference, and in some instances, payment card numbers and expiration dates. It was ultimately reported by Marriott’s forensic assessment provider that 383 million records were affected.

These facts underscore several crucial considerations for hotel companies regarding how guest data is collected, secured and retained. Some of these considerations aren’t ones that our industry normally associates with data security concerns. Here are some of the key takeaways:

  1. Data Security/Privacy is a Critical Due Diligence Consideration. In any merger or acquisition there are due diligence checklist items for the surviving entity. In the case of the Marriott/Starwood transaction the security breach of Starwood’s database was not discovered prior to closing, but had it been, the implications for the deal could have been extremely significant. At the very least, action could have been taken to remediate the compromise at that time. In this day and age, cyber due diligence should be part of any merger or acquisition.
  2. Retention of Large Amounts of Personal Information Carries Risk. Personal data is valuable for many reasons, but that value has to be balanced against the risk that accumulated caches of personal data become rich targets for data thieves. For example, there were over 5 million unique unencrypted passport numbers and more than 20 million encrypted passport numbers that were compromised over the course of the Starwood data incident. The value to Starwood and Marriott of retaining that passport information is unclear, but the liability of replacing more than 25 million passports is enormous.
  3. With GDPR and CCPA, the Definition of Protected Data Has Expanded. Before the effective date of the General Data Protection Regulation (GDPR) in May of 2018, most of the data involved in the Starwood incident would not have enjoyed any special protection. Under U.S. state law in most jurisdictions, even today, a person’s name, address, phone number, and email address are not considered Personally Identifiable Information or “PII.” However, GDPR and the new California Consumer Privacy Act (CCPA) (effective January 1, 2020) have greatly expanded the scope of protected personal data to include virtually any item of information that can be used to identify an individual. A name, address, phone number or e-mail address are indisputably “personal data” under the GDPR.
  4. Guest Reservation Systems Are Vulnerable On Both Ends. In branded hotels, franchise agreements always require that the hotels utilize the brand’s reservation and management system, including brand-mandated hardware, software, portals and connections. This arrangement gives data thieves multiple targets from which to select when seeking to steal guest information. The Wyndham data incident of 2008/2010 was the first notable attack on a brand’s central guest information database. While most hotel guest information data incidents in the past decade have occurred at individual hotels or discrete groups of properties, the Starwood incident proves that a brand’s guest information database is still vulnerable.

2018 also saw a rash of low-tech social engineering attacks against individual hotels, and this type of attack has continued into 2019. Criminals commence these attacks by posing as brand systems support personnel and making phone calls to hotel employees. The employees are asked to provide their login credentials for the reservation management system.

Cybercriminal: Hello, I’m calling from [brand] system support. We’re having difficulty with the reservation process on your end, and we need to check it. Can you please log in for me?
Employee: Sure. [Logs in]
Cybercriminal: We’re still having an issue. Can you please give me your username and password so I can try it on our end?
Employee: No problem. My username is … and my password is …

Using the stolen credentials, the criminal remotely accesses the reservation management system and retrieves information about recent guest bookings, including guest names, addresses, phone numbers, reservation dates, and partial payment card information. Although the systems typically show only a partial credit card number, in some cases the criminals are able to unmask the obscured digits.

The criminal then calls guests with future reservations:

Cybercriminal: Hello, I’m calling from [hotel name] regarding your reservation from to [check-out date]. We’re having a problem processing your credit card. The last four numbers are [XXXX]. Could you please provide me with your full credit card information, including security code, so we can get that taken care of?

Because the criminal has accurate information about the reservation, the guest is more likely to fall for the scam. Once the guest has supplied the card information, the criminal quickly racks up fraudulent charges. Fortunately, most guests don’t trust these calls, but they are bad for the reputation of the hotel and brand. Depending on what information is exposed, the unauthorized access to the reservation management system may legally be considered a data breach that requires notification to affected individuals and regulators.

To help protect your organization from these types of social engineering attacks:

  • Change employee passwords at frequent intervals.
  • Alert employees to this type of attack and train them in how to respond.
  • If possible, implement multi-factor authentication for any access to the reservation management system.
  • Audit which employees have access to the reservation management system and disable access for employees who have no business need for it, including employees who have been terminated or who have changed roles.
  • Protect partial payment card information so obscured numbers can’t be unmasked.

This article is part of our Conference Materials Library and has a PowerPoint counterpart that can be accessed in the Resource Library.

HospitalityLawyer.com® provides numerous resources to all sponsors and attendees of The Hospitality Law Conference: Series 2.0 (Houston and Washington D.C.). If you have attended one of our conferences in the last 12 months you can access our Travel Risk Library, Conference Materials Library, ADA Risk Library, Electronic Journal, Rooms Chronicle and more, by creating an account. Our libraries are filled with white papers and presentations by industry leaders, hotel and restaurant experts, and hotel and restaurant lawyers. Click here to create an account or, if you already have an account, click here to login.

Preventing Cybercrime
https://pre.hospitalitylawyer.com/preventing-cybercrime/
Published Sat, 22 Jun 2019 16:00:26 +0000

HOW TO RESPOND TO COMPUTER POP-UPS.

In addition to being annoying, computer pop-ups or notifications are often the first step a cyber-criminal uses to victimize unsuspecting users. Be cautious of any notification or pop-up message. Examples include emails that say you have to download something in order to see a greeting card, or a message that says your computer is infected. Don’t click on anything in these pop-ups, including the “x” inside the pop-up itself. The safest way to close a pop-up on a Windows computer is to hold down the three keys “CTRL+ALT+DEL”; use “CMD+Option+Escape” on a Mac. Then run your antivirus software to see if there is any malware on your computer that caused the pop-up.

HOW TO RESPOND TO FAKE EMAIL MESSAGES

Be careful where you click. Don’t click on links or attachments in e-mails from an unknown sender, a suspicious sender, or emails that don’t make sense. Remember that a friend’s email account can become compromised and that attackers can “spoof” someone’s email address so that a message appears to be from anyone they choose. Remember: don’t react emotionally to an email. Pause and think before clicking. Hackers count on this emotional response to overcome logic and force us into making bad cyber-decisions.

RANSOMWARE

Ransomware is a form of malware that restricts access to data by encrypting files or locking computer screens. The criminal behind the ransomware infection then attempts to extort money from the victim by demanding a “ransom”, usually in the form of cryptocurrencies like Bitcoin or in the form of gift cards from sources like iTunes, in which case the cyber-criminal asks the victim to scratch off the back of the gift card and email the card codes in exchange for access to the data.

How it begins.

In a ransomware attack, victims open an email addressed to them and may click on an attachment that appears legitimate, like an invoice or notification of a missed delivery. If the victim clicks on a link in that email, it may cause malicious ransomware code to install on their computer.

What happens next.

Once the infection is present, the malware begins encrypting files on a victim’s computer. Users are generally not aware they have been infected until they can no longer access their files or until they begin to see computer messages advising them of the attack and the demand for a ransom payment in exchange for the decryption key.

How to stay safe.

Be careful where you click. Always back up the content on your computer. If you are infected by ransomware, you can have your system wiped clean and then restore your files from your backup. Because ransomware can infect all attached hard drives, disconnect the backup drive when not in use or use cloud backup.

The bad guys are getting creative with hybrid gift card / CEO fraud scams. There is a campaign underway in which they impersonate an executive and urgently ask for gift cards to be bought for customers. After the cards are physically bought at stores, the numbers are to be emailed or texted to the “boss.” Never comply with requests like that, and always confirm using a live phone call to make sure this is not a scam. Sometimes it’s OK to say “no” to the boss!


About KPM Law
Kalbaugh Pfund & Messersmith, PC is a top-rated civil litigation firm with four locations serving the mid-Atlantic since 1990. As a progressive civil litigation firm with more than 25 years of dynamic multi-jurisdictional practice, Kalbaugh, Pfund & Messersmith, top-rated by Martindale-Hubbell, is recognized as experienced, client-centered, value-driven, and outcome-oriented. Having focused the practice on legal matters that speak to the collective strength and experience of their dynamic team of attorneys, KPM provides unparalleled acuity in their field while employing strategies that increase efficiencies, enhance outcomes, and benefit their clients both legally and financially. With four strategically located offices, KPM practices in the states of Virginia, Maryland, West Virginia, North Carolina, and the District of Washington, representing a variety of insurance carriers, international corporations, national and regional companies, self-insured businesses, and individuals — clients who rely on KPM’s experienced professionals, progressive philosophies and proven track record to meet their litigation needs in the mid-Atlantic area.

Effectively Using Social Media At Trial
https://pre.hospitalitylawyer.com/effectively-using-social-media-at-trial/
Published Tue, 20 Nov 2018 16:00:01 +0000

The process begins with obtaining information via requests for production, interrogatories, requests for admissions, depositions, etc. If used effectively, social media discovery can become an effective defense strategy that will withstand objections and scrutiny at trial.

Social media evidence is important information to explore, especially considering that most people (Plaintiffs) tend to have no filter when it comes to posting information about relationships with their family, romantic interests, employers, prior medical history, who has done them wrong, friends, lawyers, meals, and the list goes on. People also like to share their personal opinions on just about anything – Nike, Chick-fil-A, NFL protests, etc.

Social media information is potentially important as an admission against interest, assuming the information is relevant. Information a party or witness puts on the internet can potentially be used against them in cross-examination at trial or during discovery. Litigators have never had this type of ready access to so much of what a party or witness says, does or thinks.

Once suit is filed, you need to have a strategy for obtaining social media evidence and how you are going to use it. The first step is to perform an investigation. The second step is to use your discovery tools. The third step is to get the evidence admitted. And the fourth step is ethical considerations. Developing a good social media investigation strategy does more than just provide you with information. It helps you craft discovery requests that ask for specific information, a requirement that now exists in federal courts and that will soon exist in state courts. The specific information requests can help you compile the discovery, comply with discovery requirements, and help you drill down to obtain the facts you need in order to help your case.


Authors

David Eaton
David Eaton is a founding shareholder of the firm and practices in the Nashville, Tennessee office. He practices in Kentucky, Mississippi, North Carolina, and Tennessee and focuses in the areas of long-term care defense and general liability claims. As an advisor to health care providers, David has worked closely with nursing home staffs and personnel in the strategy and development of the defenses of cases prior to and through trials. David received a Bachelor of Arts degree in English from Nicholls State University in 1995 and a Doctor of Jurisprudence from Mississippi College School of Law in 2000.

Michael Phillips
Michael Phillips is a founding shareholder with Hagwood and Tipton and president of the firm’s Executive Committee. Michael oversees staff in both the Jackson, Mississippi, and Hillsborough, North Carolina, offices. A significant portion of Michael’s cases involves the defense of physicians, nurses, hospitals, nursing homes, assisted living facilities and other health care providers. He handles all phases of the litigation process – with a particular emphasis on trial – and has defended claims against nursing homes and assisted living facilities in Mississippi, Tennessee, Alabama and North Carolina. Michael also has extensive experience in the areas of complex defense litigation involving premises security/liability, insurance coverage and general insurance defense.

U.S. Companies Still Grappling With GDPR
https://pre.hospitalitylawyer.com/u-s-companies-still-grappling-with-gdpr/
Published Tue, 02 Oct 2018 16:00:37 +0000

Several months after the European Union’s (EU’s) new sweeping privacy law known as the General Data Protection Regulation (GDPR) went into effect on May 25, 2018, U.S. companies are still struggling to understand the implications for their businesses. This article highlights some of the key threshold issues that companies should consider in analyzing the potential impact the GDPR may have on their operations, including restrictions on the collection and use of personal information of EU residents.

What Is the GDPR?
The GDPR (or Regulation) is perhaps the most comprehensive privacy law of its kind in the world, emphasizing the growing social, political and legal concerns about the potential misuse and abuse of individuals’ personal data. This is no surprise given the rapid advances in technology and the impact of the new economic reality of “big data” and data analytics on consumer information.

The GDPR has set a new precedent for the high stakes of protecting individuals’ privacy, which is being watched closely and even shaping the privacy laws in other countries. The GDPR replaced the Data Protection Directive of 1995 and sets stricter standards for companies that collect or process data on citizens and residents of EU member countries. While considered a milestone achievement for individuals’ data protection laws, the GDPR presents complex challenges for companies that must now take steps to become GDPR compliant or run the risk of being subject to audits, lawsuits and/or stiff financial penalties.

Which Organizations Are Subject to the GDPR?
There is a big misconception in the U.S. business community that the GDPR only applies to EU companies. The new Regulation expands the territorial reach of the GDPR to include companies established outside the EU. This means that a company that has no offices, staff or even customers in any EU country may nonetheless need to comply with the GDPR if it processes and stores personal data on EU residents in any way. In other words, U.S. companies may be subject to the GDPR if they control or process data of EU residents.

The GDPR focuses in particular on the activities of data “controllers” and data “processors.” A data controller is an individual or entity that “determines the purposes and means of processing personal data.” A data processor is any individual or entity that processes (i.e., collects, stores, uses) personal data at the direction of the data controller. A positive response (yes) to one or more of the questions below may signal that an organization is subject to the GDPR.

Does your organization process or store data on EU residents?
The GDPR broadly defines the term “data processing” to include “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction.” In reality, virtually any activity involving personal data of EU subjects may be closely scrutinized and classified as a processing activity within the definition of the Regulation, to the extent it is performed at the request of a data controller.

Does your organization offer goods or services to EU residents?
The GDPR expressly states that the Regulation applies to organizations outside the EU that offer goods or services to data subjects within the EU regardless of whether a fee is charged for such goods or services. Thus, an organization should consider whether it:

  • Offers services in a language or currency of an EU member state
  • Enables EU residents to place orders in that language
  • References EU customers in its publications.

It is noteworthy that merely having a website that is accessible by EU residents is not conclusive for purposes of determining whether an organization is subject to the GDPR.

Does your organization monitor the behavior of EU residents as that behavior occurs in the EU?
The GDPR also applies to non-EU organizations that monitor the behavior and activities of EU residents within the EU. This includes tracking EU residents on the internet to create profiles or to analyze or predict individual preferences and behavior.

What Is Protected Personal Data Under the GDPR?
The GDPR protects “personal data,” which is broadly defined in Article 4(1) to encompass:

“…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier…”

The definition provides a broad range of identifiers, including “a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” For example, personal data may include a photo, racial or ethnic data, an email address, bank details, posts on social networking websites, political opinions, health and genetic information, a computer IP address and so on.

The GDPR also refers to sensitive personal data as “special categories of personal data,” which include genetic data and biometric data, where processed to uniquely identify an individual, and data concerning health. Processing of such data is prohibited unless the data subject gives explicit consent. Otherwise there are very few exceptions in which processing of such special categories of personal data is also possible (e.g., if it is necessary to defend or enforce a legal claim).

When a data controller collects personal data from an individual, including a third party, the controller must provide information to the data subject regarding processing activities, including:

  • Contact information for the controller and Data Protection Officer, if applicable
  • Purpose of the collection and processing of personal data
  • Intended recipients of the personal data, if any
  • Whether personal data will be transferred outside the EU
  • Time period for which the personal data will be stored
  • Individuals’ right to request access to, correction or erasure of their personal data
  • Individuals’ right to file a complaint with an EU privacy regulator (Supervisory Authority) with respect to the collection or use of their personal data.

What Are Consent Requirements for Processing Personal Data?
Consent remains one of six lawful bases to process personal data, as listed in Article 6 of the GDPR. However, the requirements for validly obtaining consent have been increased to place a higher burden on data controllers. Article 7 sets out what is meant by consent, and the Information Commissioner’s Office (ICO) has published detailed guidance on consent under the GDPR. In brief, consent must be “freely given, specific, informed and unambiguous.” Organizations should review how they seek, record and manage consent, and whether they need to make any changes to their policies and procedures. In evaluating compliance with the GDPR’s expanded consent requirements, organizations should note the following characteristics:

  • Active Opt-in: There must be “clear affirmative action”; consent cannot be inferred from silence, pre-ticked boxes or inactivity.
  • Unbundled: Consent requests must be separate from other terms and conditions and should not be a precondition of signing up to a service unless necessary for that service.
  • Granular: Granular options to consent separately to different types of processing should be given wherever appropriate.
  • Named: Name your organization and any third parties that will be relying on consent; even precisely defined categories of third-party organizations will not be acceptable under the GDPR.
  • Verifiable: Keep records to demonstrate what the individual has consented to, including what they were told and when and how they consented.
  • Easy to Withdraw: There must be simple ways for people to withdraw consent – tell people about their right to withdraw and offer them easy ways to withdraw consent at any time.
  • No Imbalance in the Relationship: Consent is not “freely given” if there is imbalance in the relationship between the individual and the data controller.

What Rights Do Individuals Have to Protect Personal Data?
One of the key premises of the GDPR is to expand the rights of individuals to protect their personal data. This includes an individual’s right to access, rectify and/or seek erasure of their personal data.

Right to Access
Individuals have the right to access their personal data and request the following information from a data controller:

  • Copy of their personal data
  • Purpose of processing the personal data
  • Categories of personal data
  • Recipients of the personal data
  • Time period the personal data will be stored
  • Individual’s right to request alteration (rectification), erasure and/or restrictions on processing their personal data
  • Right to file a complaint with a Supervisory Authority
  • Extent to which decisions about the individual are made based on automated processing or profiling of personal data
  • Appropriate safeguards for transfers of personal data outside the EU.

Right to Rectification
An individual has the right to request the data controller to correct their personal data without undue delay.

Right to Be Forgotten
The GDPR recognizes an individual’s so-called “right to be forgotten,” subject to limited exceptions. In other words, an individual has the right to request the data controller to erase their personal data without undue delay in certain circumstances, including the following:

  • Personal data is no longer required for processing
  • Individual withdraws consent to the processing of their personal data
  • Individual objects to the processing of their personal data
  • Personal data has been unlawfully processed.

What Are the Record-Keeping Requirements Under the GDPR?
Data controllers and processors must maintain written documentation of all activities related to the processing of personal data (including documentation of all steps made in order to be GDPR compliant). These records should include the following information:

  • Contact information for the data controller
  • Purpose for processing the personal data
  • Description of the personal data
  • Recipients of the personal data
  • Safeguards to protect personal data transferred outside the EU
  • Anticipated time frame for erasing personal data
  • Technical safeguards employed to protect personal data.

These records of processing activities must be produced to a Supervisory Authority upon request. Notably, the GDPR’s record-keeping requirement does not apply to organizations with fewer than 250 employees.

What Security Measures Are Required to Safeguard Personal Data?
The GDPR does not dictate specific technical security measures that must be implemented by data controllers or processors to safeguard personal data. However, the Regulation does require organizations to conduct a risk assessment to ensure an appropriate level of security based on a cost-benefit analysis. The size of the organization and the nature and scope of processing activities are key factors to consider. Such security measures may include the pseudonymization of personal data (so that data cannot be linked to a specific individual); encryption of personal data; ability to restore and back up personal data; periodic security audits to test and evaluate processing activities; and adherence to recognized industry standard certification requirements to protect data.

What Is a Data Protection Officer?
The GDPR requires data controllers and processors to appoint a Data Protection Officer (DPO) when an organization’s “core activities” consist of processing personal data on a “large scale.” Germany qualifies this requirement to include instances where there is a minimum of 10 people processing personal data automatically. An organization may designate an employee or hire a third party to serve as a DPO, based on their expert knowledge of data protection laws and regulations. A DPO is responsible for monitoring an organization’s compliance with the GDPR, training employees and staff, oversight of any data protection impact assessments, cooperating with the Supervisory Authority, and acting as the liaison between the organization and the Supervisory Authority. In addition, the DPO may be responsible for responding to inquiries by individuals concerning their personal data.

Is an Organization Required to Report a Data Breach?
The GDPR introduces additional mandatory data breach reporting requirements. A data controller must report security breaches to the relevant Supervisory Authority “without undue delay, and where feasible, not later than 72 hours” after it first becomes aware of the incident. If the notification is made after 72 hours, a reasonable justification for the delay must be provided. The breach only needs to be reported if it is likely “to result in a risk for the rights and freedoms” of data subjects – if, for example, the breach could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage.

A data controller also must notify individuals of a security breach “without undue delay” where the breach “is likely to result in a high risk” to the rights and freedoms of data subjects. However, notification to individuals is not required if (1) the organization has implemented appropriate security measures that render the data unintelligible to any unauthorized person (i.e., encryption); (2) the organization has taken subsequent measures to ensure that a high risk to data subjects does not materialize (i.e., remediation); or (3) it would involve a disproportionate effort, in which case a public communication will suffice (i.e., media notice or publication on the organization’s website).

The contents of the breach notification communication should include the following information where available in “clear and plain” language:

  • Nature of the incident
  • Type of personal data
  • Number of affected persons
  • Number of personal data records
  • Contact information for the DPO
  • Likely consequences of the data breach
  • Steps taken by the organization to contain and mitigate the exposure.

Notably, the breach notification requirements set forth above apply to data “controllers.” However, in the event of a breach experienced by a data “processor,” the processor is required to notify the controller “without undue delay.”

Are There Any Repercussions for Failure to Comply with the GDPR?
The most serious infringement of the GDPR can result in administrative fines by a Supervisory Authority of up to €20 million or 4 percent of the offending company’s global annual revenue, whichever is higher. For lesser noncompliance offenses, company audits and a tiered fine structure may be imposed.

Under the GDPR, data controllers and processors also may be subject to liability and damages for legal proceedings commenced by a data subject in a court of law or a complaint lodged with a Supervisory Authority. Such complaints may be filed in the jurisdiction where the data subject resides or works, or the location of the alleged infringement of the Regulation concerning the processing of the individual’s personal data. Data controllers and processors may have joint liability for compensatory damages awarded to an individual to ensure they are made whole.

The GDPR also grants Supervisory Authorities the power to:

  • Conduct investigations of data controllers and processors
  • Perform data protection audits
  • Issue warnings or reprimands
  • Order an organization to comply with a data subject’s request regarding personal data (including rectification, erasure and restrictions on processing)
  • Require an organization to bring its processing activities into compliance with the GDPR
  • Order an organization to notify individuals of a data breach
  • Order the suspension of data flows.

Summary
In summary, U.S. companies are well advised to consider their compliance obligations, if any, under the GDPR. The extraterritorial reach of the EU’s new privacy Regulation means that non-EU companies may be subject to the law. A critical factor in evaluating the potential application of the GDPR to U.S. companies is whether a company collects, stores, transfers or otherwise processes personal data of EU residents. If so, the company may be required to obtain an individual’s express consent to the use of their personal data, in addition to maintaining internal records of the company’s personal data processing activities. Moreover, companies may have a mere 72 hours to notify EU regulatory authorities of a data breach involving the personal data of EU residents. Failure to comply with the GDPR’s extensive requirements may result in regulatory investigations, legal proceedings, compensatory damages, injunction orders or hefty administrative fines.

The Unique Challenges of Data Security in the Hospitality Industry
https://pre.hospitalitylawyer.com/the-unique-challenges-of-data-security-in-the-hospitality-industry/
Thu, 30 Aug 2018 16:00:28 +0000

The hospitality industry has been in the news frequently over the past year as a result of multiple and significant data security incidents. Nationally recognized hotel and resort brands continue to suffer cyber-attacks, including theft of payment card data from their retail and food/beverage outlets and, at times, theft of guest data from reservations and management computer systems; nationally recognized restaurants have also been subject to similar cyber-attacks on their point of sale systems. In addition, less sophisticated data incidents regularly occur through theft or loss of mobile data and paper data. Recent notable breaches in the industry have affected the following companies in multiple locations:

[Image: list of restaurant and hotel companies that have experienced data breaches]

Why is the hospitality industry such a frequent target? What makes this industry uniquely vulnerable to information threats? This article will examine those questions and suggest certain measures that hotel and restaurant companies can employ to try to mitigate the risks to information that they own or possess.

Multiple Parties Are Involved In The Equation

Hotel companies and many restaurant companies face unusual problems when it comes to cyber security and vulnerability to data theft/loss due to traditional ownership/management/franchise structures as well as the way hotels and restaurants tend to operate.

For branded hotels (and many branded restaurants) there are typically at least three parties involved in a functioning hotel business: the franchisor or “brand,” the owner (or owners’ group) and the operator, a/k/a the management company. Each of those entities plays a particular role in the function of the hotel as a business, and each may have its own computer systems or stored information:

Franchisor

  • Owns the “flag” of the brand and in exchange for use of its marks and marketing services, can impose its own standards for hotel features, including the process for booking rooms;
  • Typically mandates that the owner install a particular hardware/software suite to handle the reservations functions;
  • Maintains ownership and control of that system through contractual means; and
  • Typically claims ownership of guest data that is input into the reservations system by hotel employees or others.

Owner

  • Typically not the brand; could be individuals, investor groups or major asset holding companies, including investment funds, insurance companies, banks;
  • May have varying degrees of involvement in operational issues that include guest or employee data; and
  • May own separate “point of sale” payment card systems for food/beverage/retail outlets situated within the hotel.

Operator

  • If independent from Owner, will usually have a management agreement with the Owner that establishes an agency relationship with Owner for purposes of all day-to-day hotel operations;
  • Third party operators are usually the formal employers of hotel personnel and maintain all employee data (including Social Security Numbers);
  • May collect guest data prior to inputting same into the reservations and management system owned by the franchisor, if the hotel is branded; and
  • May obtain and maintain payment card information associated with group bookings.

Sometimes the complex relationship between franchisors, owners and operators requires that information be shared, or that separate computer systems be tied to each other. For example, as indicated above, major hotel brands require all of their franchised hotels to utilize the brand’s reservations and management computer system when booking or checking in all guests. Thus, hotel owners and operators are forced to have their own on-site personnel utilize the computer system of another company when transacting business with guests. In addition, hotels, like restaurants and other consumer businesses, often permit interfacing between their own computer systems and those of third party vendors or credit card processors.

All of this means that hotel and restaurant systems are to some extent dependent upon the security measures and practices of other entities which the hotels and restaurants do not control. A classic example of this is the Wyndham Worldwide breaches which occurred in 2008 and 2010, where hackers were able to penetrate Wyndham’s central reservations database through a hack of a single franchised hotel, and then use the Wyndham system’s connections to dozens of other individual franchised hotels to steal hundreds of thousands of sets of credit card data.

The Hospitality Industry Does Business By Payment Card

Credit and debit card data has long been a preferred target of data thieves. Payment by card is the mainstay of most hotels and restaurants. Therefore, hotels and restaurants represent a tantalizing treasure chest of data for cyber criminals to try to crack open.

The Wyndham Worldwide series of data breaches, where the brand’s reservations system was the subject of the attacks, were certainly notorious in the world of hotel data incidents, but statistically most credit card data theft in hotels occurs due to malware affecting point-of-sale (“POS”) systems, rather than the brand reservations systems for guest room bookings. Of the twenty-one most high-profile hotel company data breaches that have occurred since 2010, twenty of them were a result of malware affecting point-of-sale systems in hotel restaurant, bar and retail outlets. This is also true for the recent restaurant data breaches affecting Wendy’s, Arby’s, Landry’s and Noodles & Company, which were all the result of malware affecting point-of-sale systems in several locations.

Cyber criminals, through a variety of methods, are able to infect POS systems with credit card data-scraping malware that captures personal account data at some point during the payment process. This malware is often capable of moving between connected systems and may infect groups of hotels and restaurants that are either related by common brand or by a common third party operator and may often operate for several months or even years before being detected by the operator.

Some hotel credit card compromises are not high-tech in nature. Many hotels still tend to receive faxed credit card authorization forms for company bookings or group bookings, and often the faxed paper forms, which contain credit card numbers and expiration dates, are kept in a non-secure manner, such as in binders behind the hotel front desk. These paper forms are susceptible to being lost or stolen, and while many state breach notification laws do not expressly cover loss or theft of paper data, a growing number of state laws do. For example, the data breach laws of California, Hawaii and Alaska all protect data in any form, including paper, that contains personally identifying information.

In addition to these “paper” breaches, the hotel industry is also vulnerable to identity thieves targeting guests who may be unfamiliar with the area or the hotel. The thieves use various schemes including calling hotel guests, posing as the front desk, to ask for updated credit card information or leaving fliers for pizza delivery with phone numbers directed to thieves who take down the guest’s credit card information.

Employee Turnover and Fluidity Contribute to Security Problems

In the hospitality world there tends to be a high degree of movement of employees in and out of particular locations. Hotel operators will transfer their skilled employees to other locations where they may be needed. Employees in less skilled positions tend to come and go frequently as well. Hotel or restaurant owners may decide to change third-party operating companies, and the new operator will bring in its own management-level employees to manage the location. Maintaining a consistently trained workforce is a challenge that the hotel industry shares with the restaurant industry.

In recent years many information security industry experts have identified a company’s employees as its most vulnerable point from a data security perspective. A fluid workforce means that it is more difficult to train employees in the secure receipt and treatment of personal information, in complying with privacy and security policies, in protecting and changing user access credentials, and in being alert for social engineering attempts. Keeping up with which employees have access to different levels of information is also challenging when there are frequent changes of personnel at particular job levels. Only certain job functions within a hotel setting require access to guest or employee personally identifying information, and hotel companies (as well as companies in other industries) are not always as careful as they should be about controlling access by job grade/description and making sure access is eliminated when an employee moves out of a particular position or is terminated.

How Can Hospitality Companies Better Prepare for and Combat Cyber Threats?

While hospitality companies have unique problems that tend to make them more vulnerable to threats of compromise and theft of personal information, there are ways that these companies can prepare for and mitigate against such risks, and there are lessons to be learned from looking at prior data security incidents. In analyzing recent breaches, it is likely that utilization of the following practices could have mitigated or prevented such incidents.

  • Contractual Risk-Shifting and Secure Handling Requirements: Franchisors, owners and operators, in their dealings with each other and third parties such as vendors and contractors, can help to control the risks inherent in sharing systems or information with others. Requiring specific cyber incident indemnification, where negotiating leverage permits, is useful to protect hotel companies from the economic consequences of a breach incident caused by or contributed to by another party. In addition, contract provisions requiring compliance with minimum information security standards (e.g., compliance with Payment Card Industry Data Security Standards a/k/a “PCI-DSS”) or mandating third party compliance with a hotel company’s own security policies can reduce the risk of cyber incidents.
  • Employee Policy Enforcement and Training: Despite the fluidity of management and staff employees that is attendant to operating a hotel or restaurant, operators can and should consistently update their employee policies on data security and rigorously train employees who have access to data or systems. Where employees do not require access to personal information to perform their job functions, that access should be terminated. Policies concerning use of mobile devices, external information storage devices and internet usage should be enforced. In addition, to protect against identity thieves, employees should be trained on how to advise guests on potential risks and how to identify suspicious behavior and when to report suspected identity theft or data breaches.
  • Guard Guest and Customer Card Data: Considering that POS malware attacks are a very common type of cyber incident affecting hotels and restaurants, operators and owners should take extra care in selecting their POS system vendors and credit card processors. Agreements with those entities should be vetted and, if possible, modified to add protection and minimum data handling standards for the outside vendor. Compliance with PCI-DSS not only helps to ensure that data security software, hardware and practices are safer, but also helps to protect against fines and penalties which may be levied against hotels by the credit card industry for noncompliance with PCI-DSS when a breach occurs.

Authors

Sandy Brian Garfinkel. Mr. Garfinkel is a member with the law firm of Eckert Seamans Cherin & Mellott, LLC. He maintains a busy and diverse business litigation practice with a particular emphasis in the hospitality industry. As part of his work in the hospitality world he regularly assists hotel management and ownership companies in preparing for and responding to breaches of data security. He is also the founder and chair of the firm’s Data Security & Privacy Practice Group. Mr. Garfinkel can be reached at 412.566.6868 or at sgarfinkel@eckertseamans.com.

Malgorzata “Gosia” Kosturek. Ms. Kosturek focuses her practice on hospitality law and general corporate law. She assists clients in numerous types of corporate transactions, including acquisitions, mergers, and financings, primarily in the hospitality industry. She is also a member of the firm’s Data Security & Privacy Practice Group. Ms. Kosturek can be reached at 412.566.6180 or at gkosturek@eckertseamans.com.

The Most Aggressive Privacy Law in the U.S.: Tracking the California Consumer Privacy Act of 2018
https://pre.hospitalitylawyer.com/the-most-aggressive-privacy-law-in-the-u-s-tracking-the-california-consumer-privacy-act-of-2018/
Tue, 14 Aug 2018 16:00:23 +0000

Signed into law on June 28, 2018, the California Consumer Privacy Act provides the most comprehensive and aggressive privacy law in the United States — despite being pushed through the legislative process in one week. The California State Legislature will reconvene from Summer Recess on Monday, August 6, and it is expected to reevaluate the Act before the legislative session closes on August 31. Businesses should get acquainted with the main provisions of the Act and its broader implications as legislators fine-tune this significant law — a process that can continue until the Act goes into effect on January 1, 2020.

How We Got Here

California has a unique ballot initiative process that allows citizens to pass laws outside of the traditional legislative process. At a high level, if a citizen drafts an initiative and then secures enough signatures, s/he can put the initiative on the ballot and California citizens can vote it into law. If such an initiative becomes law, it is significantly more difficult to amend than a law passed through the legislative process.

Here, a real estate developer received over 600,000 signatures for a consumer privacy initiative. The developer vowed to put the initiative on the ballot in November unless the Legislature passed a similar law. With polls suggesting that the initiative would pass if put to a vote, the Legislature passed A.B. 375, the California Consumer Privacy Act of 2018.

Will the Act Apply to Your Company?

The Act provides sweeping protections to consumers and their personal information. It generally applies to any for-profit company, and any entity that controls or is controlled by such company, conducting business in California that collects consumers’ personal information and meets at least one of the following criteria:

  1. Generates annual gross revenues over $25 million.
  2. Alone or in combination, receives or shares the personal information of 50,000 or more consumers, households or devices.
  3. Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

The California Consumer Privacy Act – An Overview

The Act will not go into effect until 2020, and the Legislature may continue to make changes up until that point. In its current form, the main provisions of the Act include:

  1. Sweeping Definition of Personal Information. The Act is much broader than other U.S. statutes that focus on specific sensitive data like Social Security numbers. The Act defines “personal information” as any “information that … could be reasonably linked, directly or indirectly, with a particular consumer or household.” An exclusion exists for publicly available information.
  2. Broad Consumer Rights. The Act grants California residents a broad range of new rights with respect to their personal information. Companies are forced to accommodate these new consumer rights, including:
    1. Companies that collect personal information must disclose to consumers the categories of personal information to be collected and for what purpose they use it. If a consumer asks, companies must disclose exactly what personal information they collect on the consumer and for what purpose they use it.
    2. If a consumer asks, companies must deliver such personal information to the consumer in a readily useable format, free of charge.
    3. If a consumer asks, companies must delete any of the consumer’s personal information and direct service providers to do the same. Certain exceptions exist if the consumer’s personal information is necessary to provide the consumer a service.
    4. If a consumer opts out, companies are not allowed to sell that consumer’s personal information to third parties. (For consumers under the age of 16, companies can only sell personal information if such consumers affirmatively opt in to such use of their personal information.)
    5. If a consumer asks, companies must disclose the categories of any third parties to which personal information of the consumer was previously sold or disclosed.
    6. Consumers also maintain a private right of action if a company’s lack of reasonable security practices results in a data breach.
  3. Extensive Authority of Attorney General. The California Attorney General has broad authority to promulgate regulations pursuant to the Act. Also, the Attorney General has the authority to prosecute an action against a company that violates the Act. Additionally, the Act prohibits companies from discriminating against consumers who exercise any of their rights under the Act. However, companies can offer consumers financial incentives to collect or sell their personal information.

The Act also establishes a Consumer Privacy Fund in the General Fund and allows any business to seek the Attorney General’s opinion on how to comply with the Act.

Comparisons to the EU’s GDPR

The Act is modeled after the European Union’s General Data Protection Regulation (GDPR) — but there are meaningful differences between the two. Generally, the Act puts more onus on the consumer. Although consumers are granted broad rights, for the most part, they must take affirmative action to seek the protection afforded under the Act. Under the GDPR, however, that burden is inverted; companies must disclose their legal basis and retention plans for specific data at the time of collection, cannot process certain sensitive information (e.g. health data) or automatically profile consumers without receiving explicit consent, and generally must document data activities internally, whether consumers ask about their information or not. Thus, the Act makes less rigorous demands of companies than the GDPR.

Another major difference? The GDPR took around four years to pass. The California Legislature passed the Act in about one week.

For more information on the GDPR, please visit our International Affairs: GDPR resource page.

Implications of the Act

Although the Act is not as expansive as the EU’s GDPR, it is viewed as the most comprehensive, aggressive privacy law in the United States. Reports estimate that the Act will apply to over half a million U.S. companies. To some extent, domestic U.S. companies have been able to isolate the impacts of the GDPR, but they will likely have less luck ducking the regulatory challenges of the Act. Businesses subject to the Act will be forced to reform their privacy data collection, dissemination, and disclosure practices — which will be an expensive and time-sensitive undertaking.

Some positive news for businesses: the version of the bill that was passed is not likely to be the law that ultimately takes effect. Because the Act was passed by the Legislature instead of by California voters, legislators can change the details up until the Act goes into effect, and they have indicated plans to do so.

More immediately, the Legislature has expressed that it may make technical changes to the bill from August 6 to August 31. Most expect these changes will be limited to small tweaks, including correcting typos or changing terminology. Some trade associations plan to advocate for easy changes to the Act this month and wait until 2019 to address bigger issues.

Certainly, over the next 17 months, we expect many changes to the language of the Act. We’ll be tracking to see whether these changes affect the practical implications of the Act on your business.

MEET THE AUTHORS

Paul Luehr

Paul H. Luehr, Partner
612.766.7195
paul.leuhr@faegrebd.com

Alison Watson

Alison F. Watson, Partner
202.312.7454
alison.watson@faegrebd.com

Nicole Pelletier

Nicole L. Pelletier, Associate
317.237.1353
nicole.pelletier@faegrebd.com

Alcohol Advertising in the Digital Age
https://pre.hospitalitylawyer.com/alcohol-advertising-in-the-digital-age/
Fri, 20 Jul 2018 04:00:03 +0000

Introduction

Suppliers and retailers of alcoholic beverages advertise their respective products and offerings in a wide variety of digital outlets. Questions arise as to how the complex legal landscape of alcohol regulation applies in these digital spaces. Advertising media include social network services (e.g., Facebook), video sharing sites (e.g., YouTube), blogs, and smartphone applications. In addition to these types of media which engage consumers directly on their televisions and personal devices, other types of media target consumers in retail places. These media include digital screens which are physically present in store, as well as seemingly invisible technology which targets the consumer in store on his or her smartphone.

The Law Plays Catch-Up

Tied house laws, which address the financial relationships between supplier and retailer licensees, were enacted well before any digital media was invented. As a result, the alcohol laws have been playing catch up with this technology. Nevertheless, it is clear that social media qualifies as advertising for the purpose of alcohol beverage laws, and more and more jurisdictions are creating specific legislation to clarify this point. For example, Georgia, Kentucky, and Louisiana all now include social media in state definitions of advertising. On the federal level, the U.S. Tax and Trade Bureau (“TTB”) has confirmed that mandatory statements required in supplier product advertising are required in all forms of social media as well.

Paying for Technology: Compliance with State and Federal Tied House Rules

Technology can be expensive, and as a result retailers frequently wish to enlist supplier support to defray the cost of advertising both in and out of their premises. Generally, it is important to remember that the same rules which govern traditional advertising also govern these new technologies. Therefore, the same questions which come up in traditional advertising also apply here. For example, does the advertising involve the supplier paying for or buying advertising for the retailer in a manner that results in prohibited “cooperative advertising”? Does the technology involve the supplier providing or otherwise paying for a piece of equipment which is not covered by any applicable tied house exception?

The recent case of Retail Digital Network, LLC v. Prieto, 861 F.3d 839 (9th Cir. 2017), involved the issue of an impermissible payment for advertising. The plaintiff in the case installs liquid crystal displays for advertisements in retail outlets. Advertisers pay plaintiff for the opportunity to feature their brand advertising in the retail location. Plaintiff in turn then pays the retailer a percentage of the advertising fees generated by the display. Suppliers of alcohol beverages refused to do business with the plaintiff out of concern that California’s alcohol beverage laws prohibited them from paying to place advertising on a retail premises. The plaintiff sued the California Department of Alcoholic Beverage Control to enjoin enforcement of this particular part of the state tied house law. In short, the plaintiff argued that the suppliers’ proposed advertisements were protected commercial speech, and that the state interests and concerns inherent in the Twenty-first Amendment were outweighed by First Amendment interests. An en banc panel of the Ninth Circuit held that the California advertising prohibition directly and materially advanced the state’s interest in maintaining the three tier system, and therefore was sufficient to overcome First Amendment scrutiny.

Because digital advertising has become so popular, a cottage industry has developed for screens, closed loop televisions, and other devices that sit in retail places to stream digital content. Retailers frequently ask whether these items can be paid for or loaned by suppliers. This is a state specific issue, and the answer to the question will vary from one jurisdiction to another. One way to analyze the issue is to determine whether the item is really a digital sign (likely covered under a tied house exception) or an illegal thing of value (a gift not covered by a tied house exception). The Texas Alcoholic Beverage Commission (“TABC”) has published two Marketing Practices Bulletins on this subject which provide helpful guidance. The TABC articulated questions to be used to determine the true nature of the item. They include:

  • Is the primary purpose of the item to advertise a product?
  • Is it a permanent fixture?
  • Is it a thing of value?
  • How long will the item stay in the retail premises?

Questions Raised by SmartPhone Applications

The uptick in digital advertising has also increased the number of smartphone applications directed at the marketing and sale of alcoholic beverages. Many retailers now have their own smartphone applications, and many interface with applications operated by non-licensees which drive traffic to the retail establishment.

Many of the best practices associated with applications which advertise alcohol are the same as the best practices for websites featuring alcohol products. These include, but are not limited to, age-gating and promoting responsible consumption. In addition, however, smartphone applications also raise several other legal issues in the alcohol space, depending on the functionality of the application. Consider the following issue-spotter questions:

  • Does the app, if operated by an unlicensed third party, improperly use or avail itself of the retailer’s license to sell alcoholic beverages?
  • Does the app facilitate an improper flow of funds between a supplier and a retailer?
  • Does the app offer promotions which could result in violations of state happy hour or drink pricing rules?
  • Does the app result in tied house exclusion by directing consumers away from one retailer and toward another?

Summary

Digital communications promoting alcohol present compliance challenges in terms of their jurisdictional reach, and to whom they may be directed. It is best for industry members to consult state law to determine which laws and regulations governing traditional advertising may also apply in the context of digital advertising. Furthermore, many states have developed enforcement policies and other opinion statements on social media and related issues; therefore, consulting state agency resources is recommended.

Is Your Company Car Exposing Sensitive Data To Hackers?
https://pre.hospitalitylawyer.com/is-your-company-car-exposing-sensitive-data-to-hackers/
Thu, 05 Jul 2018 16:00:00 +0000

If your business is like most others, you probably store a lot of sensitive data in an electronic format. And if your business takes proper precautions, you probably utilize sophisticated cybersecurity systems to prevent the hacking of such data. You likely also require your employees to password-protect their phones, and perhaps even download security software applications for added protection. But have you considered potential data vulnerabilities posed by your company cars and your employees’ cars? Likely not, but there is convincing evidence that you should start.

Auto Infotainment Systems: The Next Hacking Frontier

According to a recent article published by the webzine Motherboard, cars are a potential treasure trove of unsecured data just waiting for a hacker to claim it. A security software engineer discovered that his car’s infotainment system did not use modern security software principles, yet it stored an unbelievable amount of personal data obtained from his phone – including contact information, texts, emails, call histories, as well as directory listings that had been synchronized with his car via Bluetooth and other similar connections. Worse, he discovered this information was being stored on the car’s infotainment system in plain, unencrypted text.

He surmised that unscrupulous hackers could gain access to this information remotely through his in-car internet connection, a quickly growing technology, or directly through the car’s USB port. Although mobile operating systems like Google Android and Apple iOS use highly effective security protections, these protections could be undone simply by pairing mobile devices to the car’s infotainment system.

We don’t know to what extent the issue exists among the various car models manufactured each year, but this revelation should raise several concerns for your business. If employees sync their mobile devices to a company car’s infotainment systems, they could be unintentionally storing personal data on the car’s system, making it susceptible to hackers. Similarly, if an employee uses a company-issued or personal mobile device for work that is paired to a company car, or even a personal vehicle, sensitive company information such as customer lists and contact info may be stored in the car and, therefore, vulnerable.

What Should You Do?

How should you deal with this apparent security risk? Unfortunately, there are no easy fixes at present. Car manufacturers are just now beginning to discuss how to address data security issues created by their cars. For companies with a fleet of cars, however, you should contact the car manufacturers to inquire about the security of the firmware (the embedded software) used in the cars. You should remain in contact with the car manufacturers to make certain you will be notified if there are tech-related updates or recalls. If the manufacturer indicates the car’s firmware needs updating, ensure this is done as soon as possible, even if it means taking the car to the dealership.

If employees are responsible for company car maintenance, or if they use their personal cars for work, you should have a policy requiring employees to update the car’s firmware within a set period of time following the release of the update. You may also want to consider prohibiting employees from syncing their mobile devices to company vehicles or syncing company-issued mobile devices to their personal vehicles.

In this age of car connectivity, auto manufacturers are working on developing more secure systems to protect the data collected by cars. Until those systems are a reality, however, you need to be aware of the potential data security risks posed by some cars and take whatever steps you can to help reduce that risk.

For more information, contact the author at MGomsak@fisherphillips.com or 502.561.3972. This article originally appeared on the Fisher Phillips’ Employment Privacy Blog.

Russian Hackers and Spanish Spyware Apps: The latest in FIFA 2018 Cybersecurity News
https://pre.hospitalitylawyer.com/russian-hackers-and-spanish-spyware-apps-the-latest-in-fifa-2018-cybersecurity-news/
Thu, 21 Jun 2018 16:00:38 +0000

June 13: FIFA fans beware: If you attend the World Cup, and plan to take any form of computer or device with you, you are likely to be hacked. In fact, 72% of cybersecurity professionals anticipate an attack during the World Cup, which takes place in Russia over the next month.

William Evanina, Director of the National Counterintelligence and Security Center, issued a statement to Reuters earlier today, stating that no attendee, whether there in an official or spectator capacity, is too insignificant a target. Evanina further advises attendees that if they absolutely must take a device, to take one that is not their usual device (i.e., a “burner” device) and to remove the battery when not in use. British officials are issuing the same warnings to their own attendees and players.

If you’re planning on taking a mobile phone, laptop, PDA or other electronic device with you — make no mistake — any data on those devices (especially your personally identifiable information) may be accessed by the Russian government or cyber criminals.

William Evanina, Director, National Counterintelligence and Security Center

In related news, the official streaming app for Spain’s La Liga soccer division has admitted to spying on its users. According to Spanish newspaper El Diario, the app maker claims the app, which has over 10 million downloads in the Google Play store, enables the microphone to be turned on when a user enters a bar, in an effort to discover if the venue is illegally streaming a match.

La Liga is claiming the issue only affected users in Spain, and only those who opted in to allowing the app to access their device’s microphone and gather GPS data. However, this opt-in was tied to the app’s privacy policy and was enabled when users accepted the terms and conditions for using the app (who really reads the small print, right?). La Liga justified its actions by claiming the illegal streams have cost the league over 150 million Euros, and claims it only gathers statistical, not personal, data. Under the newly implemented GDPR, however, these sorts of practices are now illegal.

Special Note: As the World Cup continues, The Rysk Group will update their original post with any relevant information on cybersecurity incidents and news.

New Wave of ADA Website Lawsuits
https://pre.hospitalitylawyer.com/new-wave-of-ada-website-lawsuits/
Tue, 05 Jun 2018 16:00:46 +0000

Recently, there have been a slew of lawsuits filed across the country alleging that owners and operators of hotels and other places of lodging are using websites that violate the Americans with Disabilities Act (“ADA”). These lawsuits are different from the wave of lawsuits and demand letters sent to so many hotels and other places of public accommodation over the last few years alleging that those companies failed to make their websites accessible for users with visual, hearing and physical impairments by not adhering to the Web Content Accessibility Guidelines (WCAG). (For more information about the WCAG issue, check out our prior posts on that issue here and here.)

ADA regulations require hotels to make reasonable modifications in their policies and practices when necessary to afford goods, services, facilities, privileges, advantages, or accommodations to individuals with disabilities. Because the purpose of a hotel’s website is, in large part, to allow members of the public to review information pertaining to the goods and services available at the hotel and then reserve appropriate guest accommodations, such websites have been found to be subject to the requirements of ADA regulations. According to these regulations, a hotel must identify and describe accessible features in the facilities and guest rooms offered through its reservations service in enough detail to reasonably permit individuals with disabilities to assess independently whether a given facility or guest room meets his or her accessibility needs. Thus, rather than alleging that the website itself is inaccessible to users with disabilities, these “new” website accessibility lawsuits claim that a hotel’s website violates the ADA by failing to sufficiently identify and describe the physical “brick and mortar” accessibility features of the hotel.

The promulgation of these regulations has made it easier than ever for plaintiffs to file lawsuits against hotels. Previously, even a “drive by” plaintiff had to physically go to a hotel, experience some sort of an ADA violation, and then allege an intent to return to the hotel in order to establish the standing necessary to bring a lawsuit. Now, however, plaintiffs can sue multiple hotels on the same day from the comfort of their own home. They can file these types of lawsuits simply by claiming that they WANTED to visit a specific hotel (or multiple hotels), but were deterred from doing so and/or from making a reservation because the hotel’s website failed to provide enough information for them to determine whether the accessibility features of the hotel meet their needs. Thus, a plaintiff can assert a claim against your hotel without ever visiting, without ever making a reservation, and without contacting you first to notify you of the alleged deficiencies on your website.

The number of these lawsuits is increasing exponentially, with several plaintiffs (represented by the same few plaintiff law firms) filing dozens of these suits each and every day. Accordingly, if your hotel does not already provide a plethora of accessibility-related information regarding your property, it is imperative that you make changes to your website as soon as practicable. In particular, you should provide plenty of information about both the common areas of the hotel and the accessible guestrooms.

At a minimum, you should include information regarding the accessibility of the primary features of your hotel — that is, your parking, main entrance, public restrooms, pool lift, restaurants and bars, fitness centers, and business centers. You should also provide information regarding whether there are accessible routes to these highly utilized common areas. It is of course equally important that these areas are actually compliant with the ADA, as providing false, inaccurate, or misleading information could result in liability as well.

Additionally, you need to provide as much accessibility-related information as possible regarding the specific room that will be booked. This includes the bed type (double double, queen, king, etc.), number of beds, type of bathroom and shower (roll-in shower, transfer shower, bathtub with accessible bench, etc.), and whether any visual alarms exist.

Given the dearth of case law in this relatively new and complex area of the law, it is still a bit of a guessing game as to how much information is “sufficient” under the law. And, although ADA compliance is imperative, you also want to strike a balance between the amount of ADA-related information you are providing and the various logistical and aesthetic constraints your website may face, so that you do not overwhelm the reader. Just keep in mind that, at the end of the day, providing as much accessibility-related information as possible on your website will significantly increase your compliance with the ADA and, as a result, will also decrease the chances that you will be hit with the type of “website drive by” lawsuit that so many hotels are now being forced to defend against.
