Cyber Security – HospitalityLawyer.com

Hospitality Cyber Threats Are Alive & Well – Lessons From Recent Incidents
https://pre.hospitalitylawyer.com/hospitality-cyber-threats-are-alive-well-lessons-from-recent-incidents/
Tue, 16 Jul 2019

The data incident involving the Starwood guest database was one of the most significant data security incidents in recent years. Publicly announced on November 30, 2018, the details revealed in the days and weeks following the announcement contain some striking reminders and new lessons for the hospitality industry. Here are some of the key facts of the incident:

  • Marriott acquired Starwood in September of 2016, but Marriott continued to operate Starwood’s guest database separately from Marriott’s until a few weeks after the breach incident was announced.
  • The unauthorized intrusion into Starwood’s database occurred in 2014, but it was discovered neither by Starwood nor by Marriott during the course of its acquisition of Starwood.
  • The guest information compromised in the incident included name, address, phone number, email address, passport number, preferred guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preference, and in some instances, payment card numbers and expiration dates. Marriott’s forensic assessment provider ultimately reported that 383 million records were affected.

These facts underscore several crucial considerations for hotel companies regarding how guest data is collected, secured and retained. Some of these considerations aren’t ones that our industry normally associates with data security concerns. Here are some of the key takeaways:

  1. Data Security/Privacy is a Critical Due Diligence Consideration. In any merger or acquisition there are due diligence checklist items for the surviving entity. In the case of the Marriott/Starwood transaction the security breach of Starwood’s database was not discovered prior to closing, but had it been, the implications for the deal could have been extremely significant. At the very least, action could have been taken to remediate the compromise at that time. In this day and age, cyber due diligence should be part of any merger or acquisition.
  2. Retention of Large Amounts of Personal Information Carries Risk. Personal data is valuable for many reasons, but that value has to be balanced against the risk that accumulated caches of personal data become rich targets for data thieves. For example, there were over 5 million unique unencrypted passport numbers and more than 20 million encrypted passport numbers that were compromised over the course of the Starwood data incident. The value to Starwood and Marriott of retaining that passport information is unclear, but the liability of replacing more than 25 million passports is enormous.
  3. With GDPR and CCPA, the Definition of Protected Data Has Expanded. Before the effective date of the General Data Protection Regulation (GDPR) in May of 2018, most of the data involved in the Starwood incident would not have enjoyed any special protection. Under U.S. state law in most jurisdictions, even today, a person’s name, address, phone number, and email address are not considered Personally Identifiable Information or “PII.” However, GDPR and the new California Consumer Privacy Act (CCPA) (effective January 1, 2020) have greatly expanded the scope of protected personal data to include virtually any item of information that can be used to identify an individual. A name, address, phone number or e-mail address are indisputably “personal data” under the GDPR.
  4. Guest Reservation Systems Are Vulnerable On Both Ends. In branded hotels, franchise agreements always require that the hotels utilize the brand’s reservation and management system, including brand-mandated hardware, software, portals and connections. This arrangement gives data thieves multiple targets from which to select when seeking to steal guest information. The Wyndham data incident of 2008/2010 was the first notable attack on a brand’s central guest information database. While most hotel guest information data incidents in the past decade have occurred at individual hotels or discrete groups of properties, the Starwood incident proves that a brand’s guest information database is still vulnerable.

2018 also saw a rash of low-tech social engineering attacks against individual hotels, and this type of attack has continued into 2019. Criminals commence these attacks by posing as brand systems support personnel and making phone calls to hotel employees. The employees are asked to provide their login credentials for the reservation management system.

Cybercriminal: Hello, I’m calling from [brand] system support. We’re having difficulty with the reservation process on your end, and we need to check it. Can you please log in for me?
Employee: Sure. [Logs in]
Cybercriminal: We’re still having an issue. Can you please give me your username and password so I can try it on our end?
Employee: No problem. My username is … and my password is …

Using the stolen credentials, the criminal remotely accesses the reservation management system and retrieves information about recent guest bookings, including guest names, addresses, phone numbers, reservation dates, and partial payment card information. Although the systems typically show only a partial credit card number, in some cases the criminals are able to unmask the obscured digits.

The criminal then calls guests with future reservations:

Cybercriminal: Hello, I’m calling from [hotel name] regarding your reservation from [check-in date] to [check-out date]. We’re having a problem processing your credit card. The last four numbers are [XXXX]. Could you please provide me with your full credit card information, including security code, so we can get that taken care of?

Because the criminal has accurate information about the reservation, the guest is more likely to fall for the scam. Once the guest has supplied the card information, the criminal quickly racks up fraudulent charges. Fortunately, most guests don’t trust these calls, but they are bad for the reputation of the hotel and brand. Depending on what information is exposed, the unauthorized access to the reservation management system may legally be considered a data breach that requires notification to affected individuals and regulators.

To help protect your organization from these types of social engineering attacks:

  • Change employee passwords at frequent intervals.
  • Alert employees to this type of attack and train them in how to respond.
  • If possible, implement multi-factor authentication for any access to the reservation management system.
  • Audit which employees have access to the reservation management system and disable access for employees who have no business need for it, including employees who have been terminated or who have changed roles.
  • Protect partial payment card information so obscured numbers can’t be unmasked.

This article is part of our Conference Materials Library and has a PowerPoint counterpart that can be accessed in the Resource Library.

HospitalityLawyer.com® provides numerous resources to all sponsors and attendees of The Hospitality Law Conference: Series 2.0 (Houston and Washington D.C.). If you have attended one of our conferences in the last 12 months you can access our Travel Risk Library, Conference Materials Library, ADA Risk Library, Electronic Journal, Rooms Chronicle and more, by creating an account. Our libraries are filled with white papers and presentations by industry leaders, hotel and restaurant experts, and hotel and restaurant lawyers. Click here to create an account or, if you already have an account, click here to login.

Preventing Cybercrime
https://pre.hospitalitylawyer.com/preventing-cybercrime/
Sat, 22 Jun 2019

HOW TO RESPOND TO COMPUTER POP-UPS

In addition to being annoying, computer pop-ups or notifications are often the first step a cyber-criminal uses to victimize unsuspecting users. Be cautious of any notification or pop-up message. Examples include emails that say you have to download something in order to see a greeting card, or a message that says your computer is infected. Don’t click on anything in these pop-ups, including the “x” inside the pop-up itself. The safest way to dismiss a pop-up is to hold down the three keys “CTRL+ALT+DEL” on a Windows computer, or “CMD+Option+Escape” on a Mac, and close the offending program from there. Then run your antivirus software to see if there is any malware on your computer that caused the pop-up.

HOW TO RESPOND TO FAKE EMAIL MESSAGES

Be careful where you click. Don’t click on links or attachments in e-mails from an unknown sender, a suspicious sender, or emails that don’t make sense. Remember that a friend’s email account can become compromised and that attackers can “spoof” an email address so a message appears to come from anyone they choose. Remember: don’t react emotionally to an email. Pause and think before clicking. Hackers count on this emotional response to overcome logic and force us into making bad cyber-decisions.

RANSOMWARE

Ransomware is a form of malware that restricts access to data by encrypting files or locking computer screens. The criminal behind the ransomware infection then attempts to extort money from the victim by demanding a “ransom,” usually in the form of cryptocurrencies like Bitcoin or in the form of gift cards from sources like iTunes, in which case the cyber-criminal asks the victim to scratch off the back of the gift card and email the card codes in exchange for access to the data.

How it begins.

In a ransomware attack, victims open an email addressed to them and may click on an attachment that appears legitimate, like an invoice or notification of a missed delivery. If the victim clicks on a link in that email, it may cause malicious ransomware code to install on their computer.

What happens next.

Once the infection is present, the malware begins encrypting files on a victim’s computer. Users are generally not aware they have been infected until they can no longer access their files or until they begin to see computer messages advising them of the attack and the demand for a ransom payment in exchange for the decryption key.

How to stay safe.

Be careful where you click. Always back up the content on your computer. If you are infected by ransomware, you can have your system wiped clean and then restore your files from your backup. Because ransomware can encrypt every drive connected to the infected machine, disconnect the backup drive when not in use or use cloud backup.

The bad guys are getting creative with hybrid gift card / CEO Fraud scams. There is a campaign underway in which they impersonate an executive and urgently ask for gift cards to be bought for customers. After the cards are physically bought at stores, the card numbers are to be emailed or texted to the “boss.” Never comply with requests like that, and always confirm using a live phone call to make sure this is not a scam. Sometimes it’s OK to say “no” to the boss!


About KPM Law
Kalbaugh Pfund & Messersmith, PC is a top-rated civil litigation firm with four locations serving the mid-Atlantic since 1990. As a progressive civil litigation firm with more than 25 years of dynamic multi-jurisdictional practice, Kalbaugh, Pfund & Messersmith, top-rated by Martindale-Hubbell, is recognized as experienced, client-centered, value-driven, and outcome-oriented. Having focused the practice on legal matters that speak to the collective strength and experience of their dynamic team of attorneys, KPM provides unparalleled acuity in their field while employing strategies that increase efficiencies, enhance outcomes, and benefit their clients both legally and financially. With four strategically located offices, KPM practices in the states of Virginia, Maryland, West Virginia, North Carolina, and the District of Washington, representing a variety of insurance carriers, international corporations, national and regional companies, self-insured businesses, and individuals — clients who rely on KPM’s experienced professionals, progressive philosophies and proven track record to meet their litigation needs in the mid-Atlantic area.

No One Likes Surprises – Corporate Counsel Lessons Learned by Clients
https://pre.hospitalitylawyer.com/no-one-likes-surprises-corporate-counsel-lessons-learned-by-clients/
Sat, 08 Jun 2019

I. Introduction

I often think of the words first spoken by the Fram Oil mechanic in a television commercial many years ago: “you can pay me now or you can pay me later.” The wisdom of this statement has been proven time and time again. Its application in the legal services context is no exception, as avoiding the use of legal counsel on the front end will in many instances only result in greater expense on the back end. In our everyday lives, we invest in our health and the proper repair and maintenance of our homes and cars because we know that the consequence of failing to do so will be far worse in the long run. It begs the question, therefore, why business owners do not always operate their companies the same way. This lesson was unfortunately learned the hard way by some of my clients.

While serving as outside general counsel for various companies, I have seen firsthand how common, simple mistakes, which could easily have been prevented by involving legal counsel initially, cost much more to remedy on the back end. As the growth of information technology continues to drive our world and compliance standards and regulations continue to increase, it is now more important than ever to be proactive and consistently involve legal counsel when making decisions. This “best practice” is the best way to minimize exposure and ensure compliance before it costs you, as shown by the three simple examples discussed below.

II. Affordable Care Act Compliance – Did You Check The Right Box?

It is widely known that if your company has more than fifty employees, the Affordable Care Act (ACA) requires that you offer health insurance to all employees who work more than thirty hours per week. What you may not know is that the employees of separate but related entities all count towards the “fifty employees” determination. I have seen this fact overlooked, which results in the failure to provide the required insurance and consequently exorbitant per-employee fines. Additionally, not just any insurance plan will do — your insurance plan must provide minimum essential coverage and meet the definitions of minimum value and affordability. Each of these components, as defined by the ACA, must be considered when making decisions regarding the type of employee health insurance plan to offer. If you fail to offer a plan with each of the three components, the IRS will come knocking and you should expect to bring your checkbook. However, your company may be prepared for the knock on the door if it has intentionally chosen to offer employees an insurance plan with only minimum essential coverage, even if the insurance plan fails to provide minimum value and affordability. This is a popular business decision by companies who have learned that the fines associated with offering a plan that only provides “minimum essential coverage” are often less expensive than the out-of-pocket costs to provide employees a fully compliant plan.

Additionally, even if you can breathe a sigh of relief knowing your insurance plan meets the three criteria, or your company has chosen to intentionally provide a plan with only minimum essential coverage, you must accurately report it to the IRS on your and forms. A mistake as small as checking the wrong box on an IRS form can be very costly. For example, the initial fine one of my clients received was $1,600,000 before the error in completing the forms was discovered and remedied. Thus, when new regulations such as the ACA are passed, I strongly encourage you to consult with legal counsel who can answer the necessary questions and provide the required guidance, as relying on an insurance broker’s representations alone has proven not to be sufficient. I have seen brokers confuse different legal criteria more than once, requiring legal counsel to remedy the situation at a later date. These are risks too expensive to take, as they can be easily avoided.

III. Data Privacy & Cyber Liability Coverage – What Does Your Plan Cover?

It should come as no surprise that data privacy is one of the biggest areas of liability risk and monetary exposure facing companies today. As more of today’s world becomes technology driven, this risk and exposure will only continue to increase. Traditional contracts, SaaS contracts and cyber liability insurance policies now often contain new types of provisions and potential risks related to data privacy which can be explained to you by legal counsel who will seek to minimize these risks. In nearly all contexts, the burden is on you to ensure your company and your clients’ electronic information is protected. You must be aware of the risks and benefits involved in every transaction.

The good news is that due diligence and awareness today will go a long way towards saving your company money and distress in the long run, as well as protecting vulnerable client relationships. For example, one of my clients learned the hard way that its cyber liability insurance policy only covered claims by clients and their customers, without coverage for regulatory investigations. Thus, when it faced extensive investigations, potential litigation and severe penalties from the Federal Trade Commission and state governments due to a relatively small data breach that caused no actual damages to its clients, it was forced to defend itself solely using its own financial resources. You should therefore consult data privacy counsel to ensure compliance with data privacy laws, and insurance coverage counsel to review your cyber liability insurance coverage.

Additionally, you should retain information technology professionals to conduct appropriate vulnerability testing to ensure the safety of your electronically stored information regardless of the size of your company. While taking these additional steps proactively will result in what may seem like an unnecessary expense at the time, based on your risk assessment, these steps are actually safeguards no company can afford to ignore today due to the potential consequences of one data breach.

IV. Corporate Governance – A House Is Only As Good As Its Foundation

Unless you are a sole proprietorship, your company is required to maintain proper corporate governance. You may not think corporate governance is important and neglect it like many companies because it is certainly not exciting, but it is the foundation that may very well protect your company when necessary, as well as save the company time, energy, resources and money in the long run. Just like no couple ever marries intending to be later divorced, most companies do not form intending to be sold or preparing to face a lawsuit, whether it may be with another company, a customer, your own employee or even co-owners. However, these things happen all the time. It may have already happened to your company.

In my experience, over half of all companies fail to maintain proper corporate governance. The result is that in the event the company sells or seeks to determine which of its entities own certain assets, it will have to quickly recreate missing corporate governance at a very steep cost. For example, if proper documentation of board of director decisions and related matters has not been memorialized along the way, it will have to be recreated on the back end — a far more time-consuming and expensive task than addressing governance on a routine basis. Further, although it is difficult to “pierce the corporate veil” today and hold individual owners liable for the company’s liabilities, this is still always a potential threat when internal corporate governance is not followed and maintained.

V. Conclusion

Although the Fram Oil mechanic did not also say we should learn from each other’s mistakes, this premise is a logical extension of the “pay me now or pay me later” principle. In providing the examples above, I want to emphasize the importance of proactive decision making because no one should wait until their company is faced with uncertainty or decisions with potentially expensive and negative repercussions to consult with legal counsel. Ensuring correct decisions and necessary actions occur at the front end by engaging legal counsel may save you a great deal of time and expense in the long run. You can pay me now or you can pay me later after all.



Authors

Craig Harris – Shareholder, Dallas office
charris@munsch.com
214.855.7590

Craig is a trial lawyer with 30 years of experience serving the needs of established companies, growing businesses and entrepreneurs in commercial, restaurant, employment, intellectual property and oil and gas litigation and other general business matters.

Craig has a reputation for aggressively and successfully representing the interests of his clients. He has extensive trial experience in both state and federal courts, having handled hundreds of commercial and employment litigation matters, including business disputes, contracts, minority shareholder issues, partnership matters, non-compete agreements, employment discrimination, sexual harassment, wage and hour claims, employment contracts, as well as restaurant-related cases and intellectual property and oil and gas litigation. In many instances, Craig also serves as outside General Counsel to many of his clients.

Craig’s level of commitment and service to his clients is one of the primary reasons clients turn to him again and again when they need legal representation. Craig has become adept at applying his insights to his clients’ businesses and industry sectors to the specific case at hand, and each matter is handled according to his clients’ business goals to achieve their objectives.

Natalie Sears – Associate, Dallas office
nsears@munsch.com
214.855.7512

Natalie’s practice focuses on a wide range of complex commercial litigation matters, including labor and employment and construction litigation.

Prior to joining Munsch Hardt, Natalie served as an Associate for a commercial law firm based in Dallas, Texas, where she handled drafting documents used in all phases of commercial litigation, including original petitions, written discovery requests and responses, motions for summary judgment and non-dispositive pre-trial motions.

Natalie also has extensive experience in intellectual property litigation. She has represented clients in preparing applications to register trademarks and copyrights with the United States Patent and Trademark Office, prosecuting against parties seeking registration of similar marks and defending against oppositions filed with the Trademark Trial and Appeal Board.

U.S. Companies Still Grappling With GDPR
https://pre.hospitalitylawyer.com/u-s-companies-still-grappling-with-gdpr/
Tue, 02 Oct 2018

Several months after the European Union’s (EU’s) new sweeping privacy law known as the General Data Protection Regulation (GDPR) went into effect on May 25, 2018, U.S. companies are still struggling to understand the implications for their businesses. This article highlights some of the key threshold issues that companies should consider in analyzing the potential impact the GDPR may have on their operations, including restrictions on the collection and use of personal information of EU residents.

What Is the GDPR?
The GDPR (or Regulation) is perhaps the most comprehensive privacy law of its kind in the world, emphasizing the growing social, political and legal concerns about the potential misuse and abuse of individuals’ personal data. This is no surprise given the rapid advances in technology and the impact of the new economic reality of “big data” and data analytics on consumer information.

The GDPR has set a new precedent for the high stakes of protecting individuals’ privacy, which is being watched closely and even shaping the privacy laws in other countries. The GDPR replaced the Data Protection Directive of 1995 and sets stricter standards for companies that collect or process data on citizens and residents of EU member countries. While considered a milestone achievement for individuals’ data protection laws, the GDPR presents complex challenges for companies that must now take steps to become GDPR compliant or run the risk of being subject to audits, lawsuits and/or stiff financial penalties.

Which Organizations Are Subject to the GDPR?
There is a big misconception in the U.S. business community that the GDPR only applies to EU companies. The new Regulation expands the territorial reach of the GDPR to include companies established outside the EU. This means that a company that has no offices, staff or even customers in any EU country may nonetheless need to comply with the GDPR if it processes and stores personal data on EU residents in any way. In other words, U.S. companies may be subject to the GDPR if they control or process data of EU residents.

The GDPR focuses in particular on the activities of data “controllers” and data “processors.” A data controller is an individual or entity that “determines the purposes and means of processing personal data.” A data processor is any individual or entity that processes (i.e., collects, stores, uses) personal data at the direction of the data controller. A positive response (yes) to one or more of the questions below may signal that an organization is subject to the GDPR.

Does your organization process or store data on EU residents?
The GDPR broadly defines the term “data processing” to include “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction.” In reality, virtually any activity involving personal data of EU subjects may be closely scrutinized and classified as a processing activity within the definition of the Regulation, to the extent it is performed at the request of a data controller.

Does your organization offer goods or services to EU residents?
The GDPR expressly states that the Regulation applies to organizations outside the EU that offer goods or services to data subjects within the EU regardless of whether a fee is charged for such goods or services. Thus, an organization should consider whether it:

  • Offers services in a language or currency of an EU member state
  • Enables EU residents to place orders in such other language
  • References EU customers in its publications.

It is noteworthy that merely having a website that is accessible by EU residents is not conclusive for purposes of determining whether an organization is subject to the GDPR.

Does your organization monitor the behavior of EU residents as that behavior occurs in the EU?
The GDPR also applies to non-EU organizations that monitor the behavior and activities of EU residents within the EU. This includes tracking EU residents on the internet to create profiles or to analyze or predict individual preferences and behavior.

What Is Protected Personal Data Under the GDPR?
The GDPR protects “personal data,” which is broadly defined in Article 4(1) to encompass:

“…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier…”

The definition provides a broad range of identifiers, including “a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” For example, personal data may include a photo, racial or ethnic data, an email address, bank details, posts on social networking websites, political opinions, health and genetic information, a computer IP address and so on.

The GDPR also refers to sensitive personal data as “special categories of personal data,” which include genetic data and biometric data, where processed to uniquely identify an individual, and data concerning health. Processing of such data is prohibited unless the data subject gives explicit consent. Otherwise, there are very few exceptions in which processing of such special categories of personal data is permitted (e.g., if it is necessary to defend or enforce a legal claim).

When a data controller collects personal data, whether directly from the individual or from a third party, the controller must provide the data subject with information about its processing activities, including:

  • Contact information for the controller and Data Protection Officer, if applicable
  • Purpose of the collection and processing of personal data
  • Intended recipients of the personal data, if any
  • Whether personal data will be transferred outside the EU
  • Time period for which the personal data will be stored
  • Individuals’ right to request access to, correction or erasure of their personal data
  • Individuals’ right to file a complaint with an EU privacy regulator (Supervisory Authority) with respect to the collection or use of their personal data.

What Are Consent Requirements for Processing Personal Data?
Consent remains one of six lawful bases to process personal data, as listed in Article 6 of the GDPR. However, the requirements for validly obtaining consent have been tightened to place a higher burden on data controllers. Article 7 sets out what is meant by consent, and the UK’s Information Commissioner’s Office (ICO) has published detailed guidance on consent under the GDPR. In brief, consent must be “freely given, specific, informed and unambiguous.” Organizations should review how they seek, record and manage consent, and whether they need to make any changes to their policies and procedures. In evaluating compliance with the GDPR’s expanded consent requirements, organizations should note the following characteristics:

  • Active Opt-in: There must be “clear affirmative action”; consent cannot be inferred from silence, pre-ticked boxes or inactivity.
  • Unbundled: Consent requests must be separate from other terms and conditions and should not be a precondition of signing up to a service unless necessary for that service.
  • Granular: Granular options to consent separately to different types of processing should be given wherever appropriate.
  • Named: Name your organization and any third parties that will be relying on consent; even precisely defined categories of third-party organizations will not be acceptable under the GDPR.
  • Verifiable: Keep records to demonstrate what the individual has consented to, including what they were told and when and how they consented.
  • Easy to Withdraw: There must be simple ways for people to withdraw consent – tell people about their right to withdraw and offer them easy ways to withdraw consent at any time.
  • No Imbalance in the Relationship: Consent is not “freely given” if there is imbalance in the relationship between the individual and the data controller.

What Rights Do Individuals Have to Protect Personal Data?
One of the key premises of the GDPR is to expand the rights of individuals to protect their personal data. This includes an individual’s right to access, rectify and/or seek erasure of their personal data.

Right to Access
Individuals have the right to access their personal data and request the following information from a data controller:

  • Copy of their personal data
  • Purpose of processing the personal data
  • Categories of personal data
  • Recipients of the personal data
  • Time period the personal data will be stored
  • Individual’s right to request alteration (rectification), erasure and/or restrictions on processing their personal data
  • Right to file a complaint with a Supervisory Authority
  • Extent to which decisions about the individual are made based on automated processing or profiling of personal data
  • Appropriate safeguards for transfers of personal data outside the EU.

Right to Rectification
An individual has the right to request the data controller to correct their personal data without undue delay.

Right to Be Forgotten
The GDPR recognizes an individual’s so-called “right to be forgotten,” subject to limited exceptions. In other words, an individual has the right to request the data controller to erase their personal data without undue delay in certain circumstances, including the following:

  • Personal data is no longer required for processing
  • Individual withdraws consent to the processing of their personal data
  • Individual objects to the processing of their personal data
  • Personal data has been unlawfully processed.

What Are the Record-Keeping Requirements Under the GDPR?
Data controllers and processors must maintain written documentation of all activities related to the processing of personal data (including documentation of all steps made in order to be GDPR compliant). These records should include the following information:

  • Contact information for the data controller
  • Purpose for processing the personal data
  • Description of the personal data
  • Recipients of the personal data
  • Safeguards to protect personal data transferred outside the EU
  • Anticipated time frame for erasing personal data
  • Technical safeguards employed to protect personal data.

These records of processing activities must be made available to a Supervisory Authority on request. The GDPR exempts organizations with fewer than 250 employees from the record-keeping requirement, but only where the processing is occasional, is unlikely to result in a risk to data subjects, and does not involve special categories of data or criminal conviction data. Because a hotel or restaurant processes guest data as a matter of routine rather than occasionally, the exemption will often be unavailable in practice.

What Security Measures Are Required to Safeguard Personal Data?
The GDPR does not dictate specific technical security measures that data controllers or processors must implement to safeguard personal data. Instead, Article 32 requires them to implement technical and organizational measures appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing. The size of the organization and the nature and scope of its processing activities are therefore key factors. Measures the Regulation itself names include the pseudonymization of personal data (replacing direct identifiers with tokens so that the data can no longer be attributed to a specific individual without additional information, such as a key, that is kept separately; pseudonymized data remains personal data); encryption of personal data; the ability to restore availability of and access to personal data in a timely manner after an incident, which presupposes tested backups; a process for regularly testing, assessing and evaluating the effectiveness of the measures, such as periodic security audits; and adherence to an approved code of conduct or certification mechanism.
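As an added illustration of the distinction drawn above (this is example code written for this page, not part of the original article or of any regulator’s guidance), the following Python contrasts a plain hash of a guest e-mail address, which anyone can reverse by recomputing it over a list of candidate addresses, with a keyed HMAC token whose key is the “additional information” held separately. The guest records and e-mail addresses are constructed sample data; the key would in practice come from a key-management system rather than live beside the pseudonymized data set.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, List, Optional

# Constructed sample guest records for the example (not real data).
GUESTS = [
    {"email": "alice@example.com", "room": 412, "nights": 3},
    {"email": "bob@example.com", "room": 207, "nights": 1},
    {"email": "alice@example.com", "room": 118, "nights": 2},  # repeat guest
]


def pseudonymize_unkeyed(email: str) -> str:
    """Plain SHA-256 of the identifier. Deterministic, but anyone who can
    guess candidate e-mail addresses can recompute and match the token, so
    this is NOT adequate pseudonymization for low-entropy identifiers."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def pseudonymize_keyed(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. The key is the 'additional information'
    that GDPR Art. 4(5) requires to be kept separately: without it the token
    cannot be recomputed from a guessed identifier."""
    return hmac.new(key, email.strip().lower().encode("utf-8"),
                    hashlib.sha256).hexdigest()


def pseudonymize_dataset(records: Iterable[dict], key: bytes) -> List[dict]:
    """Replace the direct identifier with a keyed token. Because the token is
    deterministic, repeat guests still link together inside the data set
    (which is what distinguishes pseudonymization from anonymization)."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k != "email"}
        row["guest_id"] = pseudonymize_keyed(r["email"], key)
        out.append(row)
    return out


def dictionary_reidentify(token: str, candidates: Iterable[str],
                          tokenizer: Callable[[str], str]) -> Optional[str]:
    """Attacker's (or key-holder's) view: recompute the token for each
    candidate identifier and report the first match, or None."""
    for c in candidates:
        if hmac.compare_digest(tokenizer(c), token):
            return c
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: from a KMS/HSM, stored apart from the data
    rows = pseudonymize_dataset(GUESTS, key)
    for row in rows:
        print(row)
    guesses = ["carol@example.com", "alice@example.com"]
    unkeyed = pseudonymize_unkeyed("alice@example.com")
    print("unkeyed token recovered:", dictionary_reidentify(unkeyed, guesses, pseudonymize_unkeyed))
    keyed = rows[0]["guest_id"]
    print("keyed token, no key:    ", dictionary_reidentify(keyed, guesses, pseudonymize_unkeyed))
    print("keyed token, with key:  ",
          dictionary_reidentify(keyed, guesses, lambda e: pseudonymize_keyed(e, key)))
```

The unkeyed token is recovered immediately from a two-entry guess list; the keyed token is recovered only by whoever holds the key, which is why the key, not the token, is what must be protected and why the pseudonymized rows still count as personal data.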

What Is a Data Protection Officer?
The GDPR requires data controllers and processors to appoint a Data Protection Officer (DPO) when an organization’s “core activities” consist of processing personal data on a “large scale.” Germany qualifies this requirement to include instances where there is a minimum of 10 people processing personal data automatically. An organization may designate an employee or hire a third party to serve as a DPO, based on their expert knowledge of data protection laws and regulations. A DPO is responsible for monitoring an organization’s compliance with the GDPR, training employees and staff, oversight of any data protection impact assessments, cooperating with the Supervisory Authority, and acting as the liaison between the organization and the Supervisory Authority. In addition, the DPO may be responsible for responding to inquiries by individuals concerning their personal data.

Is an Organization Required to Report a Data Breach?
The GDPR introduces additional mandatory data breach reporting requirements. A data controller must report security breaches to the relevant Supervisory Authority “without undue delay, and where feasible, not later than 72 hours” after it first becomes aware of the incident. If the notification is made after 72 hours, a reasonable justification for the delay must be provided. The breach only needs to be reported if it is likely “to result in a risk for the rights and freedoms” of data subjects – if, for example, the breach could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage.

A data controller also must notify individuals of a security breach “without undue delay” where the breach “is likely to result in a high risk” to the rights and freedoms of data subjects. However, notification to individuals is not required if (1) the organization has implemented appropriate security measures that render the data unintelligible to any unauthorized person (e.g., encryption, provided the keys were not also compromised); (2) the organization has taken subsequent measures to ensure that a high risk to data subjects does not materialize (e.g., remediation); or (3) it would involve a disproportionate effort, in which case a public communication will suffice (e.g., a media notice or publication on the organization’s website).

The contents of the breach notification communication should include the following information where available in “clear and plain” language:

  • Nature of the incident
  • Type of personal data
  • Number of affected persons
  • Number of personal data records
  • Contact information for the DPO
  • Likely consequences of the data breach
  • Steps taken by the organization to contain and mitigate the exposure.

Notably, the breach notification requirements set forth above apply to data “controllers.” However, in the event of a breach experienced by a data “processor,” the processor is required to notify the controller “without undue delay.”

Are There Any Repercussions for Failure to Comply with the GDPR?
The most serious infringement of the GDPR can result in administrative fines by a Supervisory Authority of up to €20 million or 4 percent of the offending company’s global annual revenue, whichever is higher. For lesser noncompliance offenses, company audits and a tiered fine structure may be imposed.

Under the GDPR, data controllers and processors also may be subject to liability and damages for legal proceedings commenced by a data subject in a court of law or a complaint lodged with a Supervisory Authority. Such complaints may be filed in the jurisdiction where the data subject resides or works, or the location of the alleged infringement of the Regulation concerning the processing of the individual’s personal data. Data controllers and processors may have joint liability for compensatory damages awarded to an individual to ensure they are made whole.

The GDPR also grants Supervisory Authorities the following powers to:

  • Conduct investigations of data controllers and processors
  • Perform data protection audits
  • Issue warnings or reprimands
  • Order an organization to comply with a data subject’s request regarding personal data (including rectification, erasure and restrictions on processing)
  • Require an organization to bring its processing activities into compliance with the GDPR
  • Order an organization to notify individuals of a data breach
  • Order the suspension of data flows.

Summary
In summary, U.S. companies are well advised to consider their compliance obligations, if any, under the GDPR. The extraterritorial reach of the EU’s new privacy Regulation means that non-EU companies may be subject to the law. A critical factor in evaluating the potential application of the GDPR to U.S. companies is whether a company collects, stores, transfers or otherwise processes personal data of EU residents. If so, the company may be required to establish a lawful basis for that processing, such as the individual’s express consent, in addition to maintaining internal records of the company’s personal data processing activities. Moreover, companies may have a mere 72 hours to notify EU regulatory authorities of a data breach involving the personal data of EU residents. Failure to comply with the GDPR’s extensive requirements may result in regulatory investigations, legal proceedings, compensatory damages, injunction orders or hefty administrative fines.

The Unique Challenges of Data Security in the Hospitality Industry https://pre.hospitalitylawyer.com/the-unique-challenges-of-data-security-in-the-hospitality-industry/?utm_source=rss&utm_medium=rss&utm_campaign=the-unique-challenges-of-data-security-in-the-hospitality-industry https://pre.hospitalitylawyer.com/the-unique-challenges-of-data-security-in-the-hospitality-industry/#respond Thu, 30 Aug 2018 16:00:28 +0000 http://pre.hospitalitylawyer.com/?p=14626 The hospitality industry has been in the news frequently over the past year as a result of multiple significant data security incidents. Nationally recognized hotel and resort brands continue to suffer cyber-attacks, including theft of payment card data from their retail and food/beverage outlets and, at times, theft of guest data from reservations and management computer systems; nationally recognized restaurant chains have been subject to similar attacks on their point-of-sale systems. In addition, less sophisticated data incidents regularly occur through theft or loss of mobile devices and paper records. Recent notable breaches in the industry have affected the following companies in multiple locations:

[Image: list of restaurant and hotel companies that have experienced data breaches]

Why is the hospitality industry such a frequent target? What makes this industry uniquely vulnerable to information threats? This article will examine those questions and suggest certain measures that hotel and restaurant companies can employ to try to mitigate the risks to information that they own or possess.

Multiple Parties Are Involved In The Equation

Hotel companies and many restaurant companies face unusual problems when it comes to cyber security and vulnerability to data theft/loss due to traditional ownership/management/franchise structures as well as the way hotels and restaurants tend to operate.

For branded hotels (and many branded restaurants) there are typically at least three parties involved in a functioning hotel business: the franchisor or “brand,” the owner (or owners’ group) and the operator, a/k/a the management company. Each of those entities plays a particular role in the function of the hotel as a business, and each may have its own computer systems or stored information:

Franchisor

  • Owns the “flag” of the brand and in exchange for use of its marks and marketing services, can impose its own standards for hotel features, including the process for booking rooms;
  • Typically mandates that the owner install a particular hardware/software suite to handle the reservations functions;
  • Maintains ownership and control of that system through contractual means; and
  • Typically claims ownership of guest data that is input into the reservations system by hotel employees or others.

Owner

  • Typically not the brand; could be individuals, investor groups or major asset holding companies, including investment funds, insurance companies, banks;
  • May have varying degrees of involvement in operational issues that include guest or employee data; and
  • May own separate “point of sale” payment card systems for food/beverage/retail outlets situated within the hotel.

Operator

  • If independent from Owner, will usually have a management agreement with the Owner that establishes an agency relationship with Owner for purposes of all day-to-day hotel operations;
  • Third party operators are usually the formal employers of hotel personnel and maintain all employee data (including Social Security Numbers);
  • May collect guest data prior to inputting same into the reservations and management system owned by the franchisor, if the hotel is branded; and
  • May obtain and maintain payment card information associated with group bookings.

Sometimes the complex relationship between franchisors, owners and operators requires that information be shared, or that separate computer systems be tied to each other. For example, as indicated above, major hotel brands require all of their franchised hotels to utilize the brand’s reservations and management computer system when booking or checking in all guests. Thus, hotel owners and operators are forced to have their own on-site personnel utilize the computer system of another company when transacting business with guests. In addition, hotels, like restaurants and other consumer businesses, often permit interfacing between their own computer systems and those of third party vendors or credit card processors.

All of this means that hotel and restaurant systems are to some extent dependent upon the security measures and practices of other entities which the hotels and restaurants do not control. A classic example of this is the series of Wyndham Worldwide breaches between 2008 and 2010, where hackers were able to penetrate Wyndham’s central reservations database through a hack of a single franchised hotel, and then use the Wyndham system’s connections to dozens of other individual franchised hotels to steal hundreds of thousands of sets of credit card data.

The Hospitality Industry Does Business By Payment Card

Credit and debit card data has long been a preferred target of data thieves, and payment by card is the mainstay of most hotels and restaurants. Hotels and restaurants therefore represent a tantalizing treasure chest of data for cyber criminals to try to crack open.

The Wyndham Worldwide series of data breaches, where the brand’s reservations system was the subject of the attacks, were certainly notorious in the world of hotel data incidents, but statistically most credit card data theft in hotels occurs due to malware affecting point-of-sale (“POS”) systems, rather than the brand reservations systems for guest room bookings. Of the twenty-one most high-profile hotel company data breaches that have occurred since 2010, twenty of them were a result of malware affecting point-of-sale systems in hotel restaurant, bar and retail outlets. This is also true for the recent restaurant data breaches affecting Wendy’s, Arby’s, Landry’s and Noodles & Company, which were all the result of malware affecting point-of-sale systems in several locations.

Cyber criminals, through a variety of methods, are able to infect POS systems with card-data-scraping malware that captures account data at some point during the payment process, typically by reading the card data out of the POS terminal’s memory in the brief window in which it is unencrypted. This malware is often capable of moving between connected systems and may infect groups of hotels and restaurants that are related either by common brand or by a common third-party operator, and it may operate for several months or even years before being detected by the operator.

Some hotel credit card compromises are not high-tech in nature. Many hotels still tend to receive faxed credit card authorization forms for company bookings or group bookings, and often the faxed paper forms, which contain credit card numbers and expiration dates, are kept in a non-secure manner, such as in binders behind the hotel front desk. These paper forms are susceptible to being lost or stolen, and while many state breach notification laws do not expressly cover loss or theft of paper data, a growing number of state laws do. For example, the data breach laws of California, Hawaii and Alaska all protect data in any form, including paper, that contains personally identifying information.

In addition to these “paper” breaches, the hotel industry is also vulnerable to identity thieves targeting guests who may be unfamiliar with the area or the hotel. The thieves use various schemes including calling hotel guests, posing as the front desk, to ask for updated credit card information or leaving fliers for pizza delivery with phone numbers directed to thieves who take down the guest’s credit card information.

Employee Turnover and Fluidity Contribute to Security Problems

In the hospitality world there tends to be a high degree of movement of employees in and out of particular locations. Hotel operators will transfer their skilled employees to other locations where they may be needed. Employees in less skilled positions tend to come and go frequently as well. Hotel or restaurant owners may decide to change third-party operating companies, and the new operator will bring in its own management-level employees to manage the location. Maintaining a consistently trained workforce is a challenge the hotel industry shares with the restaurant industry.

In recent years many information security industry experts have identified a company’s employees as its most vulnerable point from a data security perspective. A fluid workforce means that it is more difficult to train employees in the secure receipt and treatment of personal information, in complying with privacy and security policies, in protecting and changing user access credentials, and in being alert for social engineering attempts. Keeping up with which employees have access to different levels of information is also challenging when there are frequent changes of personnel at particular job levels. Only certain job functions within a hotel setting require access to guest or employee personally identifying information, and hotel companies (as well as companies in other industries) are not always as careful as they should be about controlling access by job grade/description and making sure access is eliminated when an employee moves out of a particular position or is terminated.

How Can Hospitality Companies Better Prepare for and Combat Cyber Threats?

While hospitality companies have unique problems that tend to make them more vulnerable to threats of compromise and theft of personal information, there are ways that these companies can prepare for and mitigate against such risks, and there are lessons to be learned from looking at prior data security incidents. In analyzing recent breaches, it is likely that utilization of the following practices could have mitigated or prevented such incidents.

  • Contractual Risk-Shifting and Secure Handling Requirements: Franchisors, owners and operators, in their dealings with each other and with third parties such as vendors and contractors, can help to control the risks inherent in sharing systems or information with others. Requiring specific cyber incident indemnification, where negotiating leverage permits, is useful to protect hotel companies from the economic consequences of a breach incident caused by or contributed to by another party. In addition, contract provisions requiring compliance with minimum information security standards (e.g., compliance with the Payment Card Industry Data Security Standard, a/k/a “PCI DSS”) or mandating third-party compliance with a hotel company’s own security policies can reduce the risk of cyber incidents.
  • Employee Policy Enforcement and Training: Despite the fluidity of management and staff employees that is attendant to operating a hotel or restaurant, operators can and should consistently update their employee policies on data security and rigorously train employees who have access to data or systems. Where employees do not require access to personal information to perform their job functions, that access should be terminated. Policies concerning use of mobile devices, external information storage devices and internet usage should be enforced. In addition, to protect against identity thieves, employees should be trained on how to advise guests on potential risks and how to identify suspicious behavior and when to report suspected identity theft or data breaches.
  • Guard Guest and Customer Card Data: Considering that POS malware attacks are a very common type of cyber incident affecting hotels and restaurants, operators and owners should take extra care in selecting their POS system vendors and credit card processors. Agreements with those entities should be vetted and, if possible, modified to add protection and minimum data handling standards for the outside vendor. Compliance with PCI-DSS not only helps to ensure that data security software, hardware and practices are safer, but also helps to protect against fines and penalties which may be levied against hotels by the credit card industry for noncompliance with PCI-DSS when a breach occurs.
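The access-control point made above (grant personal-data access only to job functions that need it, and remove it when someone changes position or leaves) can be turned into a routine check rather than a one-time policy. The Python below is an added example written for this page, not code from the article or its authors: it reconciles a constructed HR roster against a constructed list of system accounts and flags leavers whose accounts survive, movers whose new role needs no personal data, orphaned accounts with no HR record (a common leftover when an owner changes operating companies), and dormant accounts. The role names, system names and the 90-day dormancy threshold are assumptions; a property would substitute its own job descriptions and systems.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Tuple

# Job functions assumed to need guest or employee personal data at a property.
# Constructed for the example; a real property would derive this from its own
# job descriptions, as the article recommends.
PII_ROLES = {"front_desk_agent", "reservations_manager", "hr_manager", "general_manager"}

# Assumed review threshold: an account unused this long gets flagged.
DORMANT_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class HrRecord:
    user: str
    role: str
    terminated_on: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Account:
    user: str
    system: str        # e.g. "PMS" (property management system), "POS", "payroll"
    pii_access: bool   # does this account expose guest/employee personal data?
    last_login: date


Finding = Tuple[str, str, str]  # (user, system, reason)


def reconcile(hr: Iterable[HrRecord], accounts: Iterable[Account], today: date) -> List[Finding]:
    """Compare the HR roster against live system accounts and report every
    account that a least-privilege review should remove or downgrade."""
    roster = {r.user: r for r in hr}
    findings: List[Finding] = []
    for a in accounts:
        rec = roster.get(a.user)
        if rec is None:
            findings.append((a.user, a.system, "orphaned: no HR record (former operator's staff or contractor?)"))
        elif rec.terminated_on is not None and rec.terminated_on <= today:
            findings.append((a.user, a.system, f"leaver: terminated {rec.terminated_on} but account still active"))
        elif a.pii_access and rec.role not in PII_ROLES:
            findings.append((a.user, a.system, f"mover: role '{rec.role}' does not require personal-data access"))
        elif today - a.last_login > DORMANT_AFTER:
            findings.append((a.user, a.system, f"dormant: no login since {a.last_login}"))
    return findings


# Constructed sample data (not from any real property).
HR_ROSTER = [
    HrRecord("alice", "front_desk_agent", None),
    HrRecord("bob", "housekeeping", None),                  # transferred out of the front desk
    HrRecord("carol", "reservations_manager", date(2018, 6, 30)),
    HrRecord("erin", "hr_manager", None),
]

ACCOUNTS = [
    Account("alice", "PMS", True, date(2018, 8, 29)),
    Account("bob", "PMS", True, date(2018, 8, 28)),         # still holds guest-data access
    Account("carol", "PMS", True, date(2018, 6, 29)),       # left two months ago
    Account("dave", "POS", True, date(2018, 8, 27)),        # nobody in HR knows who this is
    Account("erin", "payroll", True, date(2018, 3, 1)),     # legitimate role, but unused for months
]

AS_OF = date(2018, 8, 30)


def run_example() -> List[Finding]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(HR_ROSTER, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for user, system, reason in run_example():
        print(f"{user:6} {system:8} {reason}")
```

Run against the sample data it reports four accounts (bob, carol, dave, erin) and leaves alice alone; in practice the HR feed and the account exports would come from the operator’s HR system and from each franchisor-, owner- and operator-controlled system in turn, which is exactly where the multi-party structure described earlier makes the review hard to do by hand.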

Authors

Sandy Brian Garfinkel: Mr. Garfinkel is a member with the law firm of Eckert Seamans Cherin & Mellott, LLC. He maintains a busy and diverse business litigation practice with a particular emphasis in the hospitality industry. As part of his work in the hospitality world he regularly assists hotel management and ownership companies in preparing for and responding to breaches of data security. He is also the founder and chair of the firm’s Data Security & Privacy Practice Group. Mr. Garfinkel can be reached at 412.566.6868 or at sgarfinkel@eckertseamans.com.

Malgorzata “Gosia” Kosturek Ms. Kosturek focuses her practice on hospitality law and general corporate law. She assists clients in numerous types of corporate transactions, including acquisitions, mergers, and financings, primarily in the hospitality industry. She is also a member of the firm’s Data Security & Privacy Practice Group. Ms. Kosturek can be reached at 412.566.6180 or at gkosturek@eckertseamans.com.

Russian Hackers and Spanish Spyware Apps: The latest in FIFA 2018 Cybersecurity News https://pre.hospitalitylawyer.com/russian-hackers-and-spanish-spyware-apps-the-latest-in-fifa-2018-cybersecurity-news/?utm_source=rss&utm_medium=rss&utm_campaign=russian-hackers-and-spanish-spyware-apps-the-latest-in-fifa-2018-cybersecurity-news https://pre.hospitalitylawyer.com/russian-hackers-and-spanish-spyware-apps-the-latest-in-fifa-2018-cybersecurity-news/#respond Thu, 21 Jun 2018 16:00:38 +0000 http://pre.hospitalitylawyer.com/?p=14690 June 13: FIFA fans beware: If you attend the World Cup, and plan to take any form of computer or device with you, you are likely to be hacked. In fact, 72% of cybersecurity professionals anticipate an attack during the World Cup, which takes place in Russia over the next month.

William Evanina, Director of the National Counterintelligence and Security Center, issued a statement to Reuters earlier today, stating that no attendee, whether there in an official or spectator capacity, is too insignificant a target. Evanina further advises attendees that if they absolutely must take a device, they should take one that is not their usual device (i.e., a “burner” device) and remove the battery when it is not in use. British officials are issuing the same warnings to their own attendees and players.

If you’re planning on taking a mobile phone, laptop, PDA or other electronic device with you — make no mistake — any data on those devices (especially your personally identifiable information) may be accessed by the Russian government or cyber criminals.

William Evanina, Director, National Counterintelligence and Security Center

In related news, the official streaming app for Spain’s La Liga soccer division has admitted to spying on its users. According to Spanish newspaper El Diario, the app maker claims the app, which has over 10 million downloads in the Google Play store, enables the microphone to be turned on when a user enters a bar, in an effort to discover if the venue is illegally streaming a match.

La Liga claims the issue affected only users in Spain, and only those who opted in to allowing the app to access their device’s microphone and GPS data. However, this opt-in was bundled into the app’s privacy policy and was enabled when users accepted the terms and conditions for using the app (who really reads the small print, right?). La Liga justified its actions by claiming that illegal streams have cost the league over 150 million Euros, and says it gathers only statistical, not personal, data. Under the newly implemented GDPR, however, consent bundled into acceptance of general terms and conditions is unlikely to count as freely given and specific, so these practices are now very likely unlawful.

Special Note: As the World Cup continues, The Rysk Group will update their original post with any relevant information on cybersecurity incidents and news.

Cybersecurity Best Practices — How General Counsel Can Prepare For The Worst https://pre.hospitalitylawyer.com/cybersecurity-best-practices-how-general-counsel-can-prepare-for-the-worst/?utm_source=rss&utm_medium=rss&utm_campaign=cybersecurity-best-practices-how-general-counsel-can-prepare-for-the-worst https://pre.hospitalitylawyer.com/cybersecurity-best-practices-how-general-counsel-can-prepare-for-the-worst/#respond Thu, 16 Nov 2017 20:35:00 +0000 http://pre.hospitalitylawyer.com/?p=14900 Take note GCs: The question is not if you will have to respond to a cybersecurity incident—the question is when. That was the message from speakers and panelists at the Association of Corporate Counsel’s annual meeting this year.

Indeed, the majority of all U.S. businesses have experienced at least one cybersecurity incident in the last year, with some estimates as high as 80%. And a data breach involving so-called knowledge assets (confidential business information) costs an average of $5.4 million to resolve, up to a maximum of $270 million for the largest breaches.

The good news for GCs is that having a well-designed response plan in place can lower the risk of a breach and greatly minimize the damage if a breach occurs. Some best practices discussed at the ACC meeting, and elsewhere, are worth considering:

Best Practices

  • Cultivate close relationships with IT directors to make it more likely that GCs are contacted in the event of a breach or crisis.
  • Extend those relationships to as many IT employees as possible, so that fear of being blamed personally does not deter staff from reporting a breach promptly.
  • Evaluate and routinely measure employee security training levels.
  • Meet with as many relevant departments as possible to assess the specific risks and issues that could arise if/when a breach occurs.
  • Conduct a thorough survey of the data collected by the organization, focusing on employee, consumer, medical, and financial data, and determine if any data does not need to be stored.
  • Critically examine contracts and breach procedures of existing vendors that are privy to sensitive data or have access to internal systems.
  • Perform vendor due diligence before committing to any new contractual relationships and consider requiring vendors to fill out a questionnaire indicating their experience and policies with data breaches, training level of their employees, and general control procedures for sensitive data.
  • For vendors that have access to critical information, consider requiring the vendors to provide independent third-party security assessments or audits.
  • Create a standard data privacy and security addendum that can be attached to vendor contracts (which are usually drafted by vendors) to ensure that the organization’s data is being protected and include risk allocation provisions that apply should the vendor be subject to or lead to a breach.
  • Monitor relationships with vendors to ensure continued compliance with contract provisions, applicable laws, regulations, and industry standards. Further, ensure that once the relationship ends, the vendor destroys or returns company data as appropriate.
  • Document the plan. Create a list of policies and procedures to be followed if there is an incident, and include clearly defined roles and individuals who need to be contacted.
  • Make sure to focus on the immediate aftermath of a breach — the first 48 hours being most critical — and ensure that internal and external communications keep stakeholders apprised as the situation develops.
  • Consider working with a public relations firm to develop consistent messaging that can be efficiently communicated in a crisis.
  • Create an internal response team, including members of management, IT, legal, and public relations that can quickly decide remedial steps and appropriate communication.
  • Consider the company’s overall insurance program and whether cyber risks are covered.

Authors

Matthew J. Siegel, Member, Cozen O’Connor
Ethan Price-Livingston, Associate, Cozen O’Connor

6 Ways to Protect Yourself Against a Data Breach
https://pre.hospitalitylawyer.com/6-ways-to-protect-yourself-against-a-data-breach/
Wed, 15 Nov 2017 00:26:05 +0000

The threat of credit card data breaches and hacks throughout companies is unfortunately becoming more common as the world expands globally and technologically. As a traveler, the last thing you want to worry about is whether or not a stranger will gain access to your personal and company information through your credit card or other means. While this may not be completely preventable, there are ways to increase your protection throughout your travels.

1. Update all passwords for increased safety and security

This one may seem obvious, but many people forget about it. We’re all guilty of mindlessly typing in a random, easy-to-remember password. The simpler your password is, the easier it is to hack. Create a combination for your accounts that ensures increased safety. The more numbers, upper and lowercase letters and symbols you add, the more secure your password becomes. Don’t make the same password for every account. If you’re worried about forgetting, there are apps available such as 1Password and Keeper where you can securely store passwords and confidential information.

2. Monitor your bank and credit card statements

Keep track of and check all your statements on a regular basis, especially in the months after traveling. If you’re still getting charges from Boston even though you’re back home in Seattle, obviously something isn’t right. In these situations, contact your bank immediately so they can take proper measures to ensure the cancellation of your card. Also notify your bank of any upcoming travels. This way, your card won’t be frozen if your bank is aware you are traveling, and they can keep an eye out for any fishy transactions that may occur during or after your trip.

3. Update the way you pay

It might also be time to think about using an updated way to pay. Services such as Apple Pay, Android Pay and PayPal replace your card number with a new token each time you pay. Your actual number is never used or given out to any retailers, which means your information is less likely to be exposed in the event of a breach. Not every retailer has this feature enabled yet; however, it’s continuing to grow as more stores, hotels and even online retailers are realizing the benefits that it produces.

For business travelers, check to see if your travel management company offers a secure virtual payment option. For instance, Travel and Transport’s Secure Pay generates a virtual, one-time use credit card for hotel bookings. Secure Pay significantly cuts down on the risk of fraudulent activity that can occur with a ghost card by assigning a new card number for each hotel booking.

4. Ditch the PIN

If you need to use a debit card, ask the cashier to run your card as credit and sign for your purchase instead of entering a PIN. Hackers who gain access to PINs can clone your card and actually take money out of an ATM.

5. Make sure it’s secure

Are you interacting with a business online? Make sure that any personally identifiable information you transmit via a website or form is secure. This includes anything from credit card numbers to even your name, address, phone number and email. A recent airline data breach was related to a customer contact form. Look for the “https://” prefix in your browser’s address bar, and you can even click the little lock symbol to find out more about the type of encryption that is used. This is a tip directly from Travel and Transport’s own data security department and all of our forms meet this standard. Contact us and see for yourself!

6. When in doubt? Pay cash

If these options still aren’t protective enough, put away your credit card and use cash whenever possible. Although this might be considered “old school” and it isn’t always an option for business travelers who use a corporate card and have to file expenses, it can be an effective option for leisure travelers. Your information can’t be hacked if your credit card is safely tucked away in your wallet. This not only provides a safer way to pay, but it also allows you to budget your expenses accordingly if you know you only have a certain amount of cash to use.

Before you travel, take out a designated amount of cash to use when purchasing. If you need more cash, look for ATMs inside reputable businesses and banks and check to make sure that ATM skimmer devices have not been installed. Always cover the PIN keypad with your hand to ensure that nobody watches you enter your code.

Traveling can be stressful, but don’t let credit card fraud get in the way of an otherwise enjoyable trip. Taking a few extra moments to protect your card safety can make a huge difference when it comes to securing your data.


This article was originally published by Travel & Transport.

How to Protect Your Online Privacy
https://pre.hospitalitylawyer.com/how-to-protect-your-online-privacy/
Thu, 19 Oct 2017 23:55:48 +0000

On a daily basis, the global media reports a huge loss of personnel data, damaged reputations, pilfered intellectual property, or millions of dollars stolen as the result of cyber incidents. An event reported in the news today will likely be eclipsed in scale or audacity in a few months’ time. Neither banks, global corporations, celebrities, nor even governments seem able to protect themselves from these digital events.

Even in an era of acute cyberawareness, we still struggle to keep our business networks and personal computers secure. And now the Internet of Things (IoT) exponentially increases our risk from hacktivists, nation states, and criminals. Today our smart TV, home security system, toaster, and heart pacemaker have a user name and password. These devices increase what the security community calls the attack surface – that is, new and novel ways for intruders to hack into your life.

Yet people must communicate, statecraft must be practiced, and commerce and money must flow around the world. Adherence to a basic cyber hygiene regimen can greatly reduce cyber risk exposure. Just like exercising, eating healthy, and getting more sleep – good cyber habits are not difficult, but they must become a routine to be effective.

If you don’t do anything else to protect your digital self, do the following:

Use a new password for every account.

Why? Hackers know people reuse their passwords. So, when a hacker obtains millions of user names and passwords, he has automated tools to try these usernames and passwords against other websites such as banks, corporate networks, ecommerce sites, email providers, and social media sites. Think for a moment of the damage to be done if you use the same password for your work account and your bank account.

Create good passwords.

Why? Hackers know people create lousy passwords. “12345”, “password”, and “qwerty” are embarrassingly popular, as proven in every single theft of databases of passwords. Use at least eight (8) characters, upper and lower case and special characters. Avoid common words and short phrases, since there are hacker tools that test every permutation of dictionary words. Additionally, consider using a password manager which can help you create stronger, unique passwords and remember them for you.

Don’t open suspicious attachments or links.

Why? Technically there are numerous ways to access a computer illegally, but most of the high-profile computer breaches happen because one employee clicked on one single hyperlink in an email or website; that’s all it takes. You know the feeling when you’re not sure if the email is legit…trust your instincts.

Don’t use free public Wi-Fi.

Why? Free public Wi-Fi is not free. You pay a high price in security and privacy. Imagine your laptop screen is a stadium jumbotron. Every page you visit, every search term you type, every computer you connect to is on virtual display. Potentially, others connecting to the same free Wi-Fi can spy on your communications, access your computer’s data, or misdirect you to malicious websites that infect your computer/corporate network.

Don’t “overshare” on social media.

Why? Whether the watcher is a nation-state, cyber protester, or criminal, hackers have done their homework before they strike. If the hackers are targeting your corporation, details about travel, new projects, promotions, or office politics speak volumes on how to attack your organization or you. These details can be used to craft, for example, a phony human resources email with the “pay and promotion” attachment that is laced with malicious software. Moreover, our sharing across social media creates a cumulative personality profile that can be used against us or our organizations. Remember – photos of the new puppy = good. Photographic evidence, locations, and commentary on the Saturday after-game exploits = bad.

In short, the potential for reputational or financial harm to your company or personnel is pretty significant compared to the relatively small amount of effort it takes to mind your cyber behavior. Survey your personal and organizational cyber fitness, and offset a major problem down the road.

For more intelligence analysis and insights, follow iJET on Twitter where we share regular updates on risk management issues impacting global organizations and the security of their people and operations.

Cloud Computing Crash Course: Location, Location, Location
https://pre.hospitalitylawyer.com/cloud-computing-crash-course-location-location-location/
Sat, 14 Oct 2017 20:14:28 +0000

Cloud computing is the practice of enlisting a “cloud provider” to deliver data, applications and storage to users through the internet, which allows each user to share the computing resource and forego some on-premise technology. Cloud computing is generally categorized into three buckets. The cloud provider may:

  1. Host applications, thereby eliminating the need to install and run applications on users’ own computers or data centers (known as Software-as-a-Service, or SaaS).
  2. Host the hardware and software on its own infrastructure, thereby eliminating the need to install in-house hardware and software needed to develop or run a new application (known as Platform-as-a-Service or PaaS).
  3. Provide virtualized computing resources, thereby eliminating the need to install and run hardware, software, servers, storage or other infrastructure in the user’s own facility (known as Infrastructure-as-a-Service or IaaS).

Knowing Where Your Data is Stored is Mission-Critical

Don’t let the term “cloud” fool you into thinking that the information is not in a specific location. It is, and it’s important to know the exact geographic location of the server where your data will be stored, including any back-up locations.

First, your legal obligations relating to the information can completely change according to the geographic location of where your information is stored. For example, if the cloud provider sends your organization’s personally identifiable information (PII) to a server in the European Union, you will be subject to the ultra-strict privacy rules of the General Data Protection Regulation (GDPR), set to take effect in May 2018.

Second, your information may not be as secure if the privacy and security laws in the server’s location are not as protective as in the United States. Servers in India, for example, are subject to India’s Information Technology Act, which allows the Indian government to intercept and demand decryption of information with serious fines and/or imprisonment for non-compliance.

Third, with some countries’ data localization laws, you may be required to store certain information within a specific country, and you may be prevented from exporting it out of that country. Russia’s localization law, for example, requires a multinational organization to host data concerning Russian citizens only on a server in Russia, which may mean creating a new data center in Russia.

Depending on the type of information you are sharing, you may also have to comply with U.S. export control regulations. This is an especially important contract consideration for information relating to items classified as “dual use,” or technology with encryption functionalities that are subject to Export Administration Regulations. Storage of such information outside the United States may lead to serious sanctions if required licenses are not obtained.

Finally, in the event of a data breach, U.S. and foreign law enforcement agencies have broad rights to obtain subpoenas for information stored in the cloud. However, rules surrounding a data breach vary from country to country and even state to state — some states, for example, exempt organizations from disclosing a data breach if the data is encrypted, and the encryption key was not exposed.

Conclusion

While cloud computing offers many benefits to organizations, it also introduces its own legal obligations and risks, many of which are tied closely to the geographic location of the stored data. As such, organizations must work proactively to understand the particular data privacy regulations applicable to their cloud computing arrangement. This due diligence will help organizations determine if they should engage with a cloud vendor or continue to store their data on-site.


Thomas J. Posey, Partner
Faegre Baker Daniels LLP
311 S. Wacker Drive, Suite 4300
Chicago, IL 60606, USA
Main: (312) 212-5500
Direct: (312) 212-2338
Email: thomas.posey@faegrebd.com
