Articles Posted in Data Technology, Privacy & Security

Published on:

25 May 2018

The European Union’s General Data Privacy Regulation, rules protecting the privacy of personal information, has gone into effect and impacts every company that does business in the EU. This will impact hotel owners, developers, brands, operators and managers–any company with a hotel property in the EU or that collects information from EU citizens must adhere to the new regulations.

What does that mean for your business, and where should you start the process of compliance? Senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group Bob Braun summarizes the issues, below.

Why should I Care About GDPR?
by
Bob Braun

The importance of May 25, 2018. If you are reading this, you have probably been inundated with emails from companies announcing that they have adopted new and better privacy and security policies and procedures. This isn’t a coincidence – as of May 25, 2018, the EU’s General Data Privacy Regulation (GDPR) requires every organization that does business in the EU, or that collects information from EU citizens, to guarantee the privacy and accuracy of personal information. While the purpose of the GDPR is to strengthen and unify data protection for all individuals within the EU, its effect is worldwide; every organization that does business in the European Union or collects personal information from individuals in the European Union is subject to this regulation.

Published on:

 
22 January 2018

Protecting guests’ information (and employees’ information) from hackers is one of the biggest business challenges faced by hotel owners today. Data breaches can result in loss of reputation and loss of revenue, and can trigger costly lawsuits and government investigations.

In his earlier article, Not Just Heads in Beds – Cybersecurity for Hotel Owners, my partner Robert Braun reminds hotel owners that they are generally required to indemnify brands and managers for costs incurred, which could include the cost of a data breach. Now, in his article below, he discusses why hotel data breaches are prevalent and what owners need to do to create a secure data environment for the properties they own.

Cyberattacks on Hotels — What Should Hotel Owners and Operators Do?
by
Robert E. Braun, Hotel Lawyer

This article was originally published by Hotel Business Review and is reprinted with permission from www.hotelexecutive.com.

Almost as soon as there were data breaches, hotels became a prime target of hackers, and the hospitality industry has consistently been one of the most commonly targeted businesses. Since 2010, hotel properties ranging from major multinational corporations to single location hotels have been impacted.

The recent report that Hyatt Hotels was a victim for the second time in as many years has raised more concerns about the industry’s ability to address cybersecurity. While consumers are so used to receiving breach notices that “breach fatigue” has set in, the second successful attack on Hyatt is sure to raise the eyebrows of regulators, plaintiffs’ lawyers, and guests. The data breach will affect the loyalty, trust and consumer perception of all Hyatt Hotels guests. So how can hotels prove to guests that they are safe and trustworthy?

“While the company claims that it has implemented additional security measures to strengthen the security of its systems, no explanation was given as to why these additional measures were not implemented after the first attack,” said Robert Cattanach of Dorsey & Whitney. “Estimates of actual harm have yet to be provided, which is typically the weak spot of any attempted class action, but the liability exposure seems problematic regardless.”

Hyatt is in no way alone. On November 2, 2017, the BBC reported that Hilton was fined $700,000 for “mishandling” two data breaches in 2014 and 2015. The attorneys general of New York and Vermont said Hilton took too long to inform their guests about the breaches and the hotels “lacked adequate security measures.” Hilton discovered the first of the two breaches in February 2015 and the second in July 2015, according to the article, but the company only went public with the breaches in November 2015. The company has said there is no evidence any of the data accessed was stolen, but the attorneys general said the tools used in the data breaches made it impossible to determine what was done.

 

Bob Braun is a Senior Member of JMBM’s Global Hospitality Group® and is Co-Chair of the Firm’s Cybersecurity & Privacy Group. Bob has more than 20 years’ experience in representing hotel owners and developers in their contracts, relationships and disputes with hotel managers, licensors, franchisors and brands, and has negotiated hundreds of hotel management and franchise agreements. His practice includes experience with virtually every significant hotel brand and manager.

Bob also advises clients on condo hotel securities issues and many transactional matters, including entity formation, financing, and joint ventures, and works with companies on their data technology, privacy and security matters. These include software licensing, cloud computing, e-commerce, data processing and outsourcing agreements for the hospitality industry.

In addition, Bob is a frequent lecturer as an expert in technology, privacy and data security issues, and is one of only two attorneys in the 2015 listing of SuperLawyers to be recognized for expertise in Information Technology. Bob is on the Advisory Board of the Information Systems Security Association, Los Angeles chapter, and a member of the International Association of Privacy Professionals. Contact Bob Braun at 310.785.5331 or rbraun@jmbm.com.


This is Jim Butler, author of www.HotelLawBlog.com and hotel lawyer, signing off. Please contact us if you would like to discuss any issues or developments that affect your hotel interests. We would like to see if our experience might help you create value or avoid unnecessary pitfalls. Who’s your hotel lawyer?


Jim Butler is a founding partner of JMBM and JMBM’s Global Hospitality Group®, which provides business and legal advice to hotel owners, developers and investors. This advice covers hotel purchase, sale, development, financing, franchise, management, labor & employment, litigation, ADA, IP, EB-5 matters and many other areas.

Jim is recognized as one of the top hotel lawyers in the world and has led the Global Hospitality Group® in more than $71 billion of hotel transactions and more than 3,800 hotel properties located around the globe.

Jim’s group has advised on more than 100 EB-5 projects, closed more than $1.5 billion of EB-5 financing, and sourced more than half of that for our clients.

Contact Jim at +1-310.201-3526 or JButler@jmbm.com

Published on:

 
25 October 2017

Cybersecurity breaches and risk management continue to be a concern for businesses of all sizes and types. A recent warning distributed by the U.S. Department of Homeland Security and the FBI regarding targeted hacks in several critical industries is an illustration that anyone can be vulnerable to such tactics, including the hospitality industry. My partner Bob Braun, senior member of JMBM’s Global Hospitality Group® and co-chair of JMBM’s Cybersecurity and Privacy Group, summarizes the recent report and its conclusions below.

Homeland Security Warns Against Threats to US Infrastructure
by
Robert E. Braun

The Department of Homeland Security and Federal Bureau of Investigation distributed an email warning late on Friday, October 20, 2017, that the nuclear, energy, aviation, water and critical manufacturing industries have been targeted along with government entities in attacks dating back to at least May. In particular, the agencies reported that hackers had compromised some targeted networks, but did not identify specific victims or provide other details.

While the report focused on threats to nuclear and conventional power, water, and other infrastructure, the very fact that the DHS and the FBI chose to make a public statement highlights how important the issue is to all industries, and the concern that an attack on infrastructure could have a devastating impact on all aspects of the American economy.

The report noted that, as in many malware attacks, hackers seek to compromise networks with “spear phishing” – emails tailored to reach specific individuals – with malicious attachments and tainted websites with a goal of obtaining credentials that allow the hackers to access computer networks.

Published on:

19 July 2017

Hotels rely on third-party vendors to help run their properties efficiently, and often must give them access to sensitive guest data. This leaves hotels vulnerable to cyber attacks; they’re only as secure as their vendors are, and may find themselves directly liable for a data breach.  My partner Bob Braun, senior member of JMBM’s Global Hospitality Group® and co-chair of JMBM’s Cybersecurity and Privacy Group, discusses recent hotel cybersecurity breaches and how hotel owners can protect themselves.

Hotel data breaches
It’s not you, it’s your “friends”
by
Robert E. Braun

July was another notable month for hotel data breaches – on a single day, several well-known hotel brands and managers, including Four Seasons, Trump Hotels, Hard Rock Hotels & Casinos and Loews Hotels all announced that customer data may have been compromised as a result of a security failure. Each of the incidents is related to Sabre Hospitality Solutions’ credit card data breach in its SynXis hotel-reservations system, which Sabre first announced in a quarterly filing with the Securities and Exchange Commission on May 17. Based on Sabre’s investigation, Sabre announced that the breach was contained to “a limited subset of hotel reservations,” but the incident did allow an unauthorized party to access cardholder names, payment card numbers, card expiration dates, card security codes for some, and, in some cases, guest name, email, phone number and address.

Moreover, the duration of the breach was quite long. Sabre’s investigation determined that the unauthorized party first obtained access to payment card and other reservation information on August 10, 2016, and the last access to payment card information was on March 9, 2017. The hackers had potential access for seven months.


Published on:

1 February 2017

Theft of confidential data by hackers is a major threat to businesses worldwide and the hotel industry is no exception. Hoteliers remain vulnerable to hackers seeking confidential information such as guests’ credit card data and employees’ personal information. They are also vulnerable in other ways. In a recent hotel breach, the hackers did not go after confidential data, but rather sought a ransom payment after taking control of the hotel’s technology. My partner Bob Braun, senior member of JMBM’s Global Hospitality Group® and co-chair of JMBM’s Cybersecurity and Privacy Group, describes what happened, and shares what hotels can do in response to such threats.

Hotels and Ransomware — Something Special
by
Robert E. Braun

Last year, at the Global Hospitality Group’s Meet the Money™ Conference, I participated in a panel on Cybersecurity and we discussed how cybersecurity issues affect the hotel industry.  One of the comments was that hotels, more than most private industries, have to take into account the kind of physical harm that might be done by a hacker. We noted that not only are guest information systems targets, but also the life and safety systems – HVAC, elevators, electricity and so on.  We concluded that while financial theft could impact a hotel and its reputation, a hack of the physical structure of a business could put the hotel out of business.

Locked Out

Our discussion turned out to be prescient when, this week, Romantik Seehotel Jaegerwirt, in the Austrian Alps, had their systems frozen by hackers, which resulted in the complete shutdown of hotel computers.

The 111-year-old hotel had already been targeted by hackers twice.  This time, however, the hackers breached the key card system, made it impossible for guests to enter their rooms and prevented the front desk from reprogramming cards.

The hackers demanded €1500 in Bitcoin, promising that control of the key card system and room locks would be returned. Management of the hotel, fully occupied at the beginning of the winter season, chose to pay the ransom, rather than attempt a solution that could have taken significant time and harmed their 180 guests.

Published on:

 
10 May 2016

One of the great breakout sessions at our recent Meet the Money® hotel conference in Los Angeles was organized by my partner Bob Braun and moderated by Jeff Higley of HotelNewsNow. I was particularly impressed by the panel’s evidence of how costly cybersecurity breaches can be, how much can be done to prevent or limit exposure, and how reasonable the cost can be for a pro-active approach.

Here is Bob Braun’s summary of this panel last week in Los Angeles. This is a compelling call for an ounce of prevention. . .

 

5 Cybersecurity takeaways from Meet the Money®
by
Bob Braun, Hotel Lawyer and Data Security Advisor

Meet the Money® changes with the times, and the 2016 conference showcased the first panel on Cybersecurity in the hospitality industry – “Who’s Knocking at Your Digital Door,” featuring Bob Braun, from JMBM’s Global Hospitality Group and Co-Chair of the Firm’s Cybersecurity and Privacy Group; Bob Justus, of Optiv Security; Brad Maryman, from Maryman & Associates; Christian Ryan, from MARSH; and Kevin Shamoun, from Zeamster.  Jeff Higley, of STR/HotelNewsNow.com moderated the panel.

The panelists, representing technical, legal, law enforcement, insurance and payment systems, identified key cybersecurity challenges for the hospitality industry. Five key takeaways were:

  • Compliance does not equal security. Each of the panelists agreed that while meeting legal and business requirements is essential, compliance does not necessarily achieve real cybersecurity; completing checkboxes on a task list or questionnaire is only a first step. The panelists noted that each of the major hotel breaches in the last year, which involved every major hotel chain, implicated point of service credit card systems that complied with industry standards. Hotels and hotel companies need to look beyond complying with standardized requirements and have to evaluate their own risk profile and apply meaningful security plans.
  • Informed response is better than instant response. Too many organizations make the mistake of reacting before they think, especially when reporting a breach. Data breaches can be complicated matters, and it is essential to understand the scope of the breach, the data and individuals involved, and how a firm can remediate the source of the problem before disclosure. There is no question that speed is important, but some breaches do not require notification, while acting without ascertaining the facts can require multiple notifications, which is damaging to reputation and sends the wrong message.
  • Credit cards are not the only risk. While much focus is placed on the theft of credit card numbers, hotels must consider other risks. Hotels and hotel companies hold massive amounts of sensitive personal information that can be used to steal a guest’s identity.  Moreover, hotels need to consider more than data; the interconnection of systems means that breaking into a financial structure can give a hacker access to door locks, heating and air conditioning systems, electrical, plumbing and other key structural and physical parts of the hotel.  What would happen if a hacker flooded a hotel, or opened the doors?  This damage can far exceed the damage from lost credit cards, and cause untold damage to the hotel, its brand and owners.


Published on:

11 January 2016

What part do hotel owners play in preventing a cyberattack and the resulting data breach? The hospitality industry relies on its reputation for confidence, and that confidence can be shattered when guests learn that their private information has been compromised. What can hotel owners do and how should they work with brands and management to prevent a cyberattack?

In the article below, my partner Bob Braun reminds hotel owners that because they are generally required to indemnify brands and managers for costs the managers and brands incur – which could include a costly data breach – it is in the owners’ best interests to have a comprehensive plan in place. This article first appeared in Hotel Business Review in December 2015, and is reprinted with permission from www.hotelexecutive.com.

Not Just Heads in Beds – Cybersecurity for Hotel Owners

by
Bob Braun, Hotel Lawyer and Data Security Advisor

The basics of the hotel business have traditionally been simple: good location, fair prices, appropriate amenities and good service were the keys to success. While those factors are important today, hotels are no longer simply a “heads in beds” business; hotels are increasingly brand-oriented. Brands focus not only on the services and products they sell, but on developing the perception and recognition of the brand associated with those goods and services. That means that hotels, like all brands, need to focus more and more on understanding their customers and how to reach them, whether through loyalty programs, advertising, social media or otherwise.

The upshot of the focus on branding in the hospitality business is that hotels gather lots of information about their guests, ranging from credit card data to addresses, phone numbers, travel plans and preferences, birthdays, and more – all of which are valuable not just to the hotel brands and operators, but to cyberthieves. While hotel companies have understood this for years, they are, along with other customer-intensive industries, learning that collecting that information comes with responsibilities and, possibly, liability.

Cybercrime is big business. In 2014, there were 42.8 million detected security incidents (and, most likely, many more that were never discovered). Estimates of the annual cost of cybercrime to the global economy range from $375 billion to as much as $575 billion as companies face increased vulnerability, ranging from greater technology available to cybercriminals and new types of cybercrime, like crypto-ransom. Cybercriminals began targeting hotels years ago. In 2010, a Forbes magazine article quoted Nicholas Percoco, who said that “The hospitality industry was the flavor of the year for cybercrime. These companies have a lot of data, there are easy ways in and the intrusions can take a very long time to detect.” The lesson for hotel owners is that they cannot stand idly by – hotel owners must be proactive by instituting best practices in their own operations, requiring the same from managers, and obtaining insurance coverage to fund the inevitable costs of a breach.

The Wyndham Case

The threat to the hospitality industry became particularly evident in the recent federal court case brought by the Federal Trade Commission (the FTC) against Wyndham Hotels. On August 24, 2015, the Third Circuit United States Court of Appeals issued its ruling in the case FTC v. Wyndham Worldwide Corporation. The case was highly anticipated by the data security community generally for its expected ruling on the authority of the Federal Trade Commission to regulate data security standards, but nowhere was the anticipation more keen than in the hospitality industry. After all, this decision didn’t deal with retailers, banks or dating sites – it addressed a major hotel player and, by implication, all operators, brands and owners in the industry. The decision should be a wake-up call to hotel owners because, as described below, hotel owners may ultimately bear the cost of data breaches involving their hotels. Owners should look at the Wyndham decision as an opportunity to consider whether their brands and managers have taken the steps necessary to protect guests and, ultimately, the hotel owner.


Published on:

03 November 2015

FCC takes two enforcement actions on Wi-Fi

On November 2, 2015, the FCC issued two separate news releases on Wi-Fi blocking. In one action, the FCC announced a $718,000 fine against M.C. Dean, one of the nation’s largest electrical contracting companies, for blocking personal mobile “hotspots” of convention visitors and exhibitors who tried to use their own data plans at the Baltimore Convention Center to connect to the Internet rather than paying M.C. Dean substantial fees to use the company’s Wi-Fi service.

FCC fines Wi-Fi hotspot provider M.C. Dean

According to the FCC, as the exclusive provider of Wi-Fi access at the Baltimore Convention Center, M.C. Dean charges exhibitors and visitors as much as $1,095 per event for Wi-Fi access. Last year, the Commission received a complaint from a company that provides equipment that enables users to establish hotspots at conventions and trade shows. The complainant alleged that M.C. Dean blocked hotspots its customers had tried to establish at the Baltimore Convention Center. After receiving the complaint, FCC Enforcement Bureau field agents visited the venue on multiple occasions and confirmed that Wi-Fi blocking activity was taking place.

The Enforcement Bureau’s investigation found that M.C. Dean engaged in Wi-Fi blocking at the Baltimore Convention Center on dozens of occasions in the last year. During the investigation, M.C. Dean revealed that it used the “Auto Block Mode” on its Wi-Fi system to block consumer-created Wi-Fi hotspots at the venue. The Wi-Fi system’s manual describes this mode as “shoot first, and ask questions later.” M.C. Dean’s Wi-Fi blocking activity also appears to have blocked Wi-Fi hotspots located outside of the venue, including passing vehicles. The Commission charged M.C. Dean with violating Section 333 of the Communications Act by maliciously interfering with or causing interference to lawful Wi-Fi hotspots.

FCC fines and warns Hilton

In a separate announcement, unrelated except as to the subject matter, the FCC proposed a $25,000 fine against Hilton Worldwide Holdings, Inc. for “apparent obstruction of an investigation into whether Hilton engaged in the blocking of consumers’ Wi-Fi devices”. A consumer complaint alleged that Hilton was blocking visitors’ Wi-Fi in Anaheim, California in order to force them to pay a $500 fee to access Hilton’s Wi-Fi. Other complaints alleged similar Wi-Fi blocking at other Hilton-brand properties.

Published on:

02 September 2015

Blocking Wi-Fi connections is “patently unlawful”

On August 18, 2015, the FCC announced a $750,000 civil penalty and formal Consent Decree with Smart City Holdings for blocking consumers’ personal Wi-Fi access at various convention centers, meeting centers and hotels around the United States. Smart City is an internet and telecommunications provider for such facilities, and had been blocking personal mobile “hotspots” being used by convention and meeting attendees.

Apparently referring to the $80 daily fee charged by Smart City for use of its Wi-Fi at the events, Travis LeBlanc, Chief of the FCC’s Enforcement Bureau said, “It is unacceptable for any company to charge consumers exorbitant fees to access the Internet while at the same time blocking them from using their own personal Wi-Fi hotspots to access the Internet.”

The FCC Enforcement Chief went on to say, “All companies who seek to use technologies that block FCC-approved Wi-Fi connections are on notice that such practices are patently unlawful.”

The FCC is focused on preventing Wi-Fi blocking

The FCC action in the Smart City case really emphasizes how serious the FCC is about stopping the practice of hotels and related facilities from blocking consumer hotspots in order to sell their own more expensive access to the internet.

Starting with the high-profile investigation and settlement with Marriott International last year, the FCC has taken the following steps:

Published on:

31 August 2015

Massive data breaches affect hotels and their legal responsibilities. As unauthorized hacking of confidential data explodes in volume and seriousness, minimum expected standards are evolving that hoteliers and others must follow. Interestingly, the latest guidelines are provided in an August 24, 2015 appellate court decision involving Wyndham Worldwide as if to emphasize that these rules (really) apply to the hotel industry. How did this case arise? What are some basic steps that everyone with confidential data is expected to take? What happens if they don’t?

In the article below, my partner Bob Braun explains the current situation and what it means to our industry.

FTC vs. Wyndham Worldwide – What it Means for Hotel Owners

by
Bob Braun, Hotel Lawyer and Data Security Advisor

Background on the case

On August 24, 2015, the Third Circuit United States Court of Appeals issued its ruling in the case FTC v. Wyndham Worldwide Corporation. The case was highly anticipated by the data security community generally for its expected ruling on the authority of the Federal Trade Commission to regulate data security standards, but nowhere was the anticipation more keen than in the hospitality industry. After all, this decision didn’t deal with retailers, banks or dating sites – it addressed a major hotel player and, by implication, all operators, brands and owners in the industry.

We know that cybercrime is big. In 2014, there were 42.8 million detected security incidents (and, most likely, many more that were never discovered). Estimates of the annual cost of cybercrime to the global economy range from $375 billion to as much as $575 billion as companies face increased vulnerability, ranging from greater technology available to cybercriminals and new types of cybercrime, like crypto-ransom.