This is shaping up to be the year of data security in the United States. There are several trends to pay attention to within the hotel and hospitality industry: federal privacy enforcement actions; civil class actions; state data breach notice laws; and emerging consensus about best practices to plan for and respond to data breaches.
FTC AND WYNDHAM CASE
There is no national law in the United States governing data privacy or practices for the hospitality industry, but the Federal Trade Commission (FTC) has stepped in to fill the vacuum.
The FTC can fine companies for “unfair” or “deceptive” consumer practices and, since 2000, has launched more than 50 privacy claims on these grounds. This is an aggressive move because the agency has no direct authority over privacy claims. The FTC’s ability to act in this area is, therefore, being resolved in the courts.
The chief case to watch involves the Wyndham hotel reservation system. It was hacked three times for credit card data, leading to identity theft and fraud involving hundreds of thousands of customers. The FTC sued Wyndham, claiming that the hacks showed that Wyndham had breached its own privacy policy (which promised that the hotel used “reasonable” and “industry standard” measures to secure customer credit cards).
Wyndham fought back, saying that the FTC has no authority to pursue a claim and has issued no guidance regarding what are “reasonable” protective measures. A federal court upheld the FTC’s right to pursue the claims; Wyndham has appealed.
If ultimately the FTC is permitted to sue Wyndham over an unfair or deceptive privacy policy, the implications for the industry are clear: know your security practices, disclose them accurately, and follow them internally.
CLASS ACTIONS
In addition to FTC cases, plaintiffs’ lawyers are pursuing class action claims aggressively in response to the continued media coverage of data leaks. The theories used fall under a broad variety of national laws (for example, about confidentiality of movie rental habits) and state laws involving unfair or deceptive trade practices.
So far, consumers have not recovered much money through these class actions. They are a nuisance, however, and expensive to fight. Of course, if a judge does award damages one day, the dollars involved for any large class will be headline-making.
Hotel owners can minimize exposure by collecting and keeping only what data you absolutely need from customers, and consider workplace policies and practices that will keep the information secure.
STATE BREACH LAWS
For any company that suffers a data loss (via hack or via accident), there are 47 state laws requiring that consumers (and possibly the state authorities) be notified. The usual trigger for these laws is loss of electronically-stored “personally identifiable information” or “PII” (e.g., name, Social Security number or bank/credit card account number, account access information.)
Reservation systems, payment, retail/dining, and other on-site services all make use of PII in electronic form. Protecting those records is paramount. Hacks or leaks may require notice in several states, and generally there is no minimum number of affected customers before a company is required to act. Each state’s law is slightly different, but many have deadlines for action or prescribe what information consumers must be given.
Because coordinating all the state requirements can be tricky, it is imperative to call counsel immediately following any loss of data, even if no hacking was involved. For instance, if an employee accidentally e-mails a file of PII to persons outside the company, state law notice requirements may apply.
The costs of responding to a breach can be high: Target says it spent $148 million on its efforts. The state of New York reports that businesses there spent $1.3 billion on breach response in 2013. The average per-record cost to respond is about $200 in the United States. Multiply that by thousands of credit card transaction records or reservation notes, and it adds up fast. There also is the cost of counsel and other advisers to consider. Specialized insurance is available to help, if you have the right coverage: talk with your carrier about a cyber-liability policy.
BEST PRACTICES
It is wise to consider privacy, security, and incident response planning as part of ongoing business operations:
- Put your plan in writing.
- Designate a cross-functional team of support and operating divisions as well as executive management.
- Audit your security and workflow.
- Update your insurance coverage.
- Be sure you understand where, how, and why PII are available on your network (and to whom).
- Call your lawyer with questions.
Mitzi L. Hill is an attorney at Atlanta-based Taylor English Duma LLP where she focuses her practice on data security and privacy. She has significant experience assisting clients in responding to data breaches, entertainment and media issues, as well as technology licensing and development; mhill@taylorenglish.com.
