January 21, 2020

January 20, 2020

Subscribe to Latest Legal News and Analysis

Managing the Rise in Hospitality Data Breaches

Data breaches for employers in the hospitality industry continue to grow at an alarming rate. According to a 2014 whitepaper, “resorts and hotels are becoming increasingly more appealing to hackers because of the volume of information residing on their systems, including credit card data, confidential information for loyalty programs [and] employee data.” More recently, a 2016 analysis by Verizon noted that “we see industries such as Accommodation and Retail accounting for a more significant percentage” of security incidents resulting in actual data loss. Studies conducted by Experian and the Association of Corporate Counsel have found that employee error is the number one cause of data security incidents.

The risk to hospitality employers that do not take appropriate steps to protect their data, as well as their employees and customers’ information, is significant. Traditionally, employers that failed to appropriately secure credit card and other sensitive information and then suffered a data breach have been sued by customers and employees whose data was compromised by the breach. Credit card companies and financial institutions have begun to file data breach lawsuits to recoup their losses, including the cost of refunding consumers for fraudulent purchases. This new development means that there is a highly sophisticated, motivated, and well-funded class of data breach plaintiffs who can allege that they suffered significant money damages.

The Federal Trade Commission has issued guidelines to help employers protect against data breaches. Plaintiffs’ counsels have cited the failure to abide by these guidelines as evidence that an employer is not using an appropriate standard of care. In addition, the failure to follow data security standards, such as the Payment Card Data Security Standard (known as “PCI DSS”), has been used as evidence of negligence.[1]

Hospitality employers’ failure to update their equipment and/or software, such as credit card readers, has also been cited as a factor in negligence actions. Moreover, the recent WikiLeaks release exposed security flaws in Apple and Android devices that, in many cases, have been fixed by more recent security patches and updates to software. Yet, there is a constant arms race between hackers and security systems and, in a few years, or even a few months, employers will likely be expected to adopt new security measures to combat evolving threats. In the employment context, the Internal Revenue Service recently warned hospitality industry employers to alert their employees to Form W-2 (or CEO) email phishing, a data breach scam in which someone posing as a high-level executive seeks to surreptitiously obtain personal information.

When a security breach is detected, employers face significant liability for failing to immediately report the breach to affected parties. Many states, including New York and California, require prompt notification in the event of a data breach.[2] Moreover, employers that delay notifying the victims of a data breach may face damages for losses that could have been prevented by timely notification.

What Hospitality Employers Should Do Now

Employers in the hospitality industry should do the following:

  • Adopt appropriate policies to prevent data breaches, and take special care to protect devices with access to point-of-sale information.

  • Be aware that drafting policies is effective only if employees are adequately trained to follow those policies.

  • Never assume that employees already know or follow data security best practices (a recent study found that millennials are more likely to be cavalier toward data security and not take appropriate precautions).

  • If you have a high employee turnover, consider conducting frequent trainings to ensure that recent hires are aware of applicable security policies.

  • In addition to taking steps to prevent security breaches, develop a security breach rapid response plan and team that includes a procedure for alerting impacted customers, employees, and financial institutions.

[1] The New York Attorney General’s office recently published a press release outlining best practices that New York organizations should follow to protect against data breaches.
[2] See e.g., California Civil Code § 179.80; Code of Virginia § 18.2-186.6; New York General Business Law § 899-aa; Mich. Comp. Law § 445.72; N.J. Stat. §§ 56:8-163.

©2020 Epstein Becker & Green, P.C. All rights reserved.


About this Author

Daniel J. Green, labor, employment, attorney, Epstein Becker, law firm

DANIEL J. GREEN is an Associate in the Labor and Employment practice, in the New York office of Epstein Becker Green.

Mr. Green:

  • Defends clients in EEOC investigations

  • Defends clients against unfair labor practice complaints involving, among other things, ambiguities in collective bargaining agreements

  • Opposes the class certification of plaintiffs in actions alleging misclassification as independent contractors

Donald S. Krueger, Epstein Becker, Labor and Employment Lawyer,
Senior Counsel

DONALD S. KRUEGER is a Senior Counsel in the Labor and Employment practice in the Firm's New York office. He represents employers in all aspects of labor and employment law, in a wide range of industries, including health care, financial services, real estate, manufacturing, construction, hospitality and transportation.

  • Counsels clients on all aspects of compliance with federal, state or local laws affecting labor and employment relations

  • Represents management on traditional labor law issues, including union organizing campaigns, decertification proceedings, unfair labor practices and related proceedings before the National Labor Relations Board, corporate campaigns, collective bargaining, arbitrations, injunction proceedings and strikes, lockouts, picketing and demonstrations

  • Strategizes and advises management on complex labor relations issues such as reductions in force, plant closings, work relocations and outsourcings

  • Litigates labor, employment, and civil rights disputes in federal and state courts and before administrative agencies

  • Conducts wage and hour, labor and employment relations audits