Assessing Risk to Hotels in an Age of Data Breaches
In their latest article for the New York Law Journal, Todd Soloway, Chair of Pryor Cashman’s Hotel + Hospitality Group, and Partner Bryan Mohler evaluate the risks borne by hotel owners, operators and insurers in the event of a data breach.
“The hospitality industry has not been spared from exposure to breaches, and in fact several of the most widely publicized incidents involve some of the largest hotel brands in the world,” Soloway and Mohler wrote. “InterContinental Hotels Group, Wyndham Worldwide, Hard Rock Hotels, Omni Hotels & Resorts and Hilton Hotels, among others, have all been publicly cited as victims of cyber-attacks and resulting data breaches.”
Who May Bring Suit?
While these incidents have been widely covered in the media, the potential liability stemming from each breach has been less reported.
Following a breach, questions arise regarding which parties may bring actions, against whom, and for what damages. A hotel guest whose financial or personal information was compromised as a result of a data breach may bring suit against the hotel owner and/or operator. The Federal Trade Commission (FTC), which has the authority to regulate cybersecurity, may also pursue an action against the hotel following a breach.
Additionally, credit card companies may be entitled to bring suit against a hotel in the wake of a data breach pursuant to certain provisions in service agreements which allow the credit card issuer to sanction merchants when a breach occurs.
Who is Liable in the Event of a Breach?
“It is generally the case that hotel operators, rather than hotel owners, are the entities that collect and store guests' financial and personal information. But that does not mean that hotel owners will escape liability in the event of a data breach, since most hotel management agreements contain language obligating the owner to indemnify the operator, depending upon the vintage of the contract,” the authors explained.
“While this language generally was envisioned to cover slip-and-fall and third-party type liability, hotel operators are likely to take aggressive positions that such language places all risk on the hotel owner. Thus, owners would benefit from considering the implications of a potential data breach before it strikes.”
To read Soloway and Mohler’s full NYLJ article, please click here.
More About the Authors
Todd Soloway leads Pryor Cashman’s Hotel + Hospitality and Real Estate Litigation Groups. He has been named a leading attorney in real estate law by Best Lawyers in America and Super Lawyers, and is a frequent contributor to industry publications.
Bryan Mohler is a partner in Pryor Cashman’s Hotel + Hospitality and Real Estate Litigation Groups. He has been recognized as a “Rising Star” by Super Lawyers. Both he and Soloway were members of the litigation team from Pryor Cashman that won a $44M judgment against Starwood Hotels in a matter involving breaches of the operative HMA.
Danielle Tepper, an associate in Pryor Cashman’s Litigation Group, also assisted with the preparation of this article.
