By Jim Butler and the Global Hospitality Group® Hotel Lawyers | Authors of

Massive data breaches affect hotels and their legal responsibilities. As unauthorized hacking of confidential data explodes in volume and seriousness, minimum expected standards are evolving that hoteliers and others must follow. Interestingly, the latest guidelines are provided in an August 24, 2015 appellate court decision involving Wyndham Worldwide as if to emphasize that these rules (really) apply to the hotel industry. How did this case arise? What are some basic steps that everyone with confidential data is expected to take? What happens if they don’t?

In the article below, my partner Bob Braun, explains the current situation and what it means to our industry.

FTC vs. Wyndham Worldwide – What it Means for Hotel Owners

by Bob Braun, Hotel Lawyer and Data Security Advisor

Background on the case On August 24, 2015, the Third Circuit United States Court of Appeals issued its ruling in the case FTC v. Wyndham Worldwide Corporation. The case was highly anticipated by the data security community generally for its expected ruling on the authority of the Federal Trade Commission to regulate data security standards, but nowhere was the anticipation more keen than in the hospitality industry. After all, this decision didn’t deal with retailers, banks or dating sites – it addressed a major hotel player and, by implication, all operators, brands and owners in the industry.

We know that cybercrime is big. In 2014, there were 42.8 million detected security incidents (and, most likely, many more that were never discovered). Estimates of annual cost of cybercrime to the global economy ranges from $375 billion to as much as $575 billion as companies face increased vulnerability, ranging from greater technology available to cybercriminals and new types of cybercrime, like crypto-ransom.

The decision should be a wake-up call to hotel owners because, as described below, hotel owners may ultimately bear the cost of data breaches involving their hotels. Owners should look at the Wyndham decision as an opportunity to consider whether their brands and managers have taken the steps necessary to protect guests and, ultimately, the hotel owner.

Background The case arose out of a suit brought by the FTC against Wyndham, a global hotel company, for failing to adequately safeguard its computer network, allowing hackers to access customer information, resulting in the compromise of more than 600,000 credit card records and financial losses in excess of $10 million. Wyndham argued that, among other things, the FTC lacks authority to regulate data security standards of commercial entities. The lower court ruled in the FTC’s favor, and Wyndham appealed to the U.S. Court of Appeals for the Third Circuit. On August 24, 2015, the Third Circuit affirmed the district court, upholding the FTC’s data protection authority. The result is that for the first time, the United States has what amounts to a data security regulator.

Click here for the FTC’s official release on the Wyndham opinion. And click here to read the full opinion of the court in FTC v Wyndham Worldwide, which the FTC says characterizes as “a must-read for business executives and attorneys.”

What did Wyndham do wrong? The Wyndham decision is particularly helpful because it identifies clearly what Wyndham did – or did not do – that violates the FTC’s standards. Specifically, the FTC claimed that Wyndham:

Security professionals recognize that this list is a fair representation of minimum security requirements for any information system. Any company that does not address these requirements is likely to experience a breach. This list also amounts to an inventory of violations of Section 5 of the FTC Act – engaging in unfair or deceptive trade practices – and any firm that collects and maintains data and is guilty of these failures can expect that they, too, will be subject to action by the FTC, as well as private plaintiffs.

  • failed to use readily available security measures, such as firewalls
  • stored credit card information in clear text
  • failed to implement reasonable information security procedures prior to connecting local computer networks to corporate-level networks
  • failed to address known security vulnerabilities on servers
  • used default user names and passwords for access to servers
  • failed to require employees to use complex user IDs and passwords to access company servers
  • failed to inventory computers to appropriately manage the network
  • failed to maintain reasonable security measures to monitor unauthorized computer access
  • failed to conduct security investigations
  • failed to reasonably limit third-party access to company networks and computers

A call to action for hotel owners We know that many hotel owners don’t consider the impact of data security, because most hotel owners don’t directly collect, store or utilize personal information; they engage managers and brands to do that through reservation systems, loyalty programs and marketing. But hotel owners should be concerned, because they are generally required to indemnify brands and managers for costs the managers and brands incur. To put it simply, if there is a breach, and if the brand or manager has to pay money to manage the breach, the owner will likely have to pay the bill, or at least have a significant struggle over the issue.

The list also has a potential benefit to hotel owners, because it allows owners to express their expectations of hotel brands and managers. Owners can, and should require their managers and licensors to follow the standards set by the FTC as part of their duties, and bear the cost if they do not.

At the same time, hotel owners should be aware that they, too, are subject to this regime. Hotel owners have to consider that they own, hold and maintain sensitive personal information, such as employment records, health information, financial data and business secrets. As a result, they have a legal obligation to protect that information. Hotel owners must both protect their information, and require their business associates to do the same.

Owners should also consider one additional factor that isn’t addressed in the Wyndham decision, but permeates almost every data breach: The human factor. At least 95% of reported data breaches can be traced to an intentional or unintentional act by a person within or associated with the affected organization. The fact is that a company can comply with all of the deficiencies noted by the FTC and still be subject to a breach, because an individual employee or contractor can, effectively, bypass all technological protections, simply by responding to the wrong email or clicking on the wrong website. Hotel companies are, as we know, focused on individuals, whether it is serving guests or cultivating employees and associates. Hotel owners should demand of their brands and managers that they focus on the importance of individuals in thwarting these attacks and creating an industry that engenders the public’s trust.

A note for hotel operators Hotel operators will be concerned about meeting the rising standards for data security to avoid costly litigation by the FTC and other private parties, to fulfill their duties and expectations under their contracts with owners, and avoid embarrassing publicity on blunders that could have been avoided. Failing to meet minimum standards likely constitutes a breach of contractual obligations, will put the operator at a comparative disadvantage to competitors who offer greater data security, and will suffer bruises to their public image.

Besides, most operators will want to do they best they can because it is the right thing to do for all concerned.

Here are some of the ways JMBM helps clients with data security matters The JMBM Global Hospitality Group® and the JMBM Cybersecurity & Privacy Group work with clients to establish and enforce data security policies, and assists clients when there are breaches. We have helped a variety of clients, including hospitality companies, in developing compliance programs, addressing data breach issues, and negotiating contracts with vendors and providers.

Here are some of the ways we help clients with data security matters:

Click here for more information, including specific examples of projects undertaken for representative clients.

  • Respond to data breaches, including selecting appropriate technology and forensics experts
  • Develop and implement data breach response plans and procedures, and related privacy, information security and data retention policies and procedures
  • Address statutory and regulatory issues
  • Develop effective solutions for protecting and managing information assets and complying with legal requirements, using an approach that will contain costs and maintain operational efficiency
  • Advise clients on international privacy laws and rules on their businesses, including the U.S.–E.U. Safe Harbor Program
  • Address legal challenges posed by social media and mobile applications
  • Negotiate agreements for technologies and services to implement information management systems
  • Conduct internal investigations, particularly those involving sensitive electronically stored information
  • Assist companies in developing appropriate governance tools to the board of directors and executive management levels to address cyber risk

Other information about cybersecurity issues If this article was of interest, you may also wish to read other articles on “Data Technology, Privacy & Security,” which include the following articles:

This is Jim Butler, author of and hotel lawyer, signing off. Why don’t you give us a call (or send an email) and let us know what you working on? We would like to see if our experience might help you create value or avoid unnecessary pitfalls. Who’s your hotel lawyer?