Data Privacy – HospitalityLawyer.com
https://pre.hospitalitylawyer.com
Worldwide Legal, Safety & Security Solutions

Hospitality Cyber Threats Are Alive & Well – Lessons From Recent Incidents
https://pre.hospitalitylawyer.com/hospitality-cyber-threats-are-alive-well-lessons-from-recent-incidents/
Tue, 16 Jul 2019 16:00:33 +0000

The data incident involving the Starwood guest database was one of the most significant data security incidents in recent years. Publicly announced on November 30, 2018, the details revealed in the days and weeks following the announcement contain some striking reminders and new lessons for the hospitality industry. Here are some of the key facts of the incident:

  • Marriott acquired Starwood in September of 2016, but Marriott continued to operate Starwood’s guest database separately from Marriott’s until a few weeks after the breach incident was announced.
  • The unauthorized intrusion into Starwood’s database occurred in 2014, but it was discovered neither by Starwood nor by Marriott during the course of Marriott’s later acquisition of Starwood.
  • The guest information compromised in the incident included name, address, phone number, email address, passport number, preferred guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preference, and in some instances, payment card numbers and expiration dates. It was ultimately reported by Marriott’s forensic assessment provider that 383 million records were affected.

These facts underscore several crucial considerations for hotel companies regarding how guest data is collected, secured and retained. Some of these considerations aren’t ones that our industry normally associates with data security concerns. Here are some of the key takeaways:

  1. Data Security/Privacy is a Critical Due Diligence Consideration. In any merger or acquisition there are due diligence checklist items for the surviving entity. In the case of the Marriott/Starwood transaction the security breach of Starwood’s database was not discovered prior to closing, but had it been, the implications for the deal could have been extremely significant. At the very least, action could have been taken to remediate the compromise at that time. In this day and age, cyber due diligence should be part of any merger or acquisition.
  2. Retention of Large Amounts of Personal Information Carries Risk. Personal data is valuable for many reasons, but that value has to be balanced against the risk that accumulated caches of personal data become rich targets for data thieves. For example, there were over 5 million unique unencrypted passport numbers and more than 20 million encrypted passport numbers that were compromised over the course of the Starwood data incident. The value to Starwood and Marriott of retaining that passport information is unclear, but the liability of replacing more than 25 million passports is enormous.
  3. With GDPR and CCPA, the Definition of Protected Data Has Expanded. Before the effective date of the General Data Protection Regulation (GDPR) in May of 2018, most of the data involved in the Starwood incident would not have enjoyed any special protection. Under U.S. state law in most jurisdictions, even today, a person’s name, address, phone number, and email address are not considered Personally Identifiable Information or “PII.” However, GDPR and the new California Consumer Privacy Act (CCPA) (effective January 1, 2020) have greatly expanded the scope of protected personal data to include virtually any item of information that can be used to identify an individual. A name, address, phone number or e-mail address is indisputably “personal data” under the GDPR.
  4. Guest Reservation Systems Are Vulnerable On Both Ends. In branded hotels, franchise agreements always require that the hotels utilize the brand’s reservation and management system, including brand-mandated hardware, software, portals and connections. This arrangement gives data thieves multiple targets from which to select when seeking to steal guest information. The Wyndham data incident of 2008/2010 was the first notable attack on a brand’s central guest information database. While most hotel guest information data incidents in the past decade have occurred at individual hotels or discrete groups of properties, the Starwood incident proves that a brand’s guest information database is still vulnerable.

2018 also saw a rash of low-tech social engineering attacks against individual hotels, and this type of attack has continued into 2019. Criminals commence these attacks by posing as brand systems support personnel and making phone calls to hotel employees. The employees are asked to provide their login credentials for the reservation management system.

Cybercriminal: Hello, I’m calling from [brand] system support. We’re having difficulty with the reservation process on your end, and we need to check it. Can you please log in for me?
Employee: Sure. [Logs in]
Cybercriminal: We’re still having an issue. Can you please give me your username and password so I can try it on our end?
Employee: No problem. My username is … and my password is …

Using the stolen credentials, the criminal remotely accesses the reservation management system and retrieves information about recent guest bookings, including guest names, addresses, phone numbers, reservation dates, and partial payment card information. Although the systems typically show only a partial credit card number, in some cases the criminals are able to unmask the obscured digits.

The criminal then calls guests with future reservations:

Cybercriminal: Hello, I’m calling from [hotel name] regarding your reservation from [check-in date] to [check-out date]. We’re having a problem processing your credit card. The last four numbers are [XXXX]. Could you please provide me with your full credit card information, including security code, so we can get that taken care of?

Because the criminal has accurate information about the reservation, the guest is more likely to fall for the scam. Once the guest has supplied the card information, the criminal quickly racks up fraudulent charges. Fortunately, most guests don’t trust these calls, but the calls are still bad for the reputation of the hotel and brand. Depending on what information is exposed, the unauthorized access to the reservation management system may legally be considered a data breach that requires notification to affected individuals and regulators.

To help protect your organization from these types of social engineering attacks:

  • Change employee passwords at frequent intervals.
  • Alert employees to this type of attack and train them in how to respond.
  • If possible, implement multi-factor authentication for any access to the reservation management system.
  • Audit which employees have access to the reservation management system and disable access for employees who have no business need for it, including employees who have been terminated or who have changed roles.
  • Protect partial payment card information so obscured numbers can’t be unmasked.

This article is part of our Conference Materials Library and has a PowerPoint counterpart that can be accessed in the Resource Library.

HospitalityLawyer.com® provides numerous resources to all sponsors and attendees of The Hospitality Law Conference: Series 2.0 (Houston and Washington D.C.). If you have attended one of our conferences in the last 12 months you can access our Travel Risk Library, Conference Materials Library, ADA Risk Library, Electronic Journal, Rooms Chronicle and more, by creating an account. Our libraries are filled with white papers and presentations by industry leaders, hotel and restaurant experts, and hotel and restaurant lawyers. Click here to create an account or, if you already have an account, click here to login.

No One Likes Surprises – Corporate Counsel Lessons Learned by Clients
https://pre.hospitalitylawyer.com/no-one-likes-surprises-corporate-counsel-lessons-learned-by-clients/
Sat, 08 Jun 2019 16:00:53 +0000

I. Introduction

I often think of the words first heard spoken by the Fram Oil mechanic in the television commercial many years ago – “you can pay me now or you can pay me later.” The wisdom of this statement has been proven time and time again. Its application in the legal services context is no exception as avoiding using legal counsel on the front end will in many instances only result in greater expense on the back end. In our everyday lives, we invest in our health and the proper repair and maintenance of our homes and cars because we know that the consequence of failing to do so will be far worse in the long run. It begs the question, therefore, why business owners do not always operate their companies the same way. This lesson was unfortunately learned the hard way by some of my clients.

While serving as outside general counsel for various companies, I have seen firsthand how common, simple mistakes, which could easily have been prevented by involving legal counsel at the outset, cost much more to remedy on the back end. As the growth of information technology continues to drive our world and compliance standards and regulations continue to increase, it is now more important than ever to be proactive and consistently involve legal counsel when making decisions. This “best practice” is the best way to minimize exposure and ensure compliance before it costs you, as shown by the three simple examples discussed below.

II. Affordable Care Act Compliance – Did You Check The Right Box?

It is widely known that if your company has more than fifty employees the Affordable Care Act (ACA) requires that you offer health insurance to all employees who work more than thirty hours per week. What you may not know is that the employees of separate but related entities all count towards the “fifty employees” determination. I have seen this fact overlooked, which results in the failure to provide the required insurance and consequential exorbitant per-employee fines. Additionally, not any insurance plan will do — your insurance plan must provide minimum essential coverage and meet the definitions of minimum value and affordability. Each of these components, as defined by the ACA, must be considered when making decisions regarding the type of employee health insurance plan to offer. If you fail to offer a plan with each of the three components, the IRS will come knocking and you should expect to bring your checkbook. However, your company may be prepared for the knock on the door if it has intentionally chosen to offer employees an insurance plan with only minimum essential coverage even if the insurance plan fails to provide minimum value and affordability. This is a popular business decision by companies who have learned that the fines associated with offering a plan that only provides “minimum essential coverage” are often less expensive than the out-of-pocket costs to provide employees a fully compliant plan.

Additionally, even if you can breathe a sigh of relief knowing your insurance plan meets the three criteria, or your company has chosen to intentionally provide a plan with only minimum essential coverage, you must accurately report it to the IRS on your and forms. A mistake as small as checking the wrong box on an IRS form can be very costly. For example, the initial fine one of my clients received was $1,600,000 before the error in completing the forms was discovered and remedied. Thus, when new regulations such as the ACA are passed, I strongly encourage you to consult with legal counsel who can answer the necessary questions and provide the required guidance, as relying on an insurance broker’s representations alone has proven not to be sufficient. I have seen them confuse different legal criteria more than once, requiring legal counsel to remedy the situation at a later date. These are risks too expensive to take as they can be easily avoided.

III. Data Privacy & Cyber Liability Coverage – What Does Your Plan Cover?

It should come as no surprise that data privacy is one of the biggest areas of liability risk and monetary exposure facing companies today. As more of today’s world becomes technology driven, this risk and exposure will only continue to increase. Traditional contracts, SaaS contracts and cyber liability insurance policies now often contain new types of provisions and potential risks related to data privacy which can be explained to you by legal counsel who will seek to minimize these risks. In nearly all contexts, the burden is on you to ensure your company and your clients’ electronic information is protected. You must be aware of the risks and benefits involved in every transaction.

The good news is that due diligence and awareness today will go a long way towards saving your company money and distress in the long run, as well as protecting vulnerable client relationships. For example, one of my clients learned the hard way that its cyber liability insurance policy only covered claims by clients and their customers, without coverage for regulatory investigations. Thus, when it was faced with extensive investigations, potential litigation and severe penalties from the Federal Trade Commission and state governments, due to a relatively small data breach which caused no actual damages to its clients, it was forced to defend itself solely using its own financial resources. Thus, you should consult data privacy counsel to ensure compliance with data privacy laws and insurance coverage counsel to review your cyber liability insurance coverage.

Additionally, you should retain information technology professionals to conduct appropriate vulnerability testing to ensure the safety of your electronically stored information regardless of the size of your company. While taking these additional steps proactively will result in what may seem like an unnecessary expense at the time, based on your risk assessment, these steps are actually safeguards no company can afford to ignore today due to the potential consequences of one data breach.

IV. Corporate Governance – A House Is Only As Good As Its Foundation

Unless you are a sole proprietorship, your company is required to maintain proper corporate governance. You may not think corporate governance is important and neglect it like many companies because it is certainly not exciting, but it is the foundation that may very well protect your company when necessary, as well as save the company time, energy, resources and money in the long run. Just like no couple ever marries intending to be later divorced, most companies do not form intending to be sold or preparing to face a lawsuit, whether it may be with another company, a customer, your own employee or even co-owners. However, these things happen all the time. It may have already happened to your company.

In my experience, over half of all companies fail to maintain proper corporate governance. The result is that in the event the company sells or seeks to determine which of its entities own certain assets, it will have to quickly recreate missing corporate governance at a very steep cost. For example, if proper documentation of board of director decisions and related matters has not been memorialized along the way, it will have to be recreated on the back end — a far more time-consuming and expensive task than addressing governance on a routine basis. Further, although it is difficult to “pierce the corporate veil” today and hold individual owners liable for the company’s liabilities, this is still always a potential threat when internal corporate governance is not followed and maintained.

V. Conclusion

Although the Fram Oil mechanic did not also say we should learn from each other’s mistakes, this premise is a logical extension of the “pay me now or pay me later” principle. In providing the examples above, I want to emphasize the importance of proactive decision making because no one should wait until their company is faced with uncertainty or decisions with potentially expensive and negative repercussions to consult with legal counsel. Ensuring correct decisions and necessary actions occur at the front end by engaging legal counsel may save you a great deal of time and expense in the long run. You can pay me now or you can pay me later after all.


Authors

Craig Harris – Shareholder, Dallas office
charris@munsch.com
214.855.7590

Craig is a trial lawyer with 30 years of experience serving the needs of established companies, growing businesses and entrepreneurs in commercial, restaurant, employment, intellectual property and oil and gas litigation and other general business matters.

Craig has a reputation for aggressively and successfully representing the interests of his clients. He has extensive trial experience in both state and federal courts, having handled hundreds of commercial and employment litigation matters, including business disputes, contracts, minority shareholder issues, partnership matters, non-compete agreements, employment discrimination, sexual harassment, wage and hour claims, employment contracts, as well as restaurant-related cases and intellectual property and oil and gas litigation. In many instances, Craig also serves as outside General Counsel to his clients.

Craig’s level of commitment and service to his clients is one of the primary reasons clients turn to him again and again when they need legal representation. Craig has become adept at applying his insights to his clients’ businesses and industry sectors to the specific case at hand, and each matter is handled according to his clients’ business goals to achieve their objectives.

Natalie Sears – Associate, Dallas office
nsears@munsch.com
214.855.7512

Natalie’s practice focuses on a wide range of complex commercial litigation matters, including labor and employment and construction litigation.

Prior to joining Munsch Hardt, Natalie served as an Associate for a commercial law firm based in Dallas, Texas, where she handled drafting documents used in all phases of commercial litigation, including original petitions, written discovery requests and responses, motions for summary judgment and non-dispositive pre-trial motions.

Natalie also has extensive experience in intellectual property litigation. She has represented clients in preparing applications to register trademarks and copyrights with the United States Patent and Trademark Office, prosecuting against parties seeking registration of similar marks and defending against oppositions filed with the Trademark Trial and Appeal Board.
