• Marriott acquired Starwood in September of 2016, but Marriott continued to operate Starwood’s guest database separately from Marriott’s until a few weeks after the breach incident was announced.
• The unauthorized intrusion into Starwood’s database occurred in 2014, but was not discovered by Starwood nor by Marriott later during the course of its acquisition of Starwood.
• The guest information compromised in the incident included name, address, phone number, email address, passport number, preferred guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preference, and in some instances, payment card numbers and expiration dates. It was ultimately reported by Marriott’s forensic assessment provider the 383 million records were affected.

These facts underscore several crucial considerations for hotel companies regarding how guest data is collected, secured and retained. Some of these considerations aren’t ones that our industry normally associates with data security concerns. Here are some of the key takeaways:

1. Data Security/Privacy is a Critical Due Diligence Consideration. In any merger or acquisition there are due diligence checklist items for the surviving entity. In the case of the Marriott/Starwood transaction the security breach of Starwood’s database was not discovered prior to closing, but had it been, the implications for the deal could have been extremely significant. At the very least, action could have been taken to remediate the compromise at that time. In this day and age, cyber due diligence should be part of any merger or acquisition.
2. Retention of Large Amounts of Personal Information Carries Risk. Personal data is valuable for many reasons, but that value has to be balanced against the risk that accumulated caches of personal data become rich targets for data thieves. For example, there were over 5 million unique unencrypted passport numbers and more than 20 million encrypted passport numbers that were compromised over the course of the Starwood data incident. The value to Starwood and Marriott of retaining that passport information is unclear, but the liability of replacing more than 25 million passports is enormous.
3. With GDPR and CCPA, the Definition of Protected Data Has Expanded. Before the effective date of the General Data Protection Regulation (GDPR) in May of 2018, most of the data involved in the Starwood incident would not have enjoyed any special protection. Under U.S. state law in most jurisdictions, even today, a person’s name, address, phone number, and email address are not considered Personally Identifiable Information or “PII.” However, GDPR and the new California Consumer Privacy Act (CCPA) (effective January 1, 2020) have greatly expanded the scope of protected personal data to include virtually any item of information that can be used to identify an individual. A name, address, phone number or e-mail address are indisputably “personal data” under the GDPR.
4. Guest Reservation Systems Are Vulnerable On Both Ends. In branded hotels, franchise agreements always require that the hotels utilize the brand’s reservation and management system, including brand-mandated hardware, software, portals and connections. This arrangement gives data thieves multiple targets from which to select when seeking to steal guest information. The Wyndham data incident of 2008/2010 was the first notable attack on a brand’s central guest information database. While most hotel guest information data incidents in the past decade have occurred at individual hotels or discrete groups of properties, the Starwood incident proves that a brand’s guest information database is still vulnerable.

2018 also saw a rash of low-tech social engineering attacks against individual hotels, and this type of attack has continued into 2019. Criminals commence these attacks by posing as brand systems support personnel and making phone calls to hotel employees. The employees are asked to provide their login credentials for the reservation management system.

Cybercriminal: Hello, I’m calling from [brand] system support. We’re having difficulty with the reservation process on your end, and we need to check it. Can you please log in for me?
Employee: Sure. [Logs in]
Cybercriminal: We’re still having an issue. Can you please give me your username and password so I can try it on our end.
Employee: No problem. My username is … and my password is …

Using the stolen credentials, the criminal remotely accesses the reservation management system and retrieved information about recent guest bookings, including guest names, addresses, phone numbers, reservation dates, and partial payment card information. Although the systems typically show only partial credit card number, in some cases the criminals are able to unmask the obscured numbers.

The criminal then calls guests with future reservations:

Cybercriminal: Hello, I’m calling from [hotel name] regarding your reservation from to [check-out date]. We’re having a problem processing your credit card. The last four numbers are [XXXX]. Could you please provide me with your full credit card information, including security code, so we can get that taken care of.

Because the criminal has accurate information about the reservation, the guest is more likely to fall for the scam. Once the guest has supplied the card information, the criminal quickly racks up fraudulent charges. Fortunately, most guests don’t trust these calls, but they are bad for the reputation of the hotel and brand. Depending on what information is exposed, the unauthorized access to the reservation management system may legally be considered a data breach that requires notification to affected individuals and regulators.

To help protect your organization from these types of social engineering attacks:

• Change employee passwords at frequent intervals.
• Alert employees to this type of attack and train them in how to respond.
• If possible, implement multi-factor authentication for any access to the reservation management system.
• Audit which employees have access to the reservation management system and disable access for employees who have no business need for it, including employees who have been terminated or who have changed roles.
• Protect partial payment card information so obscured numbers can’t be unmasked.

This article is part of our Conference Materials Library and has a PowerPoint counterpart that can be accessed in the Resource Libary.

HospitalityLawyer.com® provides numerous resources to all sponsors and attendees of The Hospitality Law Conference: Series 2.0 (Houston and Washington D.C.). If you have attended one of our conferences in the last 12 months you can access our Travel Risk Library, Conference Materials Library, ADA Risk Library, Electronic Journal, Rooms Chronicle and more, by creating an account. Our libraries are filled with white papers and presentations by industry leaders, hotel and restaurant experts, and hotel and restaurant lawyers. Click here to create an account or, if you already have an account, click here to login.

What Is the GDPR?
The GDPR (or Regulation) is perhaps the most comprehensive privacy law of its kind in the world, emphasizing the growing social, political and legal concerns about the potential misuse and abuse of individuals’ personal data. This is no surprise given the rapid advances in technology and the impact of the new economic reality of “big data” and data analytics on consumer information.

The GDPR has set a new precedent for the high stakes of protecting individuals’ privacy, which is being watched closely and even shaping the privacy laws in other countries. The GDPR replaced the Data Protection Directive of 1995 and sets stricter standards for companies that collect or process data on citizens and residents of EU member countries. While considered a milestone achievement for individuals’ data protection laws, the GDPR presents complex challenges for companies that must now take steps to become GDPR compliant or run the risk of being subject to audits, lawsuits and/or stiff financial penalties.

Which Organizations Are Subject to the GDPR?
There is a big misconception in the U.S. business community that the GDPR only applies to EU companies. The new Regulation expands the territorial reach of the GDPR to include companies established outside the EU. This means that a company that has no offices, staff or even customers in any EU country may nonetheless need to comply with the GDPR if it processes and stores personal data on EU residents in any way. In other words, U.S. companies may be subject to the GDPR if they control or process data of EU residents.

The GDPR focuses in particular on the activities of data “controllers” and data “processors.” A data controller is an individual or entity that “determines the purposes and means of processing personal data.” A data processor is any individual or entity that processes (i.e., collects, stores, uses) personal data at the direction of the data controller. A positive response (yes) to one or more of the questions below may signal that an organization is subject to the GDPR.

Does your organization process or store data on EU residents?
The GDPR broadly defines the term “data processing” to include “collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction.” In reality, virtually any activity involving personal data of EU subjects may be closely scrutinized and classified as a processing activity within the definition of the Regulation, to the extent it is performed at the request of a data controller.

Does your organization offer goods or services to EU residents?
The GDPR expressly states that the Regulation applies to organizations outside the EU that offer goods or services to data subjects within the EU regardless of whether a fee is charged for such goods or services. Thus, an organization should consider whether it:

• Offers services in a language or currency of a EU member state
• Enables EU residents to place orders in such other language
• References EU customers in its publications.

It is noteworthy that merely having a website that is accessible by EU residents is not conclusive for purposes of determining whether an organization is subject to the GDPR.

Does your organization monitor the behavior of EU residents as that behavior occurs in the EU?
The GDPR also applies to non-EU organizations that monitor the behavior and activities of EU residents within the EU. This includes tracking EU residents on the internet to create profiles or to analyze or predict individual preferences and behavior.

What Is Protected Personal Data Under the GDPR?
The GDPR protects “personal data,” which is broadly defined in Article 4(1) to encompass:

“…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier…”

The definition provides a broad range of identifiers, including “a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” For example, personal data may include a photo, racial or ethnic data, an email address, bank details, posts on social networking websites, political opinions, health and genetic information, a computer IP address and so on.

The GDPR also refers to sensitive personal data as “special categories of personal data,” which include genetic data and biometric data, where processed to uniquely identify an individual, and data concerning health. Processing of such data is prohibited unless the data subject gives explicit consent. Otherwise there are very few exceptions in which processing of such special categories of personal data also is possible (e. g., if it is necessary to defend or enforce a legal claim).

When a data controller collects personal data from an individual, including a third party, the controller must provide information to the data subject regarding processing activities, including:

• Contact information for the controller and Data Protection Officer, if applicable
• Purpose of the collection and processing of personal data
• Intended recipients of the personal data, if any
• Whether personal data will be transferred outside the EU
• Time period for which the personal data will be stored
• Individuals’ right to request access to, correction or erasure of their personal data
• Individuals’ right to file a complaint with an EU privacy regulator (Supervisory Authority) with respect to the collection or use of their personal data.

What Are Consent Requirements for Processing Personal Data?
Consent remains one of six lawful bases to process personal data, as listed in Article 6 of the GDPR. However, the requirements for validly obtaining consent have been increased to place a higher burden on data controllers. Article 7 sets out what is meant by consent, and the Information Commissioner’s Office (ICO) has published detailed guidance on consent under the GDPR. In brief, consent must be “freely given, specific, informed and unambiguous.” Organizations should review how they seek, record and manage consent, and whether they need to make any changes to their policies and procedures. In evaluating compliance with the GDPR’s expanded consent requirements, organizations should note the following characteristics:

• Active Opt-in: There must be “clear affirmative action”; consent cannot be inferred from silence, pre-ticked boxes or inactivity.
• Unbundled: Consent requests must be separate from other terms and conditions and should not be a precondition of signing up to a service unless necessary for that service.
• Granular: Granular options to consent separately to different types of processing should be given wherever appropriate.
• Named: Name your organization and any third parties that will be relying on consent; even precisely defined categories of third-party organizations will not be acceptable under the GDPR.
• Verifiable: Keep records to demonstrate what the individual has consented to, including what they were told and when and how they consented.
• Easy to Withdraw: There must be simple ways for people to withdraw consent – tell people about their right to withdraw and offer them easy ways to withdraw consent at any time.
• No Imbalance in the Relationship: Consent is not “freely given” if there is imbalance in the relationship between the individual and the data controller.

What Rights Do Individuals Have to Protect Personal Data?
One of the key premises of the GDPR is to expand the rights of individuals to protect their personal data. This includes an individual’s right to access, rectify and/or seek erasure of their personal data.

Right to Access
Individuals have the right to access their personal data and request the following information from a data controller:

• Copy of their personal data
• Purpose of processing the personal data
• Categories of personal data
• Recipients of the personal data
• Time period the personal data will be stored
• Individual’s right to request alteration (rectification), erasure and/or restrictions on processing their personal data
• Right to file a complaint with a Supervisory Authority
• Extent to which decisions about the individual are made based on automated processing or profiling of personal data
• Appropriate safeguards for transfers of personal data outside the EU.

Right to Rectification
An individual has the right to request the data controller to correct their personal data without undue delay.

Right to Be Forgotten
The GDPR recognizes an individual’s so-called “right to be forgotten,” subject to limited exceptions. In other words, an individual has the right to request the data controller to erase their personal data without undue delay in certain circumstances, including the following:

• Personal data is no longer required for processing
• Individual withdraws consent to the processing of their personal data
• Individual objects to the processing of their personal data
• Personal data has been unlawfully processed.

What Are the Record-Keeping Requirements Under the GDPR?
Data controllers and processors must maintain written documentation of all activities related to the processing of personal data (including documentation of all steps made in order to be GDPR compliant). These records should include the following information:

• Contact information for the data controller
• Purpose for processing the personal data
• Description of the personal data
• Recipients of the personal data
• Safeguards to protect personal data transferred outside the EU
• Anticipated time frame for erasing personal data
• Technical safeguards employed to protect personal data.

These records of processing activities must be produced to a Supervisory Authority upon request. Notably, the GDPR’s record-keeping requirement does not apply to organizations with fewer than 250 employees.

What Security Measures Are Required to Safeguard Personal Data?
The GDPR does not dictate specific technical security measures that must be implemented by data controllers or processors to safeguard personal data. However, the Regulation does require organizations to conduct a risk assessment to ensure an appropriate level of security based on a cost-benefit analysis. The size of the organization and the nature and scope of processing activities are key factors to consider. Such security measures may include the pseudonymization of personal data (so that data cannot be linked to a specific individual); encryption of personal data; ability to restore and back up personal data; periodic security audits to test and evaluate processing activities; and adherence to recognized industry standard certification requirements to protect data.

What Is a Data Protection Officer?
The GDPR requires data controllers and processors to appoint a Data Protection Officer (DPO) when an organization’s “core activities” consist of processing personal data on a “large scale.” Germany qualifies this requirement to include instances where there is a minimum of 10 people processing personal data automatically. An organization may designate an employee or hire a third party to serve as a DPO, based on their expert knowledge of data protection laws and regulations. A DPO is responsible for monitoring an organization’s compliance with the GDPR, training employees and staff, oversight of any data protection impact assessments, cooperating with the Supervisory Authority, and acting as the liaison between the organization and the Supervisory Authority. In addition, the DPO may be responsible for responding to inquiries by individuals concerning their personal data.

Is an Organization Required to Report a Data Breach?
The GDPR introduces additional mandatory data breach reporting requirements. A data controller must report security breaches to the relevant Supervisory Authority “without undue delay, and where feasible, not later than 72 hours” after it first becomes aware of the incident. If the notification is made after 72 hours, a reasonable justification for the delay must be provided. The breach only needs to be reported if it is likely “to result in a risk for the rights and freedoms” of data subjects – if, for example, the breach could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage.

A data controller also must notify individuals of a security breach “without undue delay” where the breach “is likely to result in a high risk” to the rights and freedoms of data subjects. However, notification to individuals is not required if (1) the organization has implemented appropriate security measures that render the data unintelligible to any unauthorized person (i.e., encryption); (2) the organization has taken subsequent measures to ensure that a high risk to data subjects does not materialize (i.e., remediation); or (3) it would involve a disproportionate effort, in which case a public communication will suffice (i.e., media notice or publication on the organization’s website).

The contents of the breach notification communication should include the following information where available in “clear and plain” language:

• Nature of the incident
• Type of personal data
• Number of affected persons
• Number of personal data records
• Contact information for the DPO
• Likely consequences of the data breach
• Steps taken by the organization to contain and mitigate the exposure.

Notably, the breach notification requirements set forth above apply to data “controllers.” However, in the event of a breach experienced by a data “processor,” the processor is required to notify the controller “without undue delay.”

Are There Any Repercussions for Failure to Comply with the GDPR?
The most serious infringement of the GDPR can result in administrative fines by a Supervisory Authority of up to €20 million or 4 percent of the offending company’s global annual revenue, whichever is higher. For lesser noncompliance offenses, company audits and a tiered fine structure may be imposed.

Under the GDPR, data controllers and processors also may be subject to liability and damages for legal proceedings commenced by a data subject in a court of law or a complaint lodged with a Supervisory Authority. Such complaints may be filed in the jurisdiction where the data subject resides or works, or the location of the alleged infringement of the Regulation concerning the processing of the individual’s personal data. Data controllers and processors may have joint liability for compensatory damages awarded to an individual to ensure they are made whole.

The GDPR also grants Supervisory Authorities the following powers to:

• Conduct investigations of data controllers and processors
• Perform data protection audits
• Issue warnings or reprimands
• Order an organization to comply with a data subject’s request regarding personal data (including rectification, erasure and restrictions on processing)
• Require an organization to bring its processing activities into compliance with the GDPR
• Order an organization to notify individuals of a data breach
• Order the suspension of data flows.

Summary
In summary, U.S. companies are well advised to consider their compliance obligations, if any, under the GDPR. The extraterritorial reach of the EU’s new privacy Regulation means that non-EU companies may be subject to the law. A critical factor in evaluating the potential application of the GDPR to U.S. companies is whether a company collects, stores, transfers or otherwise processes personal data of EU residents. If so, the company may be required to obtain an individual’s express consent to the use of their personal data, in addition to maintaining internal records of the company’s personal data processing activities. Moreover, companies may have a mere 72 hours to notify EU regulatory authorities of a data breach involving the personal data of EU residents. Failure to comply with the GDPR’s extensive requirements may result in regulatory investigations, legal proceedings, compensatory damages, injunction orders or hefty administrative fines.