Managing the Rise in Hospitality Data Breaches
Data breaches for employers in the hospitality industry continue to grow at an alarming rate. According to a 2014 whitepaper, “resorts and hotels are becoming increasingly more appealing to hackers because of the volume of information residing on their systems, including credit card data, confidential information for loyalty programs [and] employee data.” More recently, a 2016 analysis by Verizon noted that “we see industries such as Accommodation and Retail accounting for a more significant percentage” of security incidents resulting in actual data loss. Studies conducted by Experian and the Association of Corporate Counsel have found that employee error is the number one cause of data security incidents.
The risk to hospitality employers that do not take appropriate steps to protect their data, as well as their employees and customers’ information, is significant. Traditionally, employers that failed to appropriately secure credit card and other sensitive information and then suffered a data breach have been sued by customers and employees whose data was compromised by the breach. Credit card companies and financial institutions have begun to file data breach lawsuits to recoup their losses, including the cost of refunding consumers for fraudulent purchases. This new development means that there is a highly sophisticated, motivated, and well-funded class of data breach plaintiffs who can allege that they suffered significant money damages.
The Federal Trade Commission has issued guidelines to help employers protect against data breaches. Plaintiffs’ counsels have cited the failure to abide by these guidelines as evidence that an employer is not using an appropriate standard of care. In addition, the failure to follow data security standards, such as the Payment Card Data Security Standard (known as “PCI DSS”), has been used as evidence of negligence.
Hospitality employers’ failure to update their equipment and/or software, such as credit card readers, has also been cited as a factor in negligence actions. Moreover, the recent WikiLeaks release exposed security flaws in Apple and Android devices that, in many cases, have been fixed by more recent security patches and updates to software. Yet, there is a constant arms race between hackers and security systems and, in a few years, or even a few months, employers will likely be expected to adopt new security measures to combat evolving threats. In the employment context, the Internal Revenue Service recently warned hospitality industry employers to alert their employees to Form W-2 (or CEO) email phishing, a data breach scam in which someone posing as a high-level executive seeks to surreptitiously obtain personal information.
When a security breach is detected, employers face significant liability for failing to immediately report the breach to affected parties. Many states, including New York and California, require prompt notification in the event of a data breach. Moreover, employers that delay notifying the victims of a data breach may face damages for losses that could have been prevented by timely notification.
What Hospitality Employers Should Do Now
Employers in the hospitality industry should do the following:
Adopt appropriate policies to prevent data breaches, and take special care to protect devices with access to point-of-sale information.
Be aware that drafting policies is effective only if employees are adequately trained to follow those policies.
Never assume that employees already know or follow data security best practices (a recent study found that millennials are more likely to be cavalier toward data security and not take appropriate precautions).
If you have a high employee turnover, consider conducting frequent trainings to ensure that recent hires are aware of applicable security policies.
In addition to taking steps to prevent security breaches, develop a security breach rapid response plan and team that includes a procedure for alerting impacted customers, employees, and financial institutions.
 The New York Attorney General’s office recently published a press release outlining best practices that New York organizations should follow to protect against data breaches.
 See e.g., California Civil Code § 179.80; Code of Virginia § 18.2-186.6; New York General Business Law § 899-aa; Mich. Comp. Law § 445.72; N.J. Stat. §§ 56:8-163.