It’s up to every business to protect their customers from identity theft, but unfortunately data breaches are still bound to happen. And now, thanks to the European Union’s General Data Protection Regulation, holding onto guest data could open your hotel up to international liability.
The GDPR went into effect May 25, 2018, to regulate how companies collect, store and utilize customer data for EU citizens. Controllers of personal data must put in place technical and organizational measures to safeguard that data in order to protect guest privacy. If a company is found to be in breach of the GDPR, the organization can be fined up to €20 million or 4 percent of the annual worldwide revenue of the preceding financial year, whichever is greater. A U.S.-based company can be in breach of the GDPR if it is found to have mishandled EU citizens’ data. Furthermore, the GDPR endows EU citizens with the “right to be forgotten” by any company collecting their data.
David Reina, partner at Washington, D.C.-based law firm Morris, Manning & Martin, said by and large the hotel industry has prepared itself for compliance with the GDPR, but because data breaches will remain an ongoing threat it is important to remain up to date on the regulation’s terms and vigilant about your company’s data-management practices.
For now, hoteliers should determine whether they are controllers or processors of data, which will determine their level of liability. This can be difficult due to the makeup of the hotel industry, which is divided among brands, owners and operators, but determining that difference is key. Jackie Collins, senior director and VP of hospitality practice at insurance brokerage and risk management firm Arthur J. Gallagher & Co., said controllers typically decide which data to collect, who it is being collected from and what the purpose of the data collection is.
“It is important to distinguish whether or not you are the controller, processor or both as there are different regulations for the data controller versus the data processor,” Collins said.
Kevin Levy, chair of technology transactions at Florida law firm Gray Robinson, said most hotels would be considered data controllers because they gather data and then decide what to do with it. However, in instances where hotels are gaining information from a third party, such as an online travel agency, the hotel acts as a processor.
“Ultimately, someone is the controller of guest information,” Levy said. “That entity is most at risk.”
The situation is complicated by data-processing addendums, which can shift liability to U.S.-based entities doing business in Europe. For example, if a hotel is doing business with a third-party reservation company in Europe and it signs a data-processing addendum, then the U.S.-based hotel could be on the hook for European data rules.
“If you are a data controller in Europe and you are on the ball, you will have your hotel partners sign the addendum and then they will be forced to comply with European regulations,” Levy said. “This is not what a lot of companies were thinking about going into last May when the GDPR went live.”
Out of Sight, Out of Mind
In November 2018, Marriott International dropped a bombshell on the industry. The company had uncovered a data breach dating back to 2014 that originated with Starwood Hotels & Resorts Worldwide (which Marriott bought in 2016) and impacted as many as 500 million travelers. Since then the number has fluctuated and currently hovers around an estimated 383 million guests, which still makes it one of the largest security breaches ever recorded.
While guests are wondering what the fallout will be and how they will be compensated and security experts are poring over security measures to see just how this could have happened, lawyers are wondering what this means for Marriott under the GDPR.
“It’s the $950 million question,” Reina said. “It’s a little too early to make concrete predictions. Clearly all of the information has not been made available to the public, even the exact extent of the breach and the type of information that was disclosed. There is no precedent in the EU for regulatory authorities in assessing fines of this level.”
Kelly Geary, managing principal, U.S. cyber practice leader and coverage and claims leader at global insurance brokerage and specialty risk-management firm Integro USA, said while this breach may be a wakeup call for some in the corporate community, it also exposes many of the limitations of the current data-collection climate. While the GDPR was specifically founded to hold large corporations accountable for misusing guest data—specifically the Amazons, Facebooks and Googles of the world—actually getting a handle on useful data is proving difficult.
“It’s almost impossible to assess compliance in large companies,” Geary said. “This is among the most complex privacy legislation we have in the world today, and assessing compliance is no easy task regardless of the size of the organization.”
Furthermore, Reina said because the breach first started in 2014, before Marriott's acquisition of Starwood, the situation has the potential to become even more complex.
“There are many factors that could change this situation, but the timing of the Starwood purchase is a big one,” Reina said. “This will likely turn into a case study for [mergers and acquisitions] lawyers when dealing with data security breaches in M&A agreements.”
Looking the Wrong Way
Hoteliers based in the U.S. concerned with running afoul of Europe’s GDPR should pay close attention to events unfolding at home. The California Consumer Privacy Act was signed into law Sept. 23, 2018, and is set to go into effect Jan. 1, 2020, meaning hotels doing business with California residents will face restrictions similar to those found in the GDPR.
The CCPA stipulates California residents will have the right to know what personal information is being collected about them, know whether their personal information is sold or disclosed and to whom, say no to the sale of personal information, access their personal information and have access to equal service and price, even if they exercise their privacy rights.
According to Geary, the appearance and passage of the CCPA should not come as a surprise to U.S. companies seeking to comply with the GDPR.
“California has always been a leader in privacy regulation,” Geary said. “It was the first U.S. state to enact a data breach notification law. Within four or five years we had 20-25 other states enact similar laws. If the federal government can’t agree on a federal law to take precedence on this matter, the states will run with [the CCPA].”
Levy said in some ways, the CCPA will be more strict than the GDPR. For instance, the CCPA prevents corporations from collecting any of a customer’s self-identifying data. In some cases, this would mean a name, phone number or Social Security number.
“It really comes down to disclosure and consent,” Levy said. “Businesses now need to get specific consent to collect or use consumer data.”
In order to prepare, Geary said hotel companies should consult with legal teams as well as technical experts to map the company’s data internally while clarifying potential liability concerns. Additionally, Collins said that this process should be ongoing for hoteliers because they have additional data protection concerns to consider, such as physical access to guest information and on-property equipment.
“Not only are hotel companies subject to having their reservations systems breached, their point-of-sale systems can also be exposed,” Collins said. “The hotel industry is responsible for protecting the data of their guests. Each state has its own set of regulations. To add to that, federal regulations are different from state regulations and international regulations differ as well. The penalties can be quite costly.”