Articles Posted in Data Technology, Privacy & Security

Published on:

10 May 2016

One of the great breakout sessions at our recent Meet the Money® hotel conference in Los Angeles was organized by my partner Bob Braun and moderated by Jeff Higley of HotelNewsNow. I was particularly impressed by the panel’s evidence of how costly cybersecurity breaches can be, how much can be done to prevent or limit exposure, and how reasonable the cost can be for a pro-active approach.

Here is Bob Braun’s summary of this panel last week in Los Angeles. This is a compelling call for an ounce of prevention. . .


5 Cybersecurity takeaways from Meet the Money®
Bob Braun, Hotel Lawyer and Data Security Advisor

Meet the Money® changes with the times, and the 2016 conference showcased the first panel on Cybersecurity in the hospitality industry – “Who’s Knocking at Your Digital Door,” featuring Bob Braun, from JMBM’s Global Hospitality Group and Co-Chair of the Firm’s Cybersecurity and Privacy Group; Bob Justus, of Optiv Security; Brad Maryman, from Maryman & Associates; Christian Ryan, from MARSH; and Kevin Shamoun, from Zeamster.  Jeff Higley, of STR/ moderated the panel.

The panelists, representing technical, legal, law enforcement, insurance and payment systems backgrounds, identified key cybersecurity challenges for the hospitality industry.  Five key takeaways were:

  • Compliance does not equal security. Each of the panelists agreed that while meeting legal and business requirements is essential, compliance does not necessarily achieve real cybersecurity — completing checkboxes on a task list or questionnaire is only a first step. The panelists noted that each of the major hotel breaches in the last year, which involved every major hotel chain, implicated point of service credit card systems that complied with industry standards.  Hotels and hotel companies need to look beyond complying with standardized requirements and have to evaluate their own risk profile and apply meaningful security plans.
  • Informed response is better than instant response. Too many organizations make the mistake of reacting before they think, especially when reporting a breach. Data breaches can be complicated matters, and it is essential to understand the scope of the breach, the data and individuals involved, and how a firm can remediate the source of the problem before disclosure. There is no question that speed is important, but some breaches do not require notification, while acting without ascertaining the facts can require multiple notifications, which is damaging to reputation and sends the wrong message.
  • Credit cards are not the only risk. While much focus is placed on the theft of credit card numbers, hotels must consider other risks. Hotels and hotel companies hold massive amounts of sensitive personal information that can be used to steal a guest’s identity.  Moreover, hotels need to consider more than data; the interconnection of systems means that breaking into a financial structure can give a hacker access to door locks, heating and air conditioning systems, electrical, plumbing and other key structural and physical parts of the hotel.  What would happen if a hacker flooded a hotel, or opened the doors?  This damage can far exceed the damage from lost credit cards, and cause untold damage to the hotel, its brand and owners.


Published on:

11 January 2016

What part do hotel owners play in preventing a cyberattack and the resulting data breach? The hospitality industry relies on its reputation for confidence, and that confidence can be shattered when guests learn that their private information has been compromised. What can hotel owners do and how should they work with brands and management to prevent a cyberattack?

In the article below, my partner, Bob Braun reminds hotel owners that because they are generally required to indemnify brands and managers for costs the managers and brands incur – which could include a costly data breach – it is in the owners’ best interests to have a comprehensive plan in place.  This article first appeared in Hotel Business Review in December 2015, and is reprinted with permission from

Not Just Heads in Beds – Cybersecurity for Hotel Owners

Bob Braun, Hotel Lawyer and Data Security Advisor

The basics of the hotel business have traditionally been simple: good location, fair prices, appropriate amenities and good service were the keys to success. While those factors are important today, hotels are no longer simply a “heads in beds” business; hotels are increasingly brand-oriented. Brands focus not only on the services and products they sell, but on developing the perception and recognition of the brand associated with those goods and services. That means that hotels, like all brands, need to focus more and more on understanding their customers and how to reach them, whether through loyalty programs, advertising, social media or otherwise.

The upshot of the focus on branding in the hospitality business is that hotels gather lots of information about their guests, ranging from credit card data to addresses, phone numbers, travel plans and preferences, birthdays, and more – all of which are valuable not just to the hotel brands and operators, but to cyberthieves. While hotel companies have understood this for years, they are, along with other customer-intensive industries, learning that collecting that information comes with responsibilities and, possibly, liability.

Cybercrime is big business. In 2014, there were 42.8 million detected security incidents (and, most likely, many more that were never discovered). Estimates of the annual cost of cybercrime to the global economy range from $375 billion to as much as $575 billion as companies face increased vulnerability, ranging from greater technology available to cybercriminals to new types of cybercrime, like crypto-ransom. Cybercriminals began targeting hotels years ago. In 2010, a Forbes magazine article quoted Nicholas Percoco, who said that “The hospitality industry was the flavor of the year for cybercrime. These companies have a lot of data, there are easy ways in and the intrusions can take a very long time to detect.” The lesson for hotel owners is that they cannot stand idly by – hotel owners must be proactive by instituting best practices in their own operations, requiring the same from managers, and obtaining insurance coverage to fund the inevitable costs of a breach.

The Wyndham Case

The threat to the hospitality industry became particularly evident in the recent federal court case brought by the Federal Trade Commission (the FTC) against Wyndham Hotels. On August 24, 2015, the Third Circuit United States Court of Appeals issued its ruling in the case FTC v. Wyndham Worldwide Corporation. The case was highly anticipated by the data security community generally for its expected ruling on the authority of the Federal Trade Commission to regulate data security standards, but nowhere was the anticipation more keen than in the hospitality industry. After all, this decision didn’t deal with retailers, banks or dating sites – it addressed a major hotel player and, by implication, all operators, brands and owners in the industry. The decision should be a wake-up call to hotel owners because, as described below, hotel owners may ultimately bear the cost of data breaches involving their hotels. Owners should look at the Wyndham decision as an opportunity to consider whether their brands and managers have taken the steps necessary to protect guests and, ultimately, the hotel owner.


Published on:

03 November 2015

FCC takes two enforcement actions on Wi-Fi

On November 2, 2015, the FCC issued two separate news releases on Wi-Fi blocking. In one action, the FCC announced a $718,000 fine against M.C. Dean, one of the nation’s largest electrical contracting companies, for blocking personal mobile “hotspots” of convention visitors and exhibitors who tried to use their own data plans at the Baltimore Convention Center to connect to the Internet rather than paying M.C. Dean substantial fees to use the company’s Wi-Fi service.

FCC fines Wi-Fi hotspot provider M.C. Dean

According to the FCC, as the exclusive provider of Wi-Fi access at the Baltimore Convention Center, M.C. Dean charges exhibitors and visitors as much as $1,095 per event for Wi-Fi access. Last year, the Commission received a complaint from a company that provides equipment that enables users to establish hotspots at conventions and trade shows. The complainant alleged that M.C. Dean blocked hotspots its customers had tried to establish at the Baltimore Convention Center. After receiving the complaint, FCC Enforcement Bureau field agents visited the venue on multiple occasions and confirmed that Wi-Fi blocking activity was taking place.

The Enforcement Bureau’s investigation found that M.C. Dean engaged in Wi-Fi blocking at the Baltimore Convention Center on dozens of occasions in the last year. During the investigation, M.C. Dean revealed that it used the “Auto Block Mode” on its Wi-Fi system to block consumer-created Wi-Fi hotspots at the venue. The Wi-Fi system’s manual describes this mode as “shoot first, and ask questions later.” M.C. Dean’s Wi-Fi blocking activity also appears to have blocked Wi-Fi hotspots located outside of the venue, including passing vehicles. The Commission charged M.C. Dean with violating Section 333 of the Communications Act by maliciously interfering with or causing interference to lawful Wi-Fi hotspots.

FCC fines and warns Hilton

In a separate announcement, unrelated except as to the subject matter, the FCC proposed a $25,000 fine against Hilton Worldwide Holdings, Inc. for “apparent obstruction of an investigation into whether Hilton engaged in the blocking of consumers’ Wi-Fi devices”. A consumer complaint alleged that Hilton was blocking visitors’ Wi-Fi in Anaheim, California in order to force them to pay a $500 fee to access Hilton’s Wi-Fi. Other complaints alleged similar Wi-Fi blocking at other Hilton-brand properties.

Published on:

02 September 2015

Blocking Wi-Fi connections is “patently unlawful”

On August 18, 2015, the FCC announced a $750,000 civil penalty and formal Consent Decree with Smart City Holdings for blocking consumers’ personal Wi-Fi access at various convention centers, meeting centers and hotels around the United States. Smart City is an internet and telecommunications provider for such facilities, and had been blocking personal mobile “hotspots” being used by convention and meeting attendees.

Apparently referring to the $80 daily fee charged by Smart City for use of its Wi-Fi at the events, Travis LeBlanc, Chief of the FCC’s Enforcement Bureau said, “It is unacceptable for any company to charge consumers exorbitant fees to access the Internet while at the same time blocking them from using their own personal Wi-Fi hotspots to access the Internet.”

The FCC Enforcement Chief went on to say, “All companies who seek to use technologies that block FCC-approved Wi-Fi connections are on notice that such practices are patently unlawful.”

The FCC is focused on preventing Wi-Fi blocking

The FCC action in the Smart City case really emphasizes how serious the FCC is about stopping hotels and related facilities from blocking consumer hotspots in order to sell their own more expensive access to the internet.

Starting with a high-profile investigation and settlement with Marriott International last year, the FCC has taken the following steps:

Published on:

31 August 2015

Massive data breaches affect hotels and their legal responsibilities. As unauthorized hacking of confidential data explodes in volume and seriousness, minimum expected standards are evolving that hoteliers and others must follow. Interestingly, the latest guidelines are provided in an August 24, 2015 appellate court decision involving Wyndham Worldwide as if to emphasize that these rules (really) apply to the hotel industry. How did this case arise? What are some basic steps that everyone with confidential data is expected to take? What happens if they don’t?

In the article below, my partner Bob Braun explains the current situation and what it means to our industry.

FTC vs. Wyndham Worldwide – What it Means for Hotel Owners

Bob Braun, Hotel Lawyer and Data Security Advisor

Background on the case

On August 24, 2015, the Third Circuit United States Court of Appeals issued its ruling in the case FTC v. Wyndham Worldwide Corporation. The case was highly anticipated by the data security community generally for its expected ruling on the authority of the Federal Trade Commission to regulate data security standards, but nowhere was the anticipation more keen than in the hospitality industry. After all, this decision didn’t deal with retailers, banks or dating sites – it addressed a major hotel player and, by implication, all operators, brands and owners in the industry.

We know that cybercrime is big. In 2014, there were 42.8 million detected security incidents (and, most likely, many more that were never discovered). Estimates of the annual cost of cybercrime to the global economy range from $375 billion to as much as $575 billion as companies face increased vulnerability, ranging from greater technology available to cybercriminals to new types of cybercrime, like crypto-ransom.

Published on:

4 October 2014

Have you ever wondered why your cell phone or personal Wi-Fi hot spot does not seem to work in some hotels?

As more business and leisure travelers equip themselves to stay in constant communication with their work place and families, they have accelerated the tendency to shun high-priced hotel room telephones and internet connections. But sometimes, even when you are in the middle of New York City (or other major urban gateway) on a high floor, your cell service or Mi-Fi just does not seem to work, and you wonder if it is being jammed intentionally by the hotel.

On Friday, October 3, 2014, the Federal Communications Commission (FCC) confirmed (at least in one case) what a lot of travelers have suspected of hotel operators when it announced that Marriott International had signed a Consent Decree and agreed to pay a $600,000 civil penalty to resolve the FCC’s Wi-Fi blocking investigation. This was an investigation into whether Marriott intentionally interfered with and disabled Wi-Fi networks established by consumers in the conference facilities of the Gaylord Opryland Hotel and Convention Center in Nashville, Tennessee, in violation of Section 333 of the Communications Act.

According to the official FCC announcement, the FCC Enforcement Bureau’s investigation revealed that Marriott employees had used containment features of a Wi-Fi monitoring system at the Gaylord Opryland to prevent individuals from connecting to the Internet via their own personal Wi-Fi networks, while at the same time charging consumers, small businesses, and exhibitors as much as $1,000 per device to access Marriott’s Wi-Fi network.

Interfering with private cell phones, Wi-Fi or similar equipment violates federal law

The FCC has set up a special area on its website for providing information about and enabling the public to report illegal jamming. See

On the website, the FCC prominently displays this warning:

Published on:

14 January 2014

Hotel Lawyer: The growing problem of security breaches with sensitive customer information.

The recent headlines about the Target and Neiman Marcus security breaches involving customer credit cards highlight a growing crisis that concerns owners and operators of hotels as well as retailers. In this article, Bob Braun, one of the senior members of our Global Hospitality Group® who focuses on data security — when he is not working on hotel management or franchise agreements — gives us some thoughts on what to do about this problem.

The Target and Neiman Marcus breaches:
What hoteliers need to know
Robert E. Braun | Senior Member, Global Hospitality Group®

The Target and Neiman Marcus problem. The massive security breach of Target’s customer data may affect more than 110 million Americans — potentially about 1 in 3 persons living in the United States. Followed in quick succession by another 40 million customers of Neiman Marcus (and more disclosures expected soon from other retailers), it is time for us in the hotel industry to look at our own policies and procedures, and to think about how we should respond to these malicious attacks.

Hoteliers beware. Hotels are obvious targets for identity and financial theft for many reasons. Hotels transact business through credit cards, and those credit cards are kept on file and can be accessed multiple times during a guest’s stay. The possibility that a credit card charge will be recorded occurs with each night’s room charge, room service, bar or restaurant bill, spa charge, and so on. Every charge is another opportunity for an identity thief to access the information using sophisticated computer hacks and other malicious software, generally without the hotel’s knowledge.

The need to respond to guest demands is another source of insecurity. The Identity Theft Resource Center noted, “The ability to connect to the Internet is an integral part of many individual’s daily life. This has led to the increased demand for public WiFi.” As a result, hotels find themselves compelled to offer wireless internet, and that service is almost always unsecured. But an unsecured wireless network is “just as dangerous as leaving files of your most important personal documents on a street curb for all to see. Hackers can easily get into an unsecured wireless network and get financial information, business records or sensitive e-mails.” (PC World, “Got Wireless Security”). At the same time, hotels have little say in the matter. Guests demand wireless internet service.

Finally, hotels have employees — lots of employees — and many of them have access to the credit card and other personal information of guests. No matter how well trained and supervised, more personnel correlates to greater risk. The fact that low-level employees typically have access to key guest information, and that there is, historically, a high turnover in hotel employees, exacerbates the problem.

What happened to Target? While investigations are continuing, sources have reported that investigators believe the attackers used similar techniques and pieces of malicious software to steal data from retailers. One of the pieces of malware is a RAM scraper, or memory-parsing software, which allows cyber criminals to grab encrypted data by capturing it when it travels through the live memory of a computer, where it appears in plain text, the sources said. While the technology has been around for many years, its use has increased in recent years as retailers have improved their security, making it more difficult for hackers to obtain credit card data using other approaches.

The lesson? Even as merchants become more vigilant and focus on the security of their systems, criminals have become more sophisticated and are investing more time and effort in crafting their own systems.


Published on:

11 April 2013

Hotel Lawyer on technology challenges to your proprietary and sensitive corporate information. The continuing advances of technology continue to present a double edged sword. On the one edge are tremendous cost savings, efficiencies and power to manage information. On the other edge are daunting issues of information security and privacy.

In the article below, two of our Global Hospitality Group® lawyers talk about a recent court decision from the respected Second Circuit in New York that has important implications for every employer in the hospitality industry. It serves as a reminder that good employee handbooks and company policies are important to protecting your valuable business information and electronic data.

Here is what it is all about.


Published on:

5 January 2013

Hotel Lawyer on how new privacy law enforcement may affect your mobile apps used in marketing. Hotel lawyer Robert Braun has an alert that may save you an unnecessary class action or troublesome lawsuit (or enforcement action). Although the California Attorney General has started the furor, the impact of this approach will affect any company that deals with even one consumer in the state of California, and thus is likely to affect most of the hospitality industry in the United States, and many companies outside the US.

Here is what it is all about.

Privacy on the Move
California Imposes New Requirements
on Mobile Apps

Robert E. Braun | Hotel Lawyer

Hotel companies are actively entering the mobile application space as a means of gaining market share and solidifying guest relations. In addition to online travel agents like, a number of brands including Omni, Choice and Starwood have developed mobile applications. However, as mobile applications gain popularity, hotel companies should consider how privacy and security laws will impact how they can use those applications.

For companies with operations in California, that issue was highlighted on December 6, 2012, when the California Attorney General filed a lawsuit against Delta Airlines for failing to include a privacy policy with a smartphone application. The lawsuit, the first of its kind, alleges that Delta violated California law requiring online services to “conspicuously post its privacy policy” by failing to include such a policy with its “Fly Delta” mobile application.

The California online privacy law

In 2004, California enacted the California Online Privacy Protection Act (“CalOPPA”). This law requires operators of websites and online services to “conspicuously post” privacy policies about the personal information that is collected, how the consumer can access or request changes to personal information, how the operator of the site will notify consumers of changes, and the effective date of the policy.

In the case of an online service, “conspicuously posting” a privacy policy requires that the policy be “reasonably accessible…for consumers of the online service.”


Published on:

7 October 2012

Hotel Lawyer on hotels’ liability for failure to protect hotel guests’ personal identities

My partner Robert Braun advises hotel owners in a wide range of operational issues, including information management. Because of the ubiquitous use of credit cards by hotel guests during a stay, as well as the growing demand for WiFi availability, hotels have been increasingly targeted by identity thieves. In his article below, Bob explains how hotels’ liability for this new type of guest security has grown and what hotels can do to protect their guests’ identities.

Hotel Liability for Guest Information and Identity
What you need to know
Robert E. Braun | Hotel Lawyer

A version of this article was first published in the September 21, 2012 issue of Hotel Business and is reprinted with permission.

Not too long ago, keeping guest information safe was a fairly straightforward process – perhaps the most innovative development was providing an in-room safe for valuables. This approach made sense at the time, when guest security was a matter of securing people and their physical possessions.

The industry now recognizes that hotel guests have valuables to protect that go far beyond watches and wallets, or even laptops and iPads – perhaps the most valuable information a hotel guest has is his or her identity, and unless a hotel actively safeguards it, those valuables are at risk. The ubiquity of credit card, wireless internet and other options, while essential to hotel operations, is also a source of insecurity.