Do as You Say (and as You Should Do): How the Hospitality Industry Can Brace for Data Privacy Actions
On October 2, 2015, Trump International Hotels became the latest in a growing line of data breach class action victims. Driscoll v. Trump International Hotels Management LLC, No. 15-cv-1089 (S.D. Ill.). Indeed, the hospitality industry as a whole is seeing increased scrutiny from both plaintiffs’ attorneys and federal regulators. Less than two months ago, the Third Circuit Court of Appeals affirmed the Federal Trade Commission’s broad authority to clamp down on the allegedly lax cybersecurity measures implemented by Wyndham Worldwide. F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).
The Trump and Wyndham cases highlight a growing trend among both federal regulators and plaintiffs’ attorneys in the data privacy realm: data privacy claims founded in large part on a defendant’s own privacy policies and industry standards, using those very policies and standards against it.
Given the amount of consumer information the hospitality industry maintains—and how vast and sprawling a hospitality chain’s own network can be—it is crucial going forward that hospitality companies consistently evaluate their own privacy policies and practices to ensure that they are in fact doing as they say.
Recent Data Privacy Litigation
The newly filed Trump class action stems from a data breach allegedly running from May 19, 2014 to June 2, 2015 in which hackers were able to access the Trump computer systems and obtain a variety of customer data, including payment card information. The foundation of the complaint—which alleges claims of unfair competition and common law claims of negligence, breach of contract and unjust enrichment—is Trump’s alleged failure to abide by industry standard data security practices, including the Payment Card Industry Data Security Standard.
Where to Go From Here
As the above cases demonstrate, plaintiffs’ attorneys and federal regulators alike are heavily scrutinizing whether companies’ data privacy practices comport with their own consumer-facing privacy policies and basic industry standards. Industries like hospitality—where the amount of information a given entity maintains is voluminous, often encompassing dozens of locations across the country—are especially vulnerable because company-wide oversight is so difficult.
Going forward, the hospitality industry, through its in-house and outside counsel, should make a concerted effort to consistently monitor, evaluate and audit its own privacy policies—both internal and external—and industry standards and ensure that its practices live up to what it preaches. This simple measure can go a long way toward avoiding legal scrutiny.