Garvey Schubert Barer – HospitalityLawyer.com

FDA’s Menu-Labeling Update

Dan Vecchio — Sun, 08 Nov 2015 16:00:39 +0000

Since their official unveiling in December 2014, the FDA’s final menu-labeling rules have given rise to a multitude of questions from hospitality businesses who wonder how to comply or whether they must comply at all. The FDA, in turn, appears to be trying its level best to provide enough time and guidance to ease these businesses’ transition to the new rules. First, the FDA extended the deadline for compliance by a full year from December 1, 2015 to December 1, 2016, citing the agency’s extensive dialogue with chain restaurants, grocery stores, and other members of the hospitality industry.

This extension of the compliance deadline gave many businesses much-needed time to decipher and implement the new rules. In support of that effort, in September, the FDA released a set of draft “Guidance for Industry” consisting of question-and-answer discussions of the application of the rules to various hypothetical scenarios. The FDA is careful to stress that this guidance is “non-binding,” and that the “recommendations” therein reflect only the agency’s “current thinking” about the rules. In other words, take the guidance for what it’s worth, because it “does not operate to bind FDA or the public.”

With that rather hefty caveat in mind, hoteliers nevertheless may find that the guidance is worth quite a bit more than a grain of salt. That is because, nestled within a discussion about executive dining rooms, the FDA offers this nugget: “[E]stablishments that do not offer for sale standard menu items . . . for example, hotels that offer complimentary breakfast and hospitals that provide food at no cost to the consumer, would not be considered covered attachments.” That’s because the breakfast isn’t “sold” to customers – it’s given away. So for now, it looks like those croissants and morning coffees your guests enjoy gratis are free and clear of both cost to the customer and the ambit of the FDA’s labeling rules . . . unless the FDA changes its (non-bound) mind, of course.

Credit Card Fraud Liability Shift is Here

Benjamin Lambiotte — Wed, 14 Oct 2015 16:00:06 +0000

Most credit and debit cards in the U.S., and the point of sale terminals and ATMs that read them, still use “magnetic stripe” technology. Magnetic stripes are obsolete and relatively insecure, allowing fraudulent practices such as “skimming” (acquiring cardholder and account data by “reading” the strip, and then making fraudulent transactions or counterfeit cards). Magnetic stripe-based technology also does not support secure data transmission through contact or near-field contactless interfaces, which is seen as impeding the emergence of fully mobile cardless payment modes in the U.S.

Outside the U.S., the story is different. In Asia, Europe, and now in Canada, the payment industry technical standard is “EMV,” which uses a “smart” microchip embedded in the card, and acceptance devices designed to support the chip-based standard. Although the U.S. is the largest user of payment cards in the world, it has been nearly the last country to adopt and implement EMV in payment card transactions.

Because the EMV standard (developed by three major global credit card issuers – Europay, MasterCard, Visa – specifically to combat fraud) is inherently more secure, the U.S. is now the “weak link.” Experts predict credit card fraud “migration” to the U.S. Statistics bear this out. According to a recent Accenture study, in countries (such as the U.K.) where EMV has been implemented, rates are declining, while in the U.S., they continue to rise. Part of the EMV business case is that chip-based payment technology enables “dual-interface” combinations of cards and contactless mobile payment. The need to replace the old magnetic-based point-of- sale acceptance devices in order to implement EMV also presents an opportunity to enable contactless and mobile-ready technology at the POS.

The estimated nationwide costs of converting to chip-based cards and POS acceptance devices are about $8 billion. That has been the primary obstacle to implementation of EMV in the U.S. But major credit card issuers, facing mounting fraud losses, are forcing processing banks and merchants to implement the switchover.

The first step in that forcing process occurred in 2013. As of April 2013, all major U.S. credit card associations, Visa, MasterCard, Discover and American Express, require “acquirers” (banks that contract with merchants to accept or acquire credit card payments from card-issuing banks), service providers, and sub-processors to have the capability to process any EMV POS transaction, both contact and contactless. These entities must adhere to payment network rules and complete approvals, in order to begin processing and passing additional authorization data for EMV transactions.

October 1, 2015 Liability Shift

The next step is much more significant, and is now upon us. It directly affects any merchant who accepts credit or debit cards. Beginning today, on Oct. 1, 2015, MasterCard and Visa will shift liability for fraudulent counterfeit card transactions to the “non-EMV compliant” party. This means that, if a fraudulent transaction is made on a counterfeit card, and the merchant does not have EMV-compliant POS terminals, the merchant will be liable. If the merchant does have an EMV-compliant terminal, and the bank that issued the card issued a magnetic stripe card without an EMV chip, then the issuing bank will be liable.

Although most cards issued in the past couple of years in the U.S. are now chipped, according to most industry observers, many of America’s businesses, particularly small businesses, are not ready for the shift to EMV, at the point of sale. Reasons include a lack of awareness, and a complex technical validation and certification process that is backlogged, and taking longer than expected.

There is a fair amount of fear and confusion about the Oct. 1 “liability shift.” Practically speaking, the circumstances under which a merchant will be liable for a fraudulent transaction are fairly limited. First, the card must be a particular type of counterfeit: a phony magnetic strip type card, with tracking data copied onto the strip from a genuine chip card. Second, the merchant’s POS terminal device must be incapable of reading a contact chip. That is the only situation a merchant can be liable when it has done nothing wrong other than not having the right type of terminal equipment. On the other hand, if a counterfeit card has a chip, and the merchant does not have a terminal capable of reading the chip, but authorizes the transaction anyway, it will be liable for that poor decision. In most other counterfeit card situations, the issuer remains liable. Furthermore, the “liability shift” applies only to “card present” types of transactions, where a customer presents a card at the point of sale. In fact, many observers think this will drive fraud to “card not present” exchanges, i.e. online transactions. Still, the risk is real, and for certain types of merchants (ones who depend heavily on face-to-face card transactions), could be significant.

Steps to Consider

While hardware upgrades can be expensive, and complicated in large organizations, the liability shift will make conversion to EMV-ready POS devices inevitable. Hospitality industry businesses would be well advised to:

Begin implementing EMV now, if you haven’t already begun;
Ensure that your processing and POS equipment providers meet applicable EMV security and certification requirements; and if not, review contracts to determine if they can be terminated in favor of an EMV-ready vendor;
While upgrading to EMV, plan ahead, and consider deploying an integrated solution that will support some form of contactless mobile payment;
Work with the banks that handle your merchant accounts and their POS device providers to find out how and when they are implementing EMV;
Once EMV-ready terminals and related software are deployed, train front-office personnel on how “chip and pin” or “chip and sign” transactions work, and back office and IT personnel on configuration and validation requirements necessary to integrate EMV with legacy systems and work flows.

Larger organizations face a more complex CIO-level technology procurement and payments systems challenge, but there is no shortage of consultants and vendors focused on EMV implementation. Large or small, the change to EMV is already well underway.

Sharing is Daring under Browning-Ferris

Bernice Blessing — Sun, 27 Sep 2015 16:00:22 +0000

From franchisers and companies hiring workers through staffing agencies to participants in the so-called “sharing economy,” companies and individuals today enter into a variety of contractual arrangements to reduce costs and to maximize available capital, flexibility, talent and efficiency in delivering goods and services. The recent decision of the National Labor Relations Board (“NLRB” or “Board”) in Browning-Ferris Industries of California, Inc., 362 NLRB No. 186 (2015), may change how many of these relationships function, and even, whether some of them are now too risky for some participants.

Under Browning-Ferris, the NLRB has shifted the joint-employer standard and increased the risk that employers could be liable for claims and actions against the entities with whom they contract. In the decision, the Board “restated” that it may find that “two or more entities are joint employers of a single workforce” if they essentially share or co-determine matters that govern the essential terms and conditions of employment. After restating this general principle, however, the NLRB proceeded to expand the standard for assessing joint employer status, and to overrule legal precedent it had been following for the past 30 years.

The case involved Browning-Ferris Industries, which operates a recycling facility and staffs its operation with about 60 of its own employees and an additional 240 workers contracted through a staffing agency, Leadpoint Business Services. When a local union filed a petition to represent Leadpoint’s employees, it argued that Browning-Ferris was a joint employer with Leadpoint, and should, therefore, be required to engage in collective bargaining with the union with respect to the Leadpoint workers.

The Board supported the union’s argument, holding that the Board would no longer require that an employer actually exercise authority over workers’ terms and conditions of employment and that the mere possession of such authority was sufficient to make an employer a joint employer. Conditions of employment include such issues as hiring, firing, wages, scheduling, discipline, supervision and direction of work. The Board also overturned its prior requirement that a joint employer’s control must be exercised directly and immediately. Control reserved in a contract or exercised indirectly, through an intermediary, may now establish joint-employer status.

Why Does Browning-Ferris Matter?

Browning-Ferris does not mean that every employer who uses contract labor will now be found to be a joint employer. In fact, other agencies besides the NLRB apply varying joint-employer standards under particular statutes and regulations, including Title VII of the Civil Rights Act, which addresses issues of discrimination, and the Fair Labor Standards Act, which addresses wage and hour issues. Those agencies and the courts may or may not be influenced by the NLRB decision.

But a company should care about Browning-Ferris and its implications for joint-employer status if it contracts with other entities, such as staffing agencies, subcontractors, and franchisees, to deliver, develop or manufacture certain of its goods and services or perform functions like those typically performed by the company’s employees. Under the new test, if the contract reserves the right to control or specify any of the terms or conditions of employment, even if the company does not exercise those rights, there is now a real likelihood that a company could be a joint employer, at least for collective bargaining purposes.

Hospitality is an industry that should be particularly attentive to the NLRB decision because many hotel operators supplement their workforce with, for example, temporary banquet staff, valet attendants, cleaning crews, or engineering staff for remodels and upgrades. Many owners seek to control some hiring and staffing decisions of the management company. Moreover, most hotels in the U.S. are operated by franchisees of the brands. In an effort to control quality, service, and uniform standards, operators or franchisors may wish to have input on which workers are hired or assigned to their worksites, staffing levels, or how work is performed. Such control may be reserved in the contract even if not enforced, and the NLRB has clearly stated that the mere reservation of these rights is sufficient to find a company is a joint employer.

To reduce the possibility of joint-employer status and liability, companies should consider the following suggested best practices when franchising or hiring a staffing agency, contractor or vendor to provide employees:

Avoid contract language that reserves for the company any control over franchisee, contractor, staffing agency or vendor workers, and their terms and conditions of employment. Disclaim such control when possible.
Refrain from actually exercising control over contract workers. This may be challenging for a company that wants to ensure its standards are upheld and that it maintains compliance with applicable laws and rules, but such control puts the company at risk of being a joint employer. Although exercising control is unnecessary for the NLRB to find a company is a joint employer, it certainly may still do so where a company is actually exercising control, even if it disclaims a right to do so in its contract.
Avoid contracting for work that is similar to the duties performed by the company’s employees.
Require staffing agencies or other contractors to provide a written agreement that states that they will comply with all federal, state and local labor rules. This may help insulate the company financially, but it will not prevent the company from having to endure costly and time-consuming litigation or government investigations if the staffing agency, vendor, or contractor has a compliance issue and the company is implicated as a joint employer.
Focus on the contracted company or agency’s outcomes rather than its means to achieve them.
Minimize contact with a contracted company or agency’s non-supervisory employees. Avoid providing direction, materials, training or benefits to contract workers unless necessary.
If the contracted company or agency’s workers are represented by a union, do not participate or retain the right to participate in collective bargaining or in administration of the collective bargaining agreement.

View the original article here.

Clamping Down on “Apartment-Sharing” Website AirBNB

Malcolm Seymour — Mon, 03 Aug 2015 16:00:37 +0000

New York State Attorney General, Eric Schneiderman, has made waves in recent months by subpoenaing the popular “apartment-sharing” website AirBNB for information on more than 15,000 of the website’s hosts in New York City. The subpoenas were issued as part of Schneiderman’s campaign to enforce a 2010 New York law that took effect last year, clamping down on “illegal hotels” across the state. With the backing of tech trade groups and civil liberties organizations, AirBNB has now mounted a high-profile defense against these subpoenas. Meanwhile, other destination cities around the globe are taking steps to follow New York’s lead.

Though press is not always a reliable barometer of public opinion, the most publicized reactions to the Schneiderman investigation have been negative. AirBNB is popular with travelers and hosts, who have turned out in large numbers to petition against Schneiderman’s enforcement efforts. At the time of this writing, the petition to legalize AirBNB rentals in New York City has gathered close to 240,000 signatures. To put the significance of this number into perspective, consider that U.S. Congressional candidates need 1,000 signatures on a petition to be placed on the election ballot, and a petition submitted to the White House needs to collect 25,000 signatures before it receives an official response.

AirBNB’s following probably has less to do with the institutional loyalty of its customers and more to do with the rock-bottom rates of AirBNB rentals. Because AirBNB hosts have low to no overhead, they are often able to underprice conventional hotels by wide margins. In lower Manhattan, efficiency hotel suites start around $250-$300 per night. By comparison, a vacationer can rent a full studio or 1-bedroom apartment in the same locations for $100-$200 per night.

So perhaps it comes as no surprise that AirBNB’s customers have bristled at this crackdown, even going so far as to accuse the New York law of suppressing “innovation.” But it is hardly clear that it is AirBNB’s “innovation” – and not hosts’ avoidance (or ignorance) of the legal complexities of running a hotel business – that makes these savings possible. Most AirBNB hosts operate in a legal limbo, complying neither with landlord-tenant laws (many hosts in New York City are tenants themselves), nor with the various layers of red tape applicable to hotels. Yet in New York – as in most states – a lessor who is not subject to one of these regulatory schemes is, by definition, subject to the other.

New York’s law is somewhat unique, in that it prohibits units subject to New York’s Multiple Dwelling Law from being let for anything other than “permanent resident purposes” (30 or more consecutive days). This law has been on the book for decades – its original purpose was to protect the rental housing supply in New York’s high-density living areas. The 2010 amendments to the Multiple Dwelling Law simply eliminated loopholes in the text of the statute that permitted “illegal hotels” to skirt the law and lease out apartments in multiple dwelling buildings to shorter-term occupants. The legal battle unfolding in New York is based solely on these recent amendments, and thus targets only AirBNB hosts who operate out of “multiple dwellings.”

Not all states have statutes analogous to New York’s Multiple Dwelling Law. But most if not all states regulate hotels and residential landlords extensively. And in most if not all states, a person who charges money for the privilege of occupying a room necessarily falls into at least one of these two categories.

For instance, California’s landlord-tenant law applies to “all persons who hire dwelling units located within this state,” with limited carve-outs for hotels, motels and time shares. Under California law, an AirBNB host is deemed to be either a landlord or an innkeeper – there is no gray area in between. Innkeepers and hoteliers in California are subject to special taxes, bailment obligations, and a labyrinth of other legal duties imposed by statute, regulation and case law. Landlords in California are required to maintain the habitability of all residential premises, must make necessary repairs and provide a range of other services, have limited rights of entry upon rented premises, and generally cannot evict tenants without going to court. Washington and Oregon make the similar distinctions between innkeepers and landlords, and impose equally complex legal obligations on both groups.

Whether AirBNB hosts are considered innkeepers or landlords under the laws of these states, they are operating in highly regulated spheres with high compliance costs that have, in the past, imposed barriers to market entry. AirBNB hosts have avoided these costs, but they have done so largely by ignoring the law. With this advantage, they are able to offer prices that law abiders can seldom match.

The critical question is: if these regulations exist for the benefit of consumers, why shouldn’t AirBNB hosts have to obey them? Or, if these laws stifle innovation and harm consumers, why should they apply to anyone? Shouldn’t hotels be free to compete with AirBNB hosts on the same terms?

This double standard has not gone unnoticed by those holding the short end of the stick in the hospitality industry. Against the backdrop of the Schneiderman investigation, the Hotel Association of New York City has aired its own plans of bringing a private class action lawsuit against AirBNB on behalf of its constituents. The putative basis of this lawsuit – failure by AirBNB hosts to pay transient lodging taxes imposed under state law – would conceivably be applicable to AirBNB hosts outside of New York as well.

While there may be ample legal basis for such a lawsuit, this sort of litigation is not without its drawbacks. AirBNB has many supporters, especially in younger demographics, and it has defenders in local news media (the New York Times, Huffington Post and NPR have all given AirBNB sympathetic coverage). Websites have been spinning the Schneiderman investigation of AirBNB as a populist David vs. Goliath story — similar to the crackdown underway elsewhere against Uber, Lyft, Sidecar and other ride-share companies. There is a risk that hotels could be singled out as the villains of this story if they are perceived to be acting out of self interest rather than fairness– and the direct involvement of industry groups in a private lawsuit would increase this risk.

The Recording Industry Association of America’s (RIAA’s) efforts to prosecute music piracy tell a cautionary tale. In hindsight, the prevailing view is that the RIAA’s lawsuits against music downloaders backfired by fueling an “us versus them” mentality in which the RIAA became the enemy. For a time, the RIAA had the distinction of being chosen as the “worst company in the world” by readers of the Consumerist blog. And yet, for all the RIAA paid in money and reputation, it achieved very little —online music piracy happens more now than ever. Perhaps this is why the RIAA, after years of pursuing copyright infringers in court, has now sheared away half its workforce and diverted funding from litigation to lobbying efforts.

Most of the present AirBNB reportage is focused on the Schneiderman crackdown, which might be a boon to hotels that wish to see the company subject to stricter rules. To the extent that AirBNB’s competitors can level the playing field without entering the spotlight themselves, they stand to achieve a double-win. If the time comes for industry groups to take a more active role in pushing for regulation, they may wish to consider softer alternatives to litigation. Lobbying and public awareness efforts could send a more positive message that would not be perceived as undermining consumer choice. The right messaging could go a long way to winning this fight.

What hotels are after – fair play – is in fact pro-competitive. Competition is not supposed to be a “race to the bottom” in which the winner is the business that cuts the most corners or does the best job of disguising a dangerous product. Let hotels do what AirBNB does, or make AirBNB do what hotels have to do. Wouldn’t it provide consumers with the most choice and value if hotels were free to compete with AirBNB on AirBNB’s terms?

Politicians appear to be receptive to hotels’ views on this issue. The crackdown taking place in New York is based on a law that was passed in 2010. AirBNB only launched in 2008. Paris and Berlin have already taken steps to pass similar legislation. These are promising signs that suggest a solution that does not require litigation might lie within reach.

Feel free to email me or Greg Duff if you would like to know more about this issue, or how we can help.

Originally published on Duff on Hospitality.

BrandVerity’s Latest Study on the Use (and Abuse) of Branded Keywords in Paid Search

Greg Duff — Fri, 24 Jul 2015 01:52:15 +0000

Our friends (and former contributors) at Seattle-based BrandVerity produced an infographic showing that the average hotel brand is losing 26,500 website visitors on direct web traffic each month, leading to a real loss in revenue as these bookings are made elsewhere. Their findings are based on the information found in the hotel selection of their quarterly report on The State of Branded Keywords in Paid Search.

The report assesses the paid search landscape on branded keywords of over 250 consumer-facing brands. Looking at Q1 2015, it found that trademark bidding has cost the typical brand tens of thousands of visitors each month. The full report is available for download today at https://www.brandverity.com/branded-keywords/.

Competition & Markets Authority Recommendations for Online Reviews

John Crosetto — Sun, 19 Jul 2015 01:32:01 +0000

The Competition & Markets Authority (CMA), which investigates business practices and enforces anti-competition and consumer protection legislation in the UK, just released a report and call for information that signals more scrutiny for online reviews and endorsements. Though the report does not identify companies or sites that will be the subject of investigation, it expresses a general concern that a number of businesses are breaking the law. The report does not point fingers, but it’s worth noting that the hospitality industry is mentioned several times as an area of particular interest, based in part on a survey conducted by the British Hospitality Association in March of this year. Consumer reliance on reviews for vacation travel, the relatively higher cost for hospitality related services, and the sensitivity of the hospitality related services to negative reviews were cited by the CMA as reasons why the industry is an area of particular concern.

UK regulations are, of course, aimed at protecting UK consumers, but U.S. companies are well advised to take heed of the report’s warnings and recommendations because, as the report notes, the CMA plans to assume the Presidency of the International Consumer Protection and Enforcement Network (ICPEN), of which the U.S. is an active member. And, the practices flagged by the CMA, as well as the steps businesses can take to address the CMA’s concerns, closely parallel those identified by the Federal Trade Commission (FTC).

So, whether your customers are here in the States or abroad, the following practices may result in an investigation by the CMA (or FTC):

Writing or commissioning fake negative or positive reviews.(Your marketing firm could also be on the hook for setting up fake Twitter or Facebook accounts to submit reviews).
Cherry-picking positive reviews or suppressing negative reviews. (Your website user agreement or comments policy may well allow you to edit or delete user content containing expletives or other inappropriate material, but if those expletives all happen to be in negative reviews of your product or service, you need to consider what disclosures may be necessary to ensure the reviews as a whole are a fair and accurate representation of the actual comments received).
Failing to disclose paid reviews or endorsements. (Whether its cash, a free dessert, or award points, you need to disclose compensation or incentives given to individuals submitting reviews or endorsements).

The best practices recommended by the CMA similarly echo the FTC’s guidelines:

Be clear with your marketing department or outside marketing firm that they may not write or solicit reviews. Documenting that parameter in a letter or agreement will provide a paper trail that could prove handy down the road.
If you do provide compensation or incentives for reviews or endorsements, be sure that that fact is clearly disclosed, e.g., by using a hash tag like “#paid ad.”
Promptly publish all reviews, even negative ones. If reviews have been edited or deleted (e.g., to remove expletives), clearly disclose your policy or basis for doing so.
Establish a procedure (whether in house or with your marketing firm) for detecting and removing fake reviews.

In conjunction with the report, the CMA published summaries on how to comply with UK consumer protection law on online reviews and endorsements.

Ultimately, the CMA and FTC share a common purpose: to protect consumers from unfair or deceptive business practices by protecting the consumer’s ability to make meaningful choices. Disclosure of the connection between a review or endorsement and its source (i.e., an independent individual or a sponsoring company) is essential to meaningful consumer choice. So, in devising your marketing strategy, especially if it includes a forum for consumer reviews, ask whether you’ve given your customer the information necessary to make a meaningful decision about your product or service. Doing so not only helps build brand loyalty, it could help avoid an investigation by the CMA (or FTC).

Don’t Forget Copiers, Scanners and Fax Machines in Your Data Security Program

Benjamin Lambiotte — Mon, 23 Mar 2015 16:00:13 +0000

Current generation multifunction printer/scanner/copier devices are convenient, inexpensive, and very popular. Often overlooked is the fact that most modern printers, copiers, and scanners have many of the same attributes of computers, and are just as vulnerable to the same kind of cyber exploits and attacks as computers. A truly comprehensive data security and privacy risk management approach requires that these commonplace devices be viewed as an integral part of an enterprise’s IT systems, and that device-specific measures be taken to secure them. The National Institute of Standards and Technology (“NIST”) last month published a report on risk management practices for “replication devices,” The NIST report identifies risks associated with such devices, and provides guidance on protecting the confidentiality and integrity of information processed, stored, or transmitted on them.

Risks
Threats include:

Default administration/configuration passwords: Many devices have default passwords which can be easily obtained and used to access stored data, or to control the device.
Data capture: Unless encrypted, data transmitted or stored, including passwords, configuration settings, and data from stored jobs, is vulnerable to interception or modification.
Spam: Unless properly configured and without proper access control, many devices will process any job submitted, which could waste paper, toner, and ink, and tie up the device.
Alteration/corruption of data: If passwords or configurations are changed, denials of service for authorized purposes or potential damage to the device could result.
Outdated and/or unpatched operating systems and firmware: Many devices run an embedded operating system, making them subject to the same threats as any other computer running those operating systems. Also, older devices may have embedded versions of operating systems no longer supported by the manufacturer, which may leave “unpatched” security issues.
Open ports/protocols: For devices that can connect to local networks or the Internet via wireless or ports, open ports and protocols allow data to flow to and from a device. Through open ports, attackers may gain undetected access, and data tampering, unauthorized access, and denial of service can result.

Warning Signs
The Report identified several signs indicating that the security of such a device may be compromised:

Display malfunctions or shows incorrect information;
Materials (ink, paper, or other supplies) run out faster than usual;
Increased number of failed or timed-out jobs;
Unexplained/unauthorized changes in configuration settings;
Device completes processes slower than expected;
Device uses more network time/bandwidth than usual;
Time stamps do not align or make logical sense;
Communications with unknown IP or email addresses increase; and
Markings indicating tampering around key areas of the device (e.g., hard drive or SSD compartment, display area).

Countermeasures
An Appendix to the Report provides a very useful device risk assessment template and checklist. It gives practical guidance on best security practices, across the entire lifecycle of the device. Examples of some countermeasures include:

At acquisition, or in third party supply and support contracts, ensure that the device meets common data security standards, is capable of operating in a secure mode, and that the OS is actively supported by the OEM;
At deployment, change vendor default passwords, and configure the device to operate in a secure mode;
During operation, control device access through PINS and passwords, control physical access to the device itself and its components, such as the SSD or hard drive, and track usage, ensure that stored and transmitted data are encrypted, and timely implement OEM security “patches” and fixes;
During operation, control network access using standard organization practices, close unused open ports and protocols, disable wireless identifier broadcasting, and configure the device to prevent communications to and from unknown and unwanted addresses (blacklist/whitelist); and
When taking the device out of service, change all passwords and PINS to vendor defaults, and remove or sanitize all hard drives and SSDs on which data may be stored.

How Does the NLRB’s Ruling on Non-Business Use of Email Affect Your Business?

Victoria Slade — Wed, 04 Mar 2015 16:00:30 +0000

As you may have heard, the NLRB recently ruled that employees who are given access to their employer’s email system for their jobs must be permitted to use that email system during nonworking time to engage in protected activity, such as forming a union or discussing terms and conditions of employment. This ruling applies to both unionized and non-unionized workforces. The ruling has caused some controversy because it overturned long-established precedent. It is not, however, a reason to panic. Employers who are already complying with the NLRB’s guidance on social media need only make a few changes to their policies.

The case is called Purple Communications, Inc., and all 70-plus pages of the order are available here (under “Board Decision” dated 12/11/2014). The rule before this case was that an employer had the right to restrict non-business use of its email system, so long as it did so in a non-discriminatory fashion. In Purple, the Board held that employees must be granted access to use their employer’s email system during nonworking time to engage in protected activity, such as discussing terms and conditions of employment. Employers with a strict rule that work email is for business use only will therefore need to revise their policy to allow employees to use company email during nonworking time to engage in protected activity. There are some limited exceptions to this rule, for circumstances where permitting use of company email for protected activity will seriously disrupt productivity or business operations. If you think this is the case for your business, please contact us, and we can help you craft a policy that should satisfy the NLRB.

If, like many employers, you already allow non-business use of work email during nonworking time, this decision still impacts you. Most employers have some kind of policy that regulates what employees can do on the company’s email and other communication systems. Because the Purple ruling requires employers to allow employees to use company email to engage in protected activity, restrictions that infringe on this right are no longer OK. This, too, is no reason to panic, however, because it simply means your use of technology policy has to look a bit more like your social media policy (you have one of those, right?). As discussed in the blog posts available here, the Board has already issued a series of rulings and memoranda explaining how it will evaluate social media policies. Generally speaking, the Board has stated that a policy will be struck down if it could be read by a reasonable employee to prohibit protected activity, such as engaging in collective action or discussing conditions of employment.

Although Purple Communications was a dramatic opinion, in that it overturned decades of previous Board law, it should not be difficult for businesses to adapt.

Guest Room Privacy and the Fourth Amendment

Roger Hillman — Thu, 25 Sep 2014 16:00:42 +0000

Hotels are faced with a delicate balancing act when it comes to maintaining guest privacy. Hotel staff must comply with police investigations when noncompliance would constitute obstruction of justice. At the same time, hotel employees must recognize their guests’ Fourth Amendment right to be protected from unreasonable searches and seizures. If hotel employees comply with an unreasonable search or seizure that results in harm to the guest, the hotel could find itself exposed to civil liability.

Courts have recognized that the Fourth Amendment protection from unreasonable searches and seizures applies to searches and seizures in hotel and motel rooms. Certain exceptions allow for warrantless searches and seizures, including consent. In broad terms, the consent exception means that a party’s agreement, actual or implied to a search and/or seizure renders a warrant unnecessary.

In general, during a guest’s stay at the hotel, only the guest may consent to a search of his or her room. While hotel staff members may access the room for cleaning and maintenance during the guest’s stay, they are not authorized to allow police to enter the room. Thus, during a guest’s tenancy at the hotel, employees should not allow police to enter the guest’s room without a search warrant.

Fourth Amendment protections do not apply after a guest’s tenancy expires, at which point those employees with proper authorization from the hotel may aid the police and consent to a search of the room. While this seems like a straightforward principle, it is not always clear when a tenancy actually expires for the purposes of the Fourth Amendment. When faced with this lack of clarity, hotels can take certain actions to ensure careful compliance with the Fourth Amendment by issuing and consistently following policies regarding (a) guest checkout and (b) eviction of guests.

I. Checkout Policy and Procedure

A guest’s Fourth Amendment rights expire once the checkout time has passed. However, this may be modified by the hotel’s practices and guest communications. Consequently, hotel policies and practices may extend Fourth Amendment protections past the guest’s pre-arranged checkout time. For example, if a hotel gives a guest permission to stay until a later checkout time or has a practice of acquiescing when a guest stays past the posted checkout time, Fourth Amendment protections last until that later check-out time. Courts have found that after a hotel provided specific guests with such an allowance, those guests “reasonably believed that the hotels would allow them to do so again, permitting them to retain a privacy interest in their rooms.” Courts realize that most hotels have a pattern or practice of allowing guests some leeway regarding the checkout time.

Each Fourth Amendment inquiry concerning guests checking out of hotels hinges on the specific facts of the case. A hotel that has a clear checkout policy and consistent procedures will provide both staff and guests with certainty as to when a guest’s Fourth Amendment protections have expired.

Fourth Amendment protections depend on the guest’s reasonable expectation of privacy in his or her room, meaning that hotels must state their checkout policies in a manner that would not confuse a reasonable person. An effective communication policy and procedure could involve a notification about the checkout time to the guest upon check-in, the issuance of a reminder to the guest several hours before checkout, and the posting of the checkout time in each room. Further measures may include contacting the guest in the event that checkout time has passed. In these ways, a hotel can unequivocally state that a guest’s tenancy and accompanying Fourth Amendment protections expire at a certain time.

A hotel should do its best to be consistent in communicating and enforcing its checkout policy. In the absence of consistency, guests might be considered reasonable in expecting their Fourth Amendment rights to extend beyond checkout time. If a hotel wants to retain the option to make exceptions to its general checkout time, it should provide a system for staff members to record these extensions so that they know whether or not each guest is protected by the Fourth Amendment.

II. Eviction Policy and Procedure

A justifiable ejection will also extinguish a guest’s Fourth Amendment protections. A guest’s tenancy expires after the hotel has identified grounds for eviction and taken affirmative steps to repossess the room.

Examples of what courts have found to be valid grounds for eviction include:

Raucous behavior.
Illegal activity, including storing illegal drugs.
Failure to pay for the hotel room.
Intoxication, disorderly conduct, and carrying a gun in the hotel.
Odors of marijuana and complaints of loud noise.

The hotel must then act to take back possession of the room, which ends the guest’s expectation of privacy. The Fourth Amendment continues to protect a guest until the hotel staff takes action to commence eviction. The following actions have been identified as sufficient to constitute the commencement of eviction, and thus the extinguishment of Fourth Amendment protections:

Locking the guest out of his room, as long as it is for the purpose of eviction.
Contacting the police for their assistance in physically evicting the defendant.
Removal of the guest’s belongings from the room, a note left on the door informing the guest that he/ she had been evicted, the hotel staff telling the guest that he/she was evicted, or some combination of the above.

In order to create and follow an eviction policy that promotes compliance with the Fourth Amendment, a hotel should identify behaviors that justify eviction. This requires consultation of the law, including any statutes that govern hotel policies. The hotel should then train its staff to recognize and respond to behavior that triggers eviction. A hotel should also provide guests with its eviction policy or communicate in some way the types of behavior that could trigger an eviction. Finally, in the event of an eviction, the hotel must take steps to communicate to the guest that he or she is being evicted. If the hotel has created any doubt or confusion as to whether the behavior under consideration triggers eviction, or does not clearly communicate that the guest is being evicted, Fourth Amendment protections may continue to apply. Therefore, as with the suggestions for checkout procedures discussed above, consistency and clarity will help to ensure a situation in which hotel employees and guests know when the Fourth Amendment no longer applies to protect guests.

In general, hotel staff should not allow police to enter a guest’s room without a warrant. However, if the guest’s tenancy has expired because the checkout time has passed or the guest has been evicted, hotel staff may provide consent for a police search. Hotels should implement polices and procedures that allow guests and staff to know, with certainty, the circumstances under which a guest’s tenancy expires.

Hotel Rebranding: Time for a Change?

Claire Hawkins — Tue, 17 Jun 2014 10:00:37 +0000

Is hotel re-branding trending, and is that a further sign of the recovering lodging industry? There have been a number of announced changes in hotel names and brands in the last few months, and while this may or may not signify an economic uptick, you can be assured that there has been a lot of work behind the scenes to get to this point for all of these venues.

A recent article noted there are many intellectual property issues involved in hotel rebranding, as well as the considerations of public opinion, current trends, and bottom line financials.

All of these factors are compounded given the general nature of hotels: large scale, significant reputation considerations, the considerable costs of the accompanying renovation (and usually updating) and replacing old inventory items that have the old brand, as well as the economic consequences of the time it takes (sometimes up to a year) for the unbranding and rebranding phases as well as reincorporating into the referral, booking, and online channels with the new name.

With all these issues already demanding time and resources, it makes sense to be very sure that the new brand to be adopted is available and that it will be a strong brand. Every company relies on trademark laws to communicate to consumers and to protect the reputation of its business. Making sure your new brand is not too similar to any other existing brand or trademark (including trade dress or other protectable elements), and then registering and managing your rights and responsibilities worldwide and online prevents your marketing and advertising resources and goals from being wasted. Examples of learning these lessons the hard way include instances when Hard Rock Café sued Hard Rock Hotel for trademark infringement; Hershey Entertainment & Resorts Company sued Radisson for calling its hotel Radisson Harrisburg Hershey; Barley Swine restaurant in Austin sued Barley & Swine restaurant in Florida; and Seacrets hotel in Maryland stopped use of SECRET SPOT as a name for restaurant services.

The benefit of a strong brand, if adopting a new one, is that you will be able to use the brand to refer to your business and reputation in a broad, confident manner, prevent others from using similar marks, and build up value and credibility with much more ease than with a mark that already has other similar users out there, and clearing the mark first can help prevent those schedule-interrupting cease and desist letters from third parties.

If you are instead switching to an existing brand, being aware of the strength of the brand’s intellectual property portfolio (worldwide trademark registrations, domain names, franchise or service agreements, web use, trade dress protections, etc.) as part of the initial due diligence can inform you of issues or hurdles or ongoing problems that will need to be considered or managed as the brand is adopted. For example, if the brand has had to send numerous cease and desist letters to others because the name is fairly descriptive, it would be important to include that aspect into future budgets. On the other hand, determining that the brand to be adopted has a strong portfolio of established rights and registrations would be an indication that the change would indeed bring value and stability to your endeavor.

Takeaway: For any of the many reasons to shift, update, adopt, or change a brand, evaluating the strength of the trademarks, trade dress, domain names, and other intellectual property elements should be included in the list of to-do items before proceeding. If you’re going to go with this trend, if it is one, you might as well go with confidence!