Eckert Seamans – HospitalityLawyer.com
https://pre.hospitalitylawyer.com
Worldwide Legal, Safety & Security Solutions
Thu, 29 Aug 2019 08:11:04 +0000

All The World’s A Stage: Legal Factors to Keep in Mind Before Signing a Location Agreement
https://pre.hospitalitylawyer.com/all-the-worlds-a-stage-legal-factors-to-keep-in-mind-before-signing-a-location-agreement/
Sat, 31 Aug 2019 16:00:51 +0000

When location scouts for movies, TV shows or other special events come to check out a hotel, hotel owners or managers have reason to be excited and cautious. The property may receive a location fee for the filming, and the buzz, visibility and social media bounce that come with location filming can be hard to put a price on. Location agreements, even those with high dollar values involved, are often presented only a few days before a shoot. If you want to have your hotel or property featured in a film or TV show, you will have to act quickly. The typical location agreement sent by the production company is a short one-page document, but there are complex legal issues involved. Because filming agreements move quickly, and the production company likely had its lawyers draft the agreement, it’s important for a hotel or property manager to also have an equally experienced lawyer of their own review the proposed agreement and negotiate it before committing the hotel or property to the project.

Below are some key factors to consider when transforming your property into a Hollywood soundstage:

  • Seeing your Name in Lights: Before you sign a location agreement, you need to understand the nature of the filming and think carefully about the use of your hotel. Do you want the goodwill of your name being shared in the movie or show? If so, do you have the rights to your hotel name? If your hotel is branded, you may need the approval of the brand under the franchise agreement.
  • In it for the Money: Depending on your property and the filming schedule, some production companies will pay lucratively for the use of your property. Don’t be afraid to ask for a location fee. This is a business negotiating point to keep in mind, particularly when balancing risks and benefits to your property.
  • Don’t Judge a Book by its Cover: Before making any final decisions about participation in the shoot, you should fully understand what is being filmed at your hotel, particularly if your name is being used or your property is easily identifiable. What actions are being taken at your property, or what is going to be said about your hotel? Some production companies will allow for a script read in advance to provide an opportunity for sign-off on the dialogue, in case there are issues involved with the portrayal of your property. You may also want to request language regarding the portrayal of your property in the final movie or show. Remember that the production company will own the footage in perpetuity – with the hotel having little to no contractual remedy to prevent the use of the footage after it is shot – so you must address any remaining concerns before the filming commences.
  • Lights, Camera, Action: Is the production an action movie full of stunts conducted on the roof of your property, or does the hotel lobby set the scene for a romantic first kiss? The nature of the filming makes a difference for your risk allocation. You need an appropriate indemnity from the production company, evidence that it is appropriately insured (including you being named as additional insured on its applicable insurance policies), and to consider your preference for any dispute resolution. You should also address how to handle any damage to your hotel property that may result from the filming, and if the production company asks for a release, it should be negotiated prior to signing the location agreement.
  • Your Show Must Go On: In the location agreement, it is essential to document and detail where and when the production company will be filming. Your hotel is your business, and unless the production company is renting out your entire hotel (which is rare), you need language in the agreement regarding the treatment of your guests. You also need to collaborate in advance with the hotel management and staff to ensure the shoot does not materially inconvenience the guests, and that the hotel can comply with the requirements of the location agreement.
  • Who Was Voted Off: For many film shoots, particularly the ever-growing genre of reality television, confidentiality is of paramount importance to the production companies. Review these provisions carefully and consider whether the requested confidentiality restrictions are enforceable by your hotel management. The next step is to appropriately convey the message and instructions to your hotel staff regarding what they can and cannot do before, during, and after the filming.
  • Behind the Curtain: Keep in mind that there are intellectual property and licensing considerations which may need to be addressed depending on the nature of the filming. Language stating that the hotel grants the rights to the production company for all art and objects in and around the property is often in the location agreement, but is it accurate? Does your hotel own the licensing rights to the piece of art that will be featured in the guest room scene? If not, it must be addressed.
  • Sign on the Dotted Line: Who signs for the hotel is not always straightforward. Under the hotel management agreement, the appropriate signatory for a location agreement may be the hotel owner, the hotel management company, or another construct such as the management company as an agent for the hotel owner. Either way, make sure that the agreement accurately reflects the appropriate signatory in the recitals and the signature block, and that the text of the location agreement accurately addresses the references to the signatory.

Hospitality Cyber Threats Are Alive & Well – Lessons From Recent Incidents
https://pre.hospitalitylawyer.com/hospitality-cyber-threats-are-alive-well-lessons-from-recent-incidents/
Tue, 16 Jul 2019 16:00:33 +0000

The data incident involving the Starwood guest database was one of the most significant data security incidents in recent years. Publicly announced on November 30, 2018, the details revealed in the days and weeks following the announcement contain some striking reminders and new lessons for the hospitality industry. Here are some of the key facts of the incident:

  • Marriott acquired Starwood in September of 2016, but Marriott continued to operate Starwood’s guest database separately from Marriott’s until a few weeks after the breach incident was announced.
  • The unauthorized intrusion into Starwood’s database occurred in 2014, but was not discovered by Starwood, nor later by Marriott during the course of its acquisition of Starwood.
  • The guest information compromised in the incident included name, address, phone number, email address, passport number, preferred guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preference, and in some instances, payment card numbers and expiration dates. It was ultimately reported by Marriott’s forensic assessment provider that 383 million records were affected.

These facts underscore several crucial considerations for hotel companies regarding how guest data is collected, secured and retained. Some of these considerations aren’t ones that our industry normally associates with data security concerns. Here are some of the key takeaways:

  1. Data Security/Privacy is a Critical Due Diligence Consideration. In any merger or acquisition there are due diligence checklist items for the surviving entity. In the case of the Marriott/Starwood transaction the security breach of Starwood’s database was not discovered prior to closing, but had it been, the implications for the deal could have been extremely significant. At the very least, action could have been taken to remediate the compromise at that time. In this day and age, cyber due diligence should be part of any merger or acquisition.
  2. Retention of Large Amounts of Personal Information Carries Risk. Personal data is valuable for many reasons, but that value has to be balanced against the risk that accumulated caches of personal data become rich targets for data thieves. For example, there were over 5 million unique unencrypted passport numbers and more than 20 million encrypted passport numbers that were compromised over the course of the Starwood data incident. The value to Starwood and Marriott of retaining that passport information is unclear, but the liability of replacing more than 25 million passports is enormous.
  3. With GDPR and CCPA, the Definition of Protected Data Has Expanded. Before the effective date of the General Data Protection Regulation (GDPR) in May of 2018, most of the data involved in the Starwood incident would not have enjoyed any special protection. Under U.S. state law in most jurisdictions, even today, a person’s name, address, phone number, and email address are not considered Personally Identifiable Information or “PII.” However, GDPR and the new California Consumer Privacy Act (CCPA) (effective January 1, 2020) have greatly expanded the scope of protected personal data to include virtually any item of information that can be used to identify an individual. A name, address, phone number or e-mail address are indisputably “personal data” under the GDPR.
  4. Guest Reservation Systems Are Vulnerable On Both Ends. In branded hotels, franchise agreements always require that the hotels utilize the brand’s reservation and management system, including brand-mandated hardware, software, portals and connections. This arrangement gives data thieves multiple targets from which to select when seeking to steal guest information. The Wyndham data incident of 2008/2010 was the first notable attack on a brand’s central guest information database. While most hotel guest information data incidents in the past decade have occurred at individual hotels or discrete groups of properties, the Starwood incident proves that a brand’s guest information database is still vulnerable.

2018 also saw a rash of low-tech social engineering attacks against individual hotels, and this type of attack has continued into 2019. Criminals commence these attacks by posing as brand systems support personnel and making phone calls to hotel employees. The employees are asked to provide their login credentials for the reservation management system.

Cybercriminal: Hello, I’m calling from [brand] system support. We’re having difficulty with the reservation process on your end, and we need to check it. Can you please log in for me?
Employee: Sure. [Logs in]
Cybercriminal: We’re still having an issue. Can you please give me your username and password so I can try it on our end.
Employee: No problem. My username is … and my password is …

Using the stolen credentials, the criminal remotely accesses the reservation management system and retrieves information about recent guest bookings, including guest names, addresses, phone numbers, reservation dates, and partial payment card information. Although the systems typically show only a partial credit card number, in some cases the criminals are able to unmask the obscured numbers.

The criminal then calls guests with future reservations:

Cybercriminal: Hello, I’m calling from [hotel name] regarding your reservation from [check-in date] to [check-out date]. We’re having a problem processing your credit card. The last four numbers are [XXXX]. Could you please provide me with your full credit card information, including security code, so we can get that taken care of.

Because the criminal has accurate information about the reservation, the guest is more likely to fall for the scam. Once the guest has supplied the card information, the criminal quickly racks up fraudulent charges. Fortunately, most guests don’t trust these calls, but they are bad for the reputation of the hotel and brand. Depending on what information is exposed, the unauthorized access to the reservation management system may legally be considered a data breach that requires notification to affected individuals and regulators.

To help protect your organization from these types of social engineering attacks:

  • Change employee passwords at frequent intervals.
  • Alert employees to this type of attack and train them in how to respond.
  • If possible, implement multi-factor authentication for any access to the reservation management system.
  • Audit which employees have access to the reservation management system and disable access for employees who have no business need for it, including employees who have been terminated or who have changed roles.
  • Protect partial payment card information so obscured numbers can’t be unmasked.
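
The access audit, multi-factor and password-rotation items in the list above can be checked on a schedule with a short script. The following is an added example, not part of the original article: the CSV layouts, role names, 90-day password threshold and all sample records are constructed assumptions and do not reflect the export format of any real reservation management system.

```python
import csv
import io
from datetime import date

# Assumption: job roles at this property that need reservation-system access.
ROLES_WITH_BUSINESS_NEED = {"front_desk", "reservations", "revenue_manager"}
# Assumption: local policy for "frequent intervals".
MAX_PASSWORD_AGE_DAYS = 90

# Constructed sample: account export from the reservation management system.
ACCOUNTS_CSV = """username,employee_id,enabled,mfa_enabled,password_changed
jdoe,1001,yes,yes,2019-06-20
asmith,1002,yes,no,2019-01-05
bnguyen,1003,yes,yes,2019-06-01
ckhan,1004,yes,no,2019-07-01
frontdesk1,,yes,no,2018-03-15
lortiz,1005,no,no,2018-11-30
dpatel,1006,yes,yes,2019-02-01
"""

# Constructed sample: current HR roster from the hotel operator.
ROSTER_CSV = """employee_id,status,role
1001,active,front_desk
1002,terminated,reservations
1003,active,housekeeping
1004,active,reservations
1005,terminated,front_desk
1006,active,front_desk
"""


def load(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_accounts(accounts, roster, today, max_age=MAX_PASSWORD_AGE_DAYS):
    """Return (username, finding) pairs for enabled accounts that need action."""
    by_id = {row["employee_id"]: row for row in roster}
    findings = []
    for acct in accounts:
        if acct["enabled"] != "yes":
            continue  # already disabled, nothing to do
        user = acct["username"]
        emp = by_id.get(acct["employee_id"])

        # Accounts that should not exist at all: report and move on,
        # because the remediation is to disable them.
        if emp is None:
            findings.append((user, "no_owner_on_roster"))
            continue
        if emp["status"] != "active":
            findings.append((user, "terminated_employee"))
            continue
        if emp["role"] not in ROLES_WITH_BUSINESS_NEED:
            findings.append((user, "no_business_need"))
            continue

        # Legitimate accounts: check the credential hygiene items.
        if acct["mfa_enabled"] != "yes":
            findings.append((user, "mfa_not_enabled"))
        age = (today - date.fromisoformat(acct["password_changed"])).days
        if age > max_age:
            findings.append((user, f"password_older_than_{max_age}_days"))
    return findings


def run_sample():
    """Audit the constructed sample data as of the article's publication date."""
    return audit_accounts(load(ACCOUNTS_CSV), load(ROSTER_CSV), date(2019, 7, 16))


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

Accounts with no roster owner, such as a shared front-desk login, are reported first because a credential shared by several employees cannot be tied to one person when it is disclosed over the phone.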

This article is part of our Conference Materials Library and has a PowerPoint counterpart that can be accessed in the Resource Library.

The Unique Challenges of Data Security in the Hospitality Industry
https://pre.hospitalitylawyer.com/the-unique-challenges-of-data-security-in-the-hospitality-industry/
Thu, 30 Aug 2018 16:00:28 +0000

The hospitality industry has been in the news frequently over the past year as a result of multiple and significant data security incidents. Nationally recognized hotel and resort brands continue to suffer cyber-attacks, including theft of payment card data from their retail and food/beverage outlets, and at times theft of guest data from reservations and management computer systems, and nationally recognized restaurants have also been subject to similar cyber-attacks on their point of sale systems. In addition, less sophisticated data incidents regularly occur through theft or loss of mobile data and paper data. Recent notable breaches in the industry have affected the following companies in multiple locations:

[Image: list of restaurant and hotel companies that have experienced data breaches]

Why is the hospitality industry such a frequent target? What makes this industry uniquely vulnerable to information threats? This article will examine those questions and suggest certain measures that hotel and restaurant companies can employ to try to mitigate the risks to information that they own or possess.

Multiple Parties Are Involved In The Equation

Hotel companies and many restaurant companies face unusual problems when it comes to cyber security and vulnerability to data theft/loss due to traditional ownership/management/franchise structures as well as the way hotels and restaurants tend to operate.

For branded hotels (and many branded restaurants), typically at least three parties are involved in a functioning hotel business: the franchisor or “brand,” the owner (or owners’ group) and the operator a/k/a the management company. Each of those entities plays a particular role in the function of the hotel as a business, and each may have its own computer systems or stored information:

Franchisor

  • Owns the “flag” of the brand and in exchange for use of its marks and marketing services, can impose its own standards for hotel features, including the process for booking rooms;
  • Typically mandates that the owner install a particular hardware/software suite to handle the reservations functions;
  • Maintains ownership and control of that system through contractual means; and
  • Typically claims ownership of guest data that is input into the reservations system by hotel employees or others.

Owner

  • Typically not the brand; could be individuals, investor groups or major asset holding companies, including investment funds, insurance companies, banks;
  • May have varying degrees of involvement in operational issues that include guest or employee data; and
  • May own separate “point of sale” payment card systems for food/beverage/retail outlets situated within the hotel.

Operator

  • If independent from Owner, will usually have a management agreement with the Owner that establishes an agency relationship with Owner for purposes of all day-to-day hotel operations;
  • Third party operators are usually the formal employers of hotel personnel and maintain all employee data (including Social Security Numbers);
  • May collect guest data prior to inputting same into the reservations and management system owned by the franchisor, if the hotel is branded; and
  • May obtain and maintain payment card information associated with group bookings.

Sometimes the complex relationship between franchisors, owners and operators requires that information be shared, or that separate computer systems be tied to each other. For example, as indicated above, major hotel brands require all of their franchised hotels to utilize the brand’s reservations and management computer system when booking or checking in all guests. Thus, hotel owners and operators are forced to have their own on-site personnel utilize the computer system of another company when transacting business with guests. In addition, hotels, like restaurants and other consumer businesses, often permit interfacing between their own computer systems and those of third party vendors or credit card processors.

All of this means that hotel and restaurant systems are to some extent dependent upon the security measures and practices of other entities which the hotels and restaurants do not control. A classic example of this is the Wyndham Worldwide breaches which occurred in 2008 and 2010, where hackers were able to penetrate Wyndham’s central reservations database through a hack of a single franchised hotel, and then use the Wyndham system’s connections to dozens of other individual franchised hotels to steal hundreds of thousands of sets of credit card data.

The Hospitality Industry Does Business By Payment Card

Credit and debit card data has long been a preferred target of data thieves. Payment by card is the mainstay of most hotels and restaurants. Therefore, hotels and restaurants represent a tantalizing treasure chest of data for cyber criminals to try to crack open.

The Wyndham Worldwide series of data breaches, where the brand’s reservations system was the subject of the attacks, were certainly notorious in the world of hotel data incidents, but statistically most credit card data theft in hotels occurs due to malware affecting point-of-sale (“POS”) systems, rather than the brand reservations systems for guest room bookings. Of the twenty-one most high-profile hotel company data breaches that have occurred since 2010, twenty of them were a result of malware affecting point-of-sale systems in hotel restaurant, bar and retail outlets. This is also true for the recent restaurant data breaches affecting Wendy’s, Arby’s, Landry’s and Noodles & Company, which were all the result of malware affecting point-of-sale systems in several locations.

Cyber criminals, through a variety of methods, are able to infect POS systems with credit card data-scraping malware that captures personal account data at some point during the payment process. This malware is often capable of moving between connected systems and may infect groups of hotels and restaurants that are either related by common brand or by a common third party operator and may often operate for several months or even years before being detected by the operator.

Some hotel credit card compromises are not high-tech in nature. Many hotels still tend to receive faxed credit card authorization forms for company bookings or group bookings, and often the faxed paper forms, which contain credit card numbers and expiration dates, are kept in a non-secure manner, such as in binders behind the hotel front desk. These paper forms are susceptible to being lost or stolen, and while many state breach notification laws do not expressly cover loss or theft of paper data, a growing number of state laws do. For example, the data breach laws of California, Hawaii and Alaska all protect data in any form, including paper, that contains personally identifying information.

In addition to these “paper” breaches, the hotel industry is also vulnerable to identity thieves targeting guests who may be unfamiliar with the area or the hotel. The thieves use various schemes including calling hotel guests, posing as the front desk, to ask for updated credit card information or leaving fliers for pizza delivery with phone numbers directed to thieves who take down the guest’s credit card information.

Employee Turnover and Fluidity Contribute to Security Problems

In the hospitality world there tends to be a high degree of movement of employees in and out of particular locations. Hotel operators will transfer their skilled employees to other locations where they may be needed. Employees in less skilled positions tend to come and go frequently as well. Hotel or restaurant owners may decide to change third-party operating companies, and the new operator will bring in its own management-level employees to manage the location. Maintaining a consistently trained workforce is a challenge that the hotel industry shares with the restaurant industry.

In recent years many information security industry experts have identified a company’s employees as its most vulnerable point from a data security perspective. A fluid workforce means that it is more difficult to train employees in the secure receipt and treatment of personal information, in complying with privacy and security policies, in protecting and changing user access credentials, and in being alert for social engineering attempts. Keeping up with which employees have access to different levels of information is also challenging when there are frequent changes of personnel at particular job levels. Only certain job functions within a hotel setting require access to guest or employee personally identifying information, and hotel companies (as well as companies in other industries) are not always as careful as they should be about controlling access by job grade/description and making sure access is eliminated when an employee moves out of a particular position or is terminated.

How Can Hospitality Companies Better Prepare for and Combat Cyber Threats?

While hospitality companies have unique problems that tend to make them more vulnerable to threats of compromise and theft of personal information, there are ways that these companies can prepare for and mitigate against such risks, and there are lessons to be learned from looking at prior data security incidents. In analyzing recent breaches, it is likely that utilization of the following practices could have mitigated or prevented such incidents.

  • Contractual Risk-Shifting and Secure Handling Requirements: Franchisors, owners and operators, in their dealings with each other and third parties such as vendors and contractors, can help to control the risks inherent in sharing systems or information with others. Requiring specific cyber incident indemnification, where negotiating leverage permits, is useful to protect hotel companies from the economic consequences of a breach incident caused by or contributed to by another party. In addition, contract provisions requiring compliance with minimum information security standards (e.g., compliance with Payment Card Industry Data Security Standards a/k/a “PCI-DSS”) or mandating third party compliance with a hotel company’s own security policies can reduce the risk of cyber incidents.
  • Employee Policy Enforcement and Training: Despite the fluidity of management and staff employees that is attendant to operating a hotel or restaurant, operators can and should consistently update their employee policies on data security and rigorously train employees who have access to data or systems. Where employees do not require access to personal information to perform their job functions, that access should be terminated. Policies concerning use of mobile devices, external information storage devices and internet usage should be enforced. In addition, to protect against identity thieves, employees should be trained on how to advise guests on potential risks and how to identify suspicious behavior and when to report suspected identity theft or data breaches.
  • Guard Guest and Customer Card Data: Considering that POS malware attacks are a very common type of cyber incident affecting hotels and restaurants, operators and owners should take extra care in selecting their POS system vendors and credit card processors. Agreements with those entities should be vetted and, if possible, modified to add protection and minimum data handling standards for the outside vendor. Compliance with PCI-DSS not only helps to ensure that data security software, hardware and practices are safer, but also helps to protect against fines and penalties which may be levied against hotels by the credit card industry for noncompliance with PCI-DSS when a breach occurs.

Authors

Sandy Brian Garfinkel: Mr. Garfinkel is a member with the law firm of Eckert Seamans Cherin & Mellott, LLC. He maintains a busy and diverse business litigation practice with a particular emphasis in the hospitality industry. As part of his work in the hospitality world he regularly assists hotel management and ownership companies in preparing for and responding to breaches of data security. He is also the founder and chair of the firm’s Data Security & Privacy Practice Group. Mr. Garfinkel can be reached at 412.566.6868 or at sgarfinkel@eckertseamans.com.

Malgorzata “Gosia” Kosturek Ms. Kosturek focuses her practice on hospitality law and general corporate law. She assists clients in numerous types of corporate transactions, including acquisitions, mergers, and financings, primarily in the hospitality industry. She is also a member of the firm’s Data Security & Privacy Practice Group. Ms. Kosturek can be reached at 412.566.6180 or at gkosturek@eckertseamans.com.

Not All Fun & Games: Sweepstakes and Contests in the Hospitality Industry
https://pre.hospitalitylawyer.com/not-all-fun-games-sweepstakes-and-contests-in-the-hospitality-industry/
Tue, 03 Jul 2018 16:00:56 +0000

A promotion is a marketing strategy devised to publicize or advertise a product, organization, or event. Hotels market their venues and services in a variety of ways, often employing creative strategies to help draw traffic to their establishment. When a hotel decides to use a sweepstakes or contest as a way of promoting itself, there are a number of legal requirements implicated by that decision.

Lotteries. A lottery is generally defined as a promotion in which all three of the following elements are present: prize, chance, and consideration. Lotteries, except those that are state operated, are illegal under federal law and the laws of all fifty states. Lottery laws are enforced by the following:

[Image: lottery laws as enforced on the federal, state, and other levels]

The penalties for failure to comply with federal and local laws depend on the venue and may include: consumer redress, awarding multiple prizes, fines (may be significant), cease and desist orders from future promotions, and corrective advertising.

Sweepstakes. A sweepstakes is generally defined as a promotion involving the elements of prize and chance. That is, sweepstakes are promotions in which winners are selected at random to win a prize.

Consideration. Consideration can be monetary or non-monetary (i.e., a purchase or payment but also the expenditure of a substantial degree of effort that directly benefits the sponsor). There are many different ways to remove the element of consideration. In at least 33 states, statutes or case law clearly state or suggest that only monetary consideration will trigger a lottery law challenge; six states do not expressly limit the definition of consideration to a monetary requirement; the remaining states do not clearly define consideration. This is an evolving issue (e.g., not long ago, requiring internet access to enter a promotion was deemed consideration in some states). Current “hot topics” include text messaging, user-generated content and social networking sites which may require a fee or action on behalf of the entrant.

Alternative Method of Entry “AMOE”. A chance promotion with a viable, free AMOE which does not place the entrant at any real or perceived disadvantage vis-à-vis those who pay to play should not run afoul of lottery laws. Key considerations to avoid: (a) lack of universal availability; (b) separate deadline dates (especially problematic for mail-in entries); (c) separate prize pools; (d) disparity in number of chances to win; (e) insufficient number of free entry opportunities/methods; (f) real or perceived disadvantage to those who enter via AMOE; (g) burdensome entry requirements compared to purchase entries. The AMOE must have “equal dignity” to the purchase entries.

Contests. Contests are promotions in which winners are selected to win a prize on the basis of bona fide skill or objective criteria. Several state prize promotion/gambling laws prohibit requiring consideration, even in bona fide skill contests. In determining whether or not a promotion is a skill contest, states generally employ one of three tests: any chance test; dominant element test; material element test; or gambling instinct test. The hotel should focus on ensuring there are qualified judges and that any judging criteria applied to entries is objective.

Official rules. Official rules serve as the contract between the sponsor and the consumer. They are the most crucial element of any promotion and should include:

list of official rules

Abbreviated rules must appear in all advertisements, entry forms, and promotional materials.

Procedural Requirements. Hotels considering a promotion should know that there may be registration requirements in AZ, FL, NY, and RI and bonding requirements in FL and NY.

Top Tips for New Hotel Brands Entering the US Market

Wed, 21 Feb 2018 01:03:08 +0000

As travelers are becoming more particular about their vacations and especially the hotels that they visit, hotel companies have been rushing to develop brands that provide distinctive experiences for even the most discerning traveler, from dog-friendly amenities to sustainability-focused properties. Companies bringing these new hotel brands into the US market include established U.S. and international hotel companies and start-up brands entering the hospitality market. These companies are tailoring their vision for a hotel much more finely than their hospitality predecessors, which results in unique considerations for both the brand (whether managed or franchised) and the developer.

  • Joint Vision/Motivated Parties – A new brand entering the U.S. has to show that it is fulfilling a niche in the market that has not already been captured. Therefore, in developing its first few hotel projects, finding the right location and developer are paramount. The brand needs to be certain that a developer will be (i) able to source a site that optimizes the brand strategy while offering significant visibility of the new brand to the market, (ii) able to complete the project on time and within their budget (to ensure the project is completed), and (iii) committed to the brand vision so that they will be equally focused on building to brand standards. But this requires quite a balancing act. For example, opening a flagship property in New York City under the new brand may provide great visibility but such a location comes with big city challenges such as union relations, greater regulation, greater cost to develop, and potentially longer lead times to open. From the developer’s perspective, it needs to make sure that the company behind the brand has the resources to support and grow the vision for the new brand and the financial commitment to overcome inevitable initial challenges in rolling out the brand so that the brand has a legitimate opportunity for long-term success.
  • Brand Investment – Although existing hotel brands typically allocate their overall brand marketing costs to their hotel owners, developers for new brands will often not be willing to bear the costs of ramping up the marketing efforts of the new brand both because of the significant upfront costs to launch a brand and the lack of a sufficient portfolio of hotels within the new brand to reasonably bear the allocated costs. Also, the brand may be looking to invest marketing dollars well outside the locales of its initial branded hotels in order to extend brand awareness, and to create interest for new developers to build branded hotels in other markets. That said, developers of initial brand hotels also benefit from such initiatives, especially if their hotels are located in gateway markets, so such developers may be more motivated to contribute to marketing campaigns that do not have an immediate impact on their local market.
  • Developing Vision – Another consideration for new brands is that the brand standards may not yet be fully defined or may be evolving at the time of the initial project development. This may allow an initial developer to be part of developing the brand vision or, alternatively, may allow the developer to request some concessions or changes to the standards for the project. However, this may also cause frustration between the brand and the developer as there is not a defined set of standards for the brand to point to in negotiating the agreements or requesting capital expenditures. This may be true even if the brand is already established in another market outside the US as some changes to the brand standards may be necessary to adjust the brand for the US market or to comply with US laws. To avoid unnecessary tension between the brand and its initial developers and in order to avoid development delays as these conflicts are ironed out, it is important that the brand and the developer agree upfront on what is meant by the brand’s standards, such as whether there are comparable existing hotels the parties can look to in the future that set the quality level of the brand’s standards, the projected competitive set of hotels to the new hotel, and the projected costs of implementing the standards, from a hard and soft goods perspective and from an operational and staffing perspective.
  • Brand Resources – Unless the brand is being launched by an established US brand or an established international brand, there may or may not be a larger platform supporting brand services for the initial hotels opening under the new brand, such as technical services, reservations, and purchasing. So the developer may be agreeing to brand services that may be developed in the future, may never be developed or may never grow beyond a small platform or a limited number of properties. For the developer, it is important to ensure that the cost of any centralized services is fairly allocated to the property (i.e., the first hotel should not bear the burden of the entire centralized services or marketing costs for an international brand and the marketing fee should be fairly allocated between US and international marketing efforts). The brand should be sensitive to these concerns and have a strategy for the timing of development of brand resources in the future to present to any potential developers.
  • Brand Longevity – One of the biggest considerations for the brand and the developer is what happens if the brand does not grow or somehow misses the mark. If the hotel is not successful, then both parties may want to either end the relationship or reposition the property. It is important for the parties to discuss the parameters for any exit ahead of time as the brand’s and the developer’s interests may not be aligned once the hotel fails to hit projections.

Above all, both the brand and the developer need to keep in mind that working with a new brand is different than working with an established brand and, to ensure that the project and the brand are a success, both sides need to be flexible in addressing the inevitable challenges of launching a new brand.

Hotels and Restaurants; Prime Real Estate for Slip and Fall Accidents

Sat, 27 Aug 2016 00:07:26 +0000

By David B. Willis, Member
Eckert Seamans Cherin & Mellott, LLC – Boston

Slip and falls are the number one cause of accidents in hotels, restaurants and public buildings according to the Bureau of Labor Statistics. Injuries from a seemingly incidental fall here or trip there are estimated to cost some $70 billion annually according to the National Safety Council.

In fact, the Centers for Disease Control has determined over one million people each year are injured in slip and fall accidents and unbelievably more than 70 percent of these slip and fall injuries occur on flat level surfaces. And it’s not just hotel or restaurant guests that are impacted: the National Safety Council estimated compensation and medical costs associated with just employee slip and falls is approximately $7 billion annually.

We’ve all seen people trip, and yes, sometimes, if it’s someone we know, a little stumble can even be a bit funny, but really these kinds of accidents are no laughing matter. OSHA has reported that slips, trips and falls are 15% of all accidental deaths, are second only to motor vehicle accidents as a cause of death, and account for over 17,000 deaths each year.

The most common causes of slip and falls are obvious and, it would seem, easy to fix because of this, but those fixes don’t always happen. We will take a closer look at some of the most common causes of slip and fall accidents and steps that can be taken toward preventing them in the future.

Common causes of slip and fall accidents (and how to help avoid them in the first place)

First, it’s important to examine some of the most common causes (direct and indirect) of slip and fall accidents. Direct causes are such things as spilled liquids, food, cracked or broken tiles, worn mats, cracked or broken sidewalks, uneven steps, ice and snow, potholes, and physical obstacles. Indirect causes include inadequate or dim lighting, and missing handrails or guardrails, among other things. Some of the most common causes include:

  • Wet Floors. Food or beverages, rain, snow, and ice can be deposited on the floor or tracked into buildings. In reviewing housekeeping, maintenance, and cleaning policies, floors should be cleaned during non-peak hours and the premises inspected on a consistent and routine basis. Audits should be conducted, and performance tracked and retained. Cleaning/Checklists should be filled out and retained for a sufficient period of time. Caution/warning signs need to be placed in close proximity to the actual spill or wet area. These signs should be sufficient in number and placed in a timely manner so as to provide adequate warning.
  • Ice and Snow. A business is responsible for the sidewalks, parking lots and landscaping on their property. Walkways may include areas outside the sidewalks immediately surrounding the building. In most cases, the law does not require a business owner to remove snow and ice off the property. However, if the weather causes an unusually heavy accumulation of snow on the roof, and that snow then melts and drips off onto the sidewalk and freezes on the ground, the business owner could be held responsible for an injury resulting from the ice created by the melting and refreezing. Regular inspections of the property, gutters and downspouts will help identify potential problems.
  • Misplaced Physical Objects. Misplaced mats, furniture, door stops, moldings, fallen merchandise, power cords or wiring can all be the source of a slip and fall injury. A number of hotels and/or restaurants have made it the responsibility of the surveillance teams to monitor various areas of the property and notify the proper internal group to address any perceived problems.
  • Congested Means of Ingress and Egress. Business owners must ensure adequate means for patrons to enter and exit the building or premises without severe congestion. Heavy amounts of congestion through obstructed areas could cause a business owner to become liable for injuries stemming from the congestion. To address these concerns, building maintenance coordinates with the event planners in scheduling ongoing maintenance so as to have minimal impact on visitors.
  • Inadequate Lighting. Dim or inadequate lighting can result in liability by hiding hazards such as steps, curbs, potholes or uneven pavement (and it can also invite criminals to assault or steal from patrons).
  • And a Note about Sidewalks. In some jurisdictions, the property owner is responsible for maintaining the sidewalk adjacent to its property. In other jurisdictions, the business owner and governmental entity share the responsibility for maintaining the sidewalk.

Preventative steps can help avoid slip and fall accidents

In addition to safety training, take time to survey a property – note potential hazards and take immediate action to eliminate these hazards. These steps include:

  • Maintain floors, sidewalks, aisles, and walkways at regular intervals and document the inspections.
  • Provide regular training for employees regarding safety measures and protocols with immediate reporting.
  • Create safety protocols and instruct employees in slip and fall safety – create and retain incident reports. Instruct employees on procedures for assisting customers who have fallen – emergency assistance, police and rescue.
  • Conduct regular maintenance of outdoor areas including sidewalks, play areas, and parking lots, and monitor and repair landscaping, potholes, and lane markings, and remove any obstacles.
  • Maintain records of maintenance including actions to remove and repair conditions. Make sure governmental inspections are all passed and maintain proof of passing scores.
  • Conduct regular safety surveillance of mats, carpeted floors, lighting, litter, fallen merchandise, and uneven or buckled flooring.
  • Maintain proper liability insurance with periodic policy reviews.
  • Improve safety through constant monitoring, setting benchmarks, and examining policies and procedures.

Beyond these day-to-day safety procedures and protocols, staff training, and monitoring/inspections to ensure the safety of your grounds, there are some “big picture” planning principles that can be implemented. For example, it’s important to measure (and record) the slip resistance of all floor surfaces (both wet and dry) on the property.

A number of hotel, restaurant and resort companies have started to address slip and fall concerns by conducting floor slip resistance testing, which establishes baseline benchmarks using a tribometer set to ASTM requirements in order to establish both dry and wet coefficients of friction for inside and outside walking surfaces. They then monitor the findings and conduct routine audits to ensure compliance with standards (and promptly take any corrective action as required). It is critically important to establish this baseline, in case of future claims geared toward improper flooring.

Also, when considering the installation of new flooring, take the opportunity at the initial design and material selection stage to ensure that appropriate design and materials are used, with safety top-of-mind. With respect to existing floors, if your internal floor slip resistance testing demonstrates a below standard coefficient of friction, steps will need to be taken to replace or apply various treatments to bring the flooring up to standard. Implementing a science-based, measurable, benchmarked, and audited program can go a long way in limiting liability and capturing value for your organization.

What to do if a slip and fall accident occurs

Unfortunately, even when all of the necessary safety precautions are in place, slip and fall accidents can still happen. Hotel or restaurant owners and operators need to understand it starts at the top. Safety is a culture and that means from the CEO on down. It is every single employee’s duty to improve safety. Training staff is critically important in building a culture of safety. Part of this training includes periodically conducting drills on these slip and fall protocols to make sure everyone is prepared and trained for what to do in the event an incident occurs, as staff are the likely first responders to slip and fall incidents:

  • Offer assistance – immediately call for medical attention, police, and other first-responders, as appropriate.
  • Gather documentation – prepare a comprehensive incident report, including witness statements and contact information, and a statement from the injured party.
  • Secure video surveillance footage and/or take photographs of the scene and the claimant (if they allow you).
  • Report the incident to risk management, legal and the insurance carrier.
  • Follow up with the claimant within 24 hours. Let them know of your concern, and find out if they sought medical attention. Also have a corporate representative contact them within a few days, and maintain records of all contact (and outcomes). If the area of the fall is defective, make sure building operations and risk management are aware of the hazard so that it can be repaired as soon as possible.
  • Preserve evidence, i.e. a mat, floor tile, etc. DO NOT conceal evidence. It can result in additional damages from a separate cause of action for spoliation of evidence.
  • Monitor for and keep record of social media postings by the claimant/plaintiff.

Slip and falls may still happen, so what’s next?

Even with the best of intentions, and with industry leading policies and procedures, proper vigilance and pro-active maintenance and repair, slip and fall accidents will still occur. For property owners in the hospitality industry, it is crucial to develop world class legal protocols designed to limit liability and manage slip and falls when they do happen.

All strategies begin with an initial assessment or audit. Where are we experiencing incidents? How often are they occurring? What can we learn about each incident? After collecting this data, the next step is to establish benchmarks. Benchmarks should be established by specific measurement where practical. Gathering data from insurance carriers or brokers and other similar players within the industry is helpful in evaluating how your business compares to others in the same industry. Then implementing a program of constant monitoring followed up by auditing those results will create a culture of safety that will produce measurable cost savings. This culture of safety may involve creating custom models designed to address specific concerns or more broad applications to address systemic problems.

In the final analysis, creating a culture of safety will produce a significant reduction in litigation costs. Even though slip and falls may be a cost of doing business in the profitable and visible hospitality industry, the safety of guests, staff and other visitors does not have to take a back seat to profit.

David Willis, a trial attorney with more than 25 years of litigation experience, focuses his national practice in the defense of corporations in the areas of complex tort, commercial, and employment law. He represents both public and private corporations in the areas of hospitality, specifically the food and beverage industry, franchise, health care, transportation, and environmental law. David has extensive multi-jurisdictional trial experience and has tried to verdict over 50 cases in state and federal courts.

Eckert Seamans’ practice reflects virtually every industry and segment of the country’s business. Clients include Fortune 500 companies, financial institutions, newspapers and other media, hotels, health care organizations, airlines, and railroads. The firm also represents numerous federal, state, and local governmental and educational entities. In order to provide access to legal resources that enhance our ability to serve clients’ needs around the world, Eckert Seamans is a member firm of SCG Legal, a global network of over 145 independent law firms located in 82 countries. For more information about the firm, please visit www.eckertseamans.com

Anatomy of a Hotel Data Breach

Tue, 10 Nov 2015 16:00:36 +0000

Data breach incidents have dominated the news in 2014, and they are only becoming more frequent and damaging. Every industry and every type of business has been a victim of cyber intruders or other types of data loss or theft. Information criminals take everything from sensitive corporate trade secrets to customer or employee personal information, including credit card account numbers, bank account codes, social security numbers, e-mail addresses and other items useful in carrying out identity theft. Security industry experts have estimated that 78% of all companies and organizations in the United States suffered some sort of data loss or theft within the past two years. The prevailing view among most analysts is that data breaches are unavoidable, and that it is not a question of if companies will become victims, but when, and how prepared they will be to react when it happens.

Unfortunately, hotels and hotel companies have been, and continue to be, tempting and frequent targets for data thieves.

Why are hotels of such interest to information thieves? Several factors could be to blame. One may be that hotels do such a large amount of business through credit and debit card transactions, and payment card fraud is a favored type of identity theft crime among cyber criminals and those to whom they sell their stolen information. Another may be that hotels frequently must tie their data and computer systems together with the computer systems of others, such as the major hotel brands and, at times, outside vendors or contractors. High employee turnover and, in many cases, poor employee training in security practices may also contribute to the vulnerability of hotels to data thieves.

Wyndham’s Data Incidents

Arguably the most notorious set of hotel data breach incidents happened to Wyndham Worldwide Corporation during the period of 2008-2009. Here’s how those incidents unfolded:

In April of 2008, foreign hackers gained access to Wyndham’s computer system through a single computer in one of Wyndham’s franchised hotels that an employee at the property had connected to the internet. The internet connection permitted the hackers to intrude into the hotel computer. This computer was also connected to Wyndham’s property management and reservation system (all Wyndham franchised hotels are required by contract to utilize Wyndham’s management and reservations system). This pathway was used by the hackers to gain access to Wyndham’s own servers at its data center in Phoenix, Arizona. Once inside Wyndham’s system, the hackers obtained administrator passwords and access codes. At that point, the intruders had a ready pipeline to reach individual Wyndham franchised hotels that were connected to Wyndham’s central servers.

Within approximately a month, the hackers had used Wyndham’s computerized connections with its franchised hotels to compromise the computer systems of 41 different properties. Unfortunately, it took Wyndham a number of months to recognize that the intrusion had occurred.

Even more regrettably, the hackers returned twice more in 2009. Wyndham believed that the security vulnerabilities that had allowed the 2008 attack to occur had been remedied, but they had not. The second cyber attack on Wyndham resulted in the compromise of information from 39 franchised hotels; the third, 28 hotels.

The hackers, believed to have been operating from Russia, stole guest credit and debit card account information. In total, over 600,000 accounts were compromised in this series of breaches. By no means do these incidents qualify to be among the largest data breaches on record, especially compared to a few of the more recent highly publicized incidents, such as the 2013 pre-Christmas cyber attack against Target, in which over 70 million individuals were affected, or the more recent eBay data breach, which is said to have impacted over 233 million people. Nonetheless, the potential for payment card fraud as a result of the Wyndham breach has been estimated to exceed $10 million.

The consequences to Wyndham have been serious and seemingly endless. Initially, just after the incidents occurred, Wyndham issued notifications to all affected individuals. Such notifications are required by the data breach notification statutes of 47 U.S. states. The notification process was extremely expensive, in part because Wyndham first had to obtain contact information for the affected people based only upon credit card account numbers. Wyndham also provided a year of credit monitoring to affected individuals, at the company’s cost. In addition, Wyndham was required to spend time and resources attempting to satisfy a number of state consumer protection regulators and state attorneys general that it was adequately responding to the breaches.

As notifications were being processed, the franchised hotels began receiving notices from their credit card processors that the major credit card companies would be imposing assessments against the hotels, as merchants, for recovery of fraud costs associated with the breach incidents. The hotels turned to Wyndham and sought indemnification for these assessments. Ultimately, Wyndham bore the legal costs of challenging the majority of the credit card brand assessments and obtaining reductions in the fines.

Wyndham’s woes over the breach incidents were only just beginning. In April of 2012, the Federal Trade Commission brought a lawsuit against Wyndham in federal court, alleging that Wyndham had failed to observe adequate security practices concerning personal consumer information, and that these failures amounted to unfair and deceptive trade practices. The Commission’s complaint quoted the privacy policy which appears on Wyndham websites, which stated that Wyndham would use commercially reasonable efforts to protect the personal identifying information of its customers. The complaint then went on to allege that Wyndham had failed to employ reasonable industry practices to safeguard guests’ data. Wyndham asked the court to dismiss the lawsuit, arguing that the Commission had overstepped its authority to regulate by claiming to have the right to enforce unwritten, unspecified data security standards against companies. Over a year after it was filed, the court denied Wyndham’s motion to dismiss in early 2014. The trial court specially certified the question of the FTC’s jurisdiction so that it could proceed immediately to appeal before the Third Circuit Court of Appeals. On August 24, 2015, the Third Circuit issued a decision affirming the trial court’s holding that the FTC had the power to sue Wyndham, and thus the enforcement action will proceed.

If that were not enough, in May of 2014, a Wyndham shareholder brought a derivative action lawsuit against Wyndham. The claims in that lawsuit focus on the fiduciary liability of Wyndham’s board of directors for the data breaches themselves as well as the ensuing Federal Trade Commission lawsuit. The complaint alleges, among other things, that Wyndham failed to disclose the incident to shareholders in its financial filings in a timely manner. Wyndham has already filed a motion to dismiss the shareholder complaint, but no decision has been issued on that motion as of the time of the writing of this article.

The fallout and consequences to Wyndham from these events have been dire. Adverse impacts to Wyndham include harm to its image and reputation, the cost of notification of consumers and credit monitoring, legal fees and loss of goodwill among consumers, among other things.

What Can Be Learned From the Wyndham Breach Incidents?

Security experts and analysts are becoming more vocal in warning consumers and corporate America that data intrusions are unavoidable. It is becoming the accepted industry wisdom that a determined hacker can get into virtually any system, regardless of how well it is protected. Therefore, it is difficult to say that a good lesson to take away from the Wyndham data incidents is that hotel companies should attempt to make themselves invincible against cyber attacks. Moreover, hotels often have certain inherent vulnerabilities to data theft, including the requirement that their computer systems must often be tied to those of entities which they do not control. There is no easy solution to this circumstance.

Rather, industry experts, as well as lawmakers, are beginning to call for faster and better intrusion response as a defense – through implementing closer monitoring and tighter protocols to detect breaches earlier, and having detailed and rehearsed cyber incident response plans, to name a few. Data breach response plans should include, among other things: creation of an incident response team (company officers, general counsel, outside data breach response counsel, information technology personnel, communications personnel, risk management personnel, etc.); a game plan for analyzing and containing a breach incident, including identification of a forensic assessment and response firm; and a plan for notifying affected individuals and government agencies where required. Speed in responding to an exposure or theft of information is a key component to reducing a company’s exposure after a breach. The Wyndham incidents underscore that delays in identifying breaches and shutting down exploited system vulnerabilities, in notifying affected people and consumer protection agencies, and in notifying shareholders, can all lead to higher levels of exposure.

One way to mitigate some of the breach-related costs similar to those incurred by Wyndham is to carry cyber protection insurance. The use of cyber insurance is widely increasing as data breach incidents become more frequent and more broadly reported through the media. Cyber policies come in a wide variety of forms and costs. The scope of coverage and exclusions from coverage must be carefully assessed to make sure a company has reasonable protection in exchange for its premium payments.

In the end, hotel owners, management companies and brands may not be able to avoid becoming the victims of cyber attacks, much in the same way that Wyndham and its franchised hotels became victims. What hotel companies can control, and should strive to prepare for, is their readiness to respond.

About Eckert Seamans

Eckert Seamans Cherin & Mellott, LLC has more than 375 attorneys located in 14 offices throughout the United States, including Pittsburgh, Harrisburg, Philadelphia, and Southpointe, Pa.; Boston; Washington, D.C.; Richmond, Va.; Wilmington, Del.; Newark and Trenton, N.J.; White Plains, N.Y.; Providence, R.I., Troy, Mich. and Charleston, W.Va.  The firm provides a broad range of legal services in the areas of litigation, including mass tort and products liability litigation, corporate and business law, intellectual property law, labor and employment relations, aviation law, bankruptcy and creditors’ rights, employee benefits, environmental law, construction law, municipal finance, real estate, tax and estate law, trucking and transportation law.  Eckert Seamans’ practice reflects virtually every industry and segment of the country’s business and social fabric. Clients include Fortune 500 companies, financial institutions, newspapers and other media, hotels, health care organizations, airlines and railroads. The firm also represents numerous federal, state, and local governmental and educational entities. In order to provide global reach and access to legal resources that enhance our ability to serve clients’ needs around the globe, Eckert Seamans has partnered with Lex Mundi, the world’s leading association of independent law firms, with a network of 160 member firms in more than 100 countries and offices in 600 business centers around the world; as well as SCG Legal, a global network of over 145 independent law firms with more than 11,500 attorneys. For more information about the firm, please visit www.eckertseamans.com.

Long Term Hotel Guests Might Not Be So Easy to Remove
https://pre.hospitalitylawyer.com/long-term-hotel-guests-might-not-be-so-easy-to-remove/
Mon, 28 Sep 2015 16:00:48 +0000

co-authored by Sandy Garfinkel and Eric J. Zagrocki

Hotel owners and operators may be surprised to learn that under many states’ laws, hotel guests who stay for lengthy amounts of time may be deemed to have become tenants rather than hotel guests.  These hotel companies may be in for a surprise if it ever becomes necessary to ask the guest to leave the property because of nonpayment, inappropriate conduct or a myriad of other issues that may arise with a long term guest.  Once a guest is considered to be a tenant in the eyes of the law, the process of formal eviction under a state’s landlord-tenant statutes, rather than simple ejection from the property under more favorable hotel-guest provisions, may have to be followed, and that process can be time-consuming and costly.

When dealing with a long term guest, rights and duties of the guest and the hotel will vary depending upon the applicable state law, and states vary widely in how they treat this situation.  Although an exhaustive review of all state laws will not be provided in this article, a few specific examples illustrate the story.

Under New York state laws, a “tenant” is defined to include an occupant of one or more rooms in a hotel who has been in possession for 30 consecutive days or longer, but is not a “transient occupant.”  There is no precise standard in New York for determining whether a person is a “transient occupant.”  Rather, the answer depends upon the entire context of the situation, including whether there is evidence that the person has a permanent residence elsewhere and that the period of his or her stay at the hotel is not intended to be permanent.  A number of other states use the “transient occupant” (also sometimes called “transient guest”) concept as part of their analysis on this topic.

In New York, once a hotel guest has become a “tenant,” he or she may not be removed from occupancy of the hotel room unless specific eviction procedures are followed.  For example, a written eviction notice must be personally served on the tenant at least 30 days before the hotel may do anything to recover possession of the room.  Other guests may find it odd that legal eviction notices are posted on adjoining hotel rooms.  If the tenant does not voluntarily leave by the end of the notice period, the hotel must file a petition with the courts seeking ejectment and possession of the room, which requires notice to the tenant, as well as a hearing.  Weeks and months may pass while this process takes its course.

In contrast, Texas treats this situation very differently.  There, no statute exists which defines when the status of a hotel guest may transform into that of a tenant.  That question turns instead upon whether the guest can establish that he or she has “exclusive possession” of the room.  Texas courts have held that “exclusive possession” does not exist where the hotel continues to exercise control over the room during the guest’s occupancy.  “Control” may include the fact that hotel personnel clean and maintain the room and that the hotel maintains a key to the room, among other things.  If a guest cannot establish exclusive possession of the room, then statutory eviction procedures need not be followed for the hotel to eject the guest and recover possession of the room.

Louisiana takes yet a different approach.  There, if at the time a guest checks in, a departure date has been established, then the guest will acquire no additional rights to stay beyond that date so long as the hotel provides a written notice to depart at least one hour prior to required checkout on the last day of the stay.  Although not entirely clear, failure to give the notice to depart by the mandated date and time may result in the guest acquiring additional rights to a longer possession of the room.  

Hotels can take some practical steps to try to avoid the formation of a landlord/tenant relationship with their guests.  Establishing a definite termination date for the stay helps to defeat a presumption that the guest intends to “reside” at the hotel rather than merely stay there temporarily.  Documenting that the guest has another permanent residential address provides another piece of evidence that may be useful to defeat a claim of tenancy.  Some other best practices include:

  • Do not permit guests to receive regular mail deliveries at the hotel;
  • Do not agree with the guest to suspend room cleaning service or other activities that require entry into the room by the hotel and which thereby indicate that the hotel maintains control of the room;
  • Avoid treating a long term guest differently than short term guests by agreeing to special rates and privileges or by foregoing any regular hotel policies or practices at the long term guest’s request;
  • Charge and collect payment from the guest in the same manner as the hotel does for other guests;
  • Refrain from providing long term guests with special facilities or amenities that are unavailable to shorter term guests; and,
  • Reserve the hotel’s right to relocate the guest to another room at any time.

By developing these types of policies and procedures in dealing with long term guests, and by training hotel staff in how to follow them, hotels can minimize the possibility that someone will go to bed as a guest one night and wake up as a tenant the next morning.  

Sandy Garfinkel has a diverse litigation practice, which focuses primarily on business litigation with a particular emphasis in the hospitality industry.  He represents hotel and resort management companies, owners and developers in dealings and disputes involving franchisors, vendors and guests.  He also advises those companies concerning compliance with electronic data security laws and industry standards, and in responding to breaches of data security. Sandy may be reached at sgarfinkel@eckertseamans.com or 412.566.6868.

Eric Zagrocki is experienced in a broad range of real estate and corporate matters.  He concentrates his practice in the area of commercial real estate and has represented sellers, purchasers, developers, lenders, landlords and tenants in a wide variety of matters relating to the purchase, sale, leasing and finance of commercial real estate. Eric can be reached at ezagrocki@eckertseamans.com or 412.566.1987.

This article is intended to keep readers current on developments in laws impacting the hotel and hospitality industry, and is not intended to be legal advice.  

Drafting Agreements to Avoid Picking the Wrong Arbitration Forum
https://pre.hospitalitylawyer.com/drafting-agreements-to-avoid-picking-the-wrong-arbitration-forum/
Mon, 17 Aug 2015 16:00:23 +0000

Editor’s note: This article describes a hypothetical situation.

Bob has studied the rules of various arbitration providers. He knows an effective advocate chooses the arbitration forum that offers the rules best suited for the particular controversy. So, for instance, “If you want depositions, why not pick an arbitration forum whose rules expressly allow depositions?” Always the riddler, Bob put this question on his office wall.

Bob soon had a chance to put words into action. His client was involved in a messy business dispute that spilled over into a contentious litigation. Using his code words—more expeditious, more cost-effective, and confidential—Bob convinced the other side to arbitrate the dispute. The parties asked the court to enter an agreed order sending the case to arbitration.

Bob needed a couple depositions to prove his case. He drafted an arbitration agreement that identified ABC Arbitration Co. as the arbitration provider: “The parties agree that all disputes at issue in the current litigation shall be settled by arbitration administered exclusively by ABC Arbitration Co. Judgment on the award rendered by the arbitrator may be entered in any court having jurisdiction thereof.”

Why ABC? Because its rules stated, “Each party may take two depositions of an adverse party.” Deposition problem solved. Another example of brilliant drafting that anticipated and resolved a potential snare.

There was one problem: ABC Arbitration did not exist. Bob and his adversary could not find ABC’s offices, website or anything having to do with ABC. “No matter,” Bob assured his client. “The parties can select another arbitration provider and can proceed with the desired arbitration.”

Except that Bob two days later received his adversary’s motion to vacate the stipulation and order that directed the parties to arbitration in the first place. His adversary’s argument was simple. The arbitration provision identifies ABC as the arbitral forum; ABC does not exist and cannot arbitrate the dispute; consequently, the parties cannot arbitrate their dispute in accordance with the arbitration clause.

Must the parties now return to court or can Bob salvage the arbitration?

Section 5 of the Federal Arbitration Act states: “If in the agreement provision be made for a method of naming or appointing an arbitrator or arbitrators or an umpire, such method shall be followed; but if no method be provided therein, or if a method be provided and any party thereto shall fail to avail himself of such method, or if for any other reason there shall be a lapse in the naming of an arbitrator or arbitrators or umpire, or in filling a vacancy, then upon the application of either party to the controversy the court shall designate and appoint an arbitrator or arbitrators or umpire, as the case may require, who shall act under the said agreement with the same force and effect as if he or they had been specifically named therein; and unless otherwise provided in the agreement the arbitration shall be by a single arbitrator.”

How do courts determine whether the process for naming an arbitrator “lapses”? If the provision says the designated forum is the “exclusive” arbitral forum, there is a lapse and the court will not enforce the arbitration provision.

“If a designated arbitrator is unavailable, Section 5 of the FAA permits a court to appoint a substitute arbitrator in certain circumstances. Our court of appeals has not addressed the precise set of circumstances in which a court may appoint a substitute arbitrator, but other federal courts have held that Section 5 of the FAA generally permits a court to appoint a substitute arbitrator where the chosen arbitrator is unavailable, unless the selection of an arbitrator is ‘integral’ to the arbitration agreement, as opposed to an ‘ancillary logistical concern,’” the court wrote in Clerk v. Cash Central of Utah LLC, 2011 U.S. Dist. LEXIS 95494, at *13-*14 (E.D. Pa. Aug. 25, 2011).

How does one determine if the selection of the arbitrator is “integral” to the arbitration agreement? The court in Clerk said, “An arbitral forum is an integral part of an arbitration agreement if the agreement includes an express statement designating a particular arbitral forum to administer arbitration.” The Pennsylvania Superior Court agreed in Stewart v. GGNSC-Canonsburg, 9 A.3d 215, 219 (Pa. Super. 2010): “At a minimum, for the selection of an arbitrator to be deemed ‘integral,’ the arbitration clause must include an ‘express statement’ designating a specific arbitrator.” In Khan v. Dell, 669 F.3d 350 (3d Cir. 2012), however, the U.S. Court of Appeals for the Third Circuit reversed the rule. It said the choice of forum is an integral part of the agreement to arbitrate only if “the parties … have unambiguously expressed their intent not to arbitrate their disputes in the event that the designated arbitral forum is unavailable.” So what is an arbitration-contract drafter to do?

  • The drafter should decide whether this is an “all or nothing” situation. Is the chosen arbitral forum the only acceptable forum? If so, the drafter should expressly say the forum is “exclusive.” Did Bob consider this issue? No. Would a forum other than ABC Arbitration have worked for Bob? Probably. Did Bob’s arbitration provision achieve his avowed goal? No.
  • If another provider can substitute for the chosen arbitral provider, the drafter should make sure to avoid saying—expressly or impliedly—that the chosen provider is “exclusive.” Did Bob say the chosen provider was “exclusive”? Yes: “The arbitration [must be] administered exclusively by ABC Arbitration Co.” Did Bob really mean that? Nope. Did he consider the consequences of this language? Nope.

Could Bob have gotten his cake and eaten it too by ensuring that the parties go to and stay in arbitration even if the designated provider is not available? You bet. As Bob often tells anyone who will listen, “You first have to decide what you want to achieve in arbitration; you then use the language to get there.” Bob failed on both fronts. He is not going “there.”

Anatomy of a Hotel Breach – UPDATED
https://pre.hospitalitylawyer.com/anatomy-of-a-hotel-breach-updated/
Mon, 08 Jun 2015 20:23:31 +0000

Data breach incidents have dominated the news in 2014, and they are only becoming more frequent and damaging. Every industry and every type of business has been a victim of cyber intruders or other types of data loss or theft. Information criminals take everything from sensitive corporate trade secrets to customer or employee personal information, including credit card account numbers, bank account codes, social security numbers, e-mail addresses and other items useful in carrying out identity theft. Security industry experts have estimated that 78% of all companies and organizations in the United States suffered some sort of data loss or theft within the past two years. The prevailing view among most analysts is that data breaches are unavoidable and that it is not a question of if companies will become victims, but when, and how prepared they will be to react when it happens.

Unfortunately, hotels and hotel companies have been, and continue to be, tempting and frequent targets for data thieves.

Why are hotels of such interest to information thieves? Several factors could be to blame. One may be that hotels do such a large amount of business through credit and debit card transactions, and payment card fraud is a favored type of identity theft crime among cyber criminals and those to whom they sell their stolen information. Another may be that hotels frequently must tie their data and computer systems together with the computer systems of others, such as the major hotel brands and, at times, outside vendors or contractors. High employee turnover and, in many cases, poor employee training in security practices may also contribute to the vulnerability of hotels to data thieves.

Wyndham’s Data Incidents

Arguably the most notorious set of hotel data breach incidents happened to Wyndham Worldwide Corporation during the period of 2008-2009. Here’s how those incidents unfolded:

In April of 2008, foreign hackers gained access to Wyndham’s computer system through a single computer in one of Wyndham’s franchised hotels that an employee at the property had connected to the internet. The internet connection permitted the hackers to intrude into the hotel computer. This computer was also connected to Wyndham’s property management and reservation system (all Wyndham franchised hotels are required by contract to utilize Wyndham’s management and reservations system). This pathway was used by the hackers to gain access to Wyndham’s own servers at its data center in Phoenix, Arizona. Once inside Wyndham’s system, the hackers obtained administrator passwords and access codes. At that point, the intruders had a ready pipeline to reach individual Wyndham franchised hotels that were connected to Wyndham’s central servers.

Within approximately a month, the hackers had used Wyndham’s computerized connections with its franchised hotels to compromise the computer systems of 41 different properties. Unfortunately, it took Wyndham a number of months to recognize that the intrusion had occurred.

Even more regrettably, the hackers returned twice more in 2009. Wyndham believed that the security vulnerabilities that had allowed the 2008 attack to occur had been remedied, but they had not. The second cyber attack on Wyndham resulted in the compromise of information from 39 franchised hotels; the third, 28 hotels.

The hackers, believed to have been operating from Russia, stole guest credit and debit card account information. In total, over 600,000 accounts were compromised in this series of breaches. By no means do these incidents qualify to be among the largest data breaches on record, especially compared to a few of the more recent highly publicized incidents, such as the 2013 pre-Christmas cyber attack against Target, in which over 70 million individuals were affected, or the more recent eBay data breach, which is said to have impacted over 233 million people. Nonetheless, the potential for payment card fraud as a result of the Wyndham breach has been estimated to exceed $10 million.

The consequences to Wyndham have been serious and seemingly endless. Initially, just after the incidents occurred, Wyndham issued notifications to all affected individuals. Such notifications are required by the data breach notification statutes of 47 U.S. states. The notification process was extremely expensive, in part because Wyndham first had to obtain contact information for the affected people based only upon credit card account numbers. Wyndham also provided a year of credit monitoring to affected individuals, at the company’s cost. In addition, Wyndham was required to spend time and resources attempting to satisfy a number of state consumer protection regulators and state attorneys general that it was adequately responding to the breaches.

As notifications were being processed, the franchised hotels began receiving notices from their credit card processors that the major credit card companies would be imposing assessments against the hotels, as merchants, for recovery of fraud costs associated with the breach incidents. The hotels turned to Wyndham and sought indemnification for these assessments. Ultimately, Wyndham bore the legal costs of challenging the majority of the credit card brand assessments and obtaining reductions in the fines.

Wyndham’s woes over the breach incidents were only just beginning. In April of 2012, the Federal Trade Commission brought a lawsuit against Wyndham in federal court, alleging that Wyndham had failed to observe adequate security practices concerning personal consumer information, and that these failures amounted to unfair and deceptive trade practices. The Commission’s complaint quoted the privacy policy which appears on Wyndham websites, which stated that Wyndham would use commercially reasonable efforts to protect the personal identifying information of its customers. The complaint then went on to allege that Wyndham had failed to employ reasonable industry practices to safeguard guests’ data. Wyndham asked the court to dismiss the lawsuit, arguing that the Commission had overstepped its authority to regulate by claiming to have the right to enforce unwritten, unspecified data security standards against companies. Over a year after it was filed, the court denied Wyndham’s motion to dismiss in early 2014. The trial court specially certified the question of the FTC’s jurisdiction so that it could proceed immediately to appeal before the Third Circuit Court of Appeals. On August 24, 2015, the Third Circuit issued a decision affirming the trial court’s holding that the FTC had the power to sue Wyndham, and thus the enforcement action will proceed.

If that were not enough, in May of 2014, a Wyndham shareholder brought a derivative action lawsuit against Wyndham. The claims in that lawsuit focus on the fiduciary liability of Wyndham’s board of directors for the data breaches themselves as well as the ensuing Federal Trade Commission lawsuit. The complaint alleges, among other things, that Wyndham failed to disclose the incident to shareholders in its financial filings in a timely manner. Wyndham has already filed a motion to dismiss the shareholder complaint, but no decision has been issued on that motion as of the time of the writing of this article.

The fallout and consequences to Wyndham from these events have been dire. Adverse impacts to Wyndham include harm to its image and reputation, the cost of notification of consumers and credit monitoring, legal fees and loss of goodwill among consumers, among other things.

What Can Be Learned From the Wyndham Breach Incidents?

Security experts and analysts are becoming more vocal in warning consumers and corporate America that data intrusions are unavoidable. It is becoming the accepted industry wisdom that a determined hacker can get into virtually any system, regardless of how well it is protected. Therefore, it is difficult to say that a good lesson to take away from the Wyndham data incidents is that hotel companies should attempt to make themselves invincible against cyber attacks. Moreover, hotels often have certain inherent vulnerabilities to data theft, including the requirement that their computer systems must often be tied to those of entities which they do not control. There is no easy solution to this circumstance.

Rather, industry experts, as well as lawmakers, are beginning to call for faster and better intrusion response as a defense – through implementing closer monitoring and tighter protocols to detect breaches earlier, and having detailed and rehearsed cyber incident response plans, to name a few. Data breach response plans should include, among other things: creation of an incident response team (company officers, general counsel, outside data breach response counsel, information technology personnel, communications personnel, risk management personnel, etc.); a game plan for analyzing and containing a breach incident, including identification of a forensic assessment and response firm; and a plan for notifying affected individuals and government agencies where required. Speed in responding to an exposure or theft of information is a key component to reducing a company’s exposure after a breach. The Wyndham incidents underscore that delays in identifying breaches and shutting down exploited system vulnerabilities, in notifying affected people and consumer protection agencies, and in notifying shareholders, can all lead to higher levels of exposure.

One way to mitigate some of the breach-related costs similar to those incurred by Wyndham is to carry cyber protection insurance. The use of cyber insurance is widely increasing as data breach incidents become more frequent and more broadly reported through the media. Cyber policies come in a wide variety of forms and costs. The scope of coverage and exclusions from coverage must be carefully assessed to make sure a company has reasonable protection in exchange for its premium payments.

In the end, hotel owners, management companies and brands may not be able to avoid becoming the victims of cyber attacks, much in the same way that Wyndham and its franchised hotels became victims. What hotel companies can control, and should strive to prepare for, is their readiness to respond.

Originally published on Monday, 09 June 2014
2722 views at time of republishing
