Articles Posted in Data Technology, Privacy & Security

Published on:

28 July 2023

See how JMBM’s Global Hospitality Group® can help you.
Click here for the latest articles on Data Technology, Privacy & Security.

This month, the Securities and Exchange Commission (SEC) announced new rules requiring companies who experience a cybersecurity attack to publicly disclose the impact of the attack within four days. Hotel companies whose securities are registered with the SEC should take note of these regulations and develop a robust incident response plan.

Bob Braun, senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group, outlines the new regulations below.

Time is Short – Reporting your Data Breach
by Bob Braun, Hotel Lawyer

 

Over the past years, hotel companies – including brands, managers and owners – have increasingly sought the benefit of access to public markets and, in doing so, have become subject to the registration and disclosure requirements of the United States Securities Act and Securities Exchange Act. As a result, these companies need to comply with a broad variety of detailed regulations addressing their disclosure and reporting obligations. The Securities and Exchange Commission recently adopted regulations which will have an impact on publicly traded hotel companies that suffer a data breach.

Breach Notifications for the Past 20 Years. Ever since California became the first state to require companies to notify their customers of data breaches in 2003, the time between the date a breach was discovered and the time the breach was reported has been an issue of contention. Early reporting gives consumers a leg up in protecting their personal information, and lets investors, vendors and customers of companies know if key business information has been compromised. At the same time, companies want as much time as possible to investigate a breach, understand what happened, and provide accurate information – companies that give early notice often have to give multiple notices as more information becomes available, and may even find that the original notice wasn’t necessary. Regardless, lawsuits against companies that have suffered data breaches almost universally point to the gap in time between the discovery and notification of a breach.

Published on:

21 March 2023


Data privacy and security continue to be significant issues for hotel owners, operators, brands, and managers, representing the potential for both financial and reputational impacts. One important piece of the puzzle is which of the many entities involved in a hotel property is responsible for collecting, sharing, using and storing the personal data of guests and employees.  Bob Braun, senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group, gives an overview of current considerations.

 

 

Data Security and Privacy in Hospitality – Who’s Paying the Bill?
by Robert Braun, Co-Chair, JMBM Cybersecurity and Privacy Group;
Senior Member, JMBM Global Hospitality Group

 

One of the most valuable assets of a hotel brand is information – detailed personal information about guests at their hotels, participants in their loyalty programs, and visitors to their websites. This information allows hotel brands to focus on creating guest loyalty, acquiring potential guests, engaging in effective marketing, expanding market share, and creating properties and services that entice and satisfy hotel guests. Because of this, hotel brands have long contended that they “own” hotel guest data and have unencumbered rights to use it, without respect to the interests of hotel owners and even the guests themselves.

While this attitude may have been correct in the past, the world is changing. The EU’s General Data Protection Regulation, the California Consumer Protection Act, the California Privacy Rights Act, and similar laws throughout the United States and the world have turned this idea on its head. Anyone who collects personal data can do so only with the permission of the individual consumer; brands don’t own the personal information of guests, the guests do, and they are the ones who give the operator, brand or owner the right to collect and use it – and they can limit or revoke that right.

Published on:

25 October 2022


In addition to protecting the personal information of guests in compliance with the EU’s General Data Protection Regulation and California’s Consumer Privacy Act, hotel operators and owners need to extend the same protections and rights to their employees and the information collected from them. Bob Braun, a senior member of the Global Hospitality Group and Co-Chair of JMBM’s Cybersecurity & Privacy Group outlines hotel employer obligations in the article below, along with suggested next steps.

 

Hotels, Hotel Owners and Employee Personal Information
by Bob Braun, Hotel Lawyer

 

Hotel operators and owners have long been focused on the privacy of the personal information they collect from guests – because of the global nature of the hospitality business, hotel brands have focused on complying with the European Union’s General Data Protection Regulation (GDPR), and beginning in 2018, the Consumer Privacy Act (CCPA), the first comprehensive law designed to protect the privacy of consumers’ personal information. Businesses that are subject to the GDPR and the CCPA are required, among other things, to respond to consumers who wish to view the personal information collected by the business, delete personal information, and opt-out of the sale of personal information; these obligations expanded in 2020 when California voters approved the California Privacy Rights Act of 2020 (CPRA).

Employee and Business Personal Information

While the CCPA is aimed at protecting consumers’ personal information, the terms of the law extend to the personal information of employees and business contacts. The California legislature initially exempted employment information and “business to business” (B2B) personal information from many of the provisions of the CCPA until January 1, 2021, and the CPRA extended that exemption to January 1, 2023.

The Exemption and its Demise

While most observers believed that the California legislature would extend the exemptions of employee and B2B personal information, when the California Legislature adjourned on August 31, 2022, it did so without adopting an extension. As a result, it is a certainty that full consumer rights will apply to personal information obtained from employees or because of a B2B relationship.

Because hotel owners and operators are familiar with the requirements of the CCPA and the GDPR, the expiration of the exemption will be challenging. Owners and operators will need to adapt their policies to employee and B2B personal information. However, there are many hotel owners that have little or no contact with guests and have left compliance to hotel operators. These firms will be particularly impacted by the significant disclosure, policy and procedure issues that need to be addressed by the end of 2022.

This is especially the case for hotel owners that act as the employer of hotel personnel, but will extend to all hotel owners with employees, whether engaged at a hotel or not, since employers are obligated to collect vast amounts of personal information, including sensitive personal details (such as financial, health and intimate personal characteristics) to conduct business. These owners will need to address the information they collect, where it is held, who has access to it and how it is used. Moreover, hotel owners and operators will need to determine how consumer rights apply to employee and B2B personal information, and prepare to provide employees and B2B contacts with CCPA rights, including the right to know what personal information is collected, the right to delete personal information, the right to opt out of the sale or sharing of personal information, the right to limit use and disclosure of sensitive personal information, and the protection against retaliation following the exercise of opt-out or other rights.

Published on:

8 March 2022


The rules around data privacy and cybersecurity are constantly evolving. In order to protect themselves from liability, hotel owners should pay attention to ongoing legal developments and learn more about their own data infrastructure.

Bob Braun, senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group, explains why hotels need to understand exactly what data they hold, where it is stored and who has access to it.

Facing the Knowledge Gap: Why Hotels Need “Visibility” to Avoid Data Privacy Liability
by Bob Braun, Hotel Lawyer

Addressing privacy compliance and cybersecurity is becoming more and more challenging for companies. At least 26 states are considering various kinds of data privacy laws. At the same time, the rate, depth, and impact of ransomware, wiperware and data breaches have become more intense and more expensive, and there is no indication that the trend will end soon. Hotel companies, as holders of significant amounts of personal information and highly dependent on computer networks for daily operations, are particularly at risk in this environment.

A hotel company that seeks to comply with privacy mandates, and to prepare for and defend against a data breach, requires knowledge – it requires visibility.

What does that mean? To achieve visibility, a hotel brand, manager or owner needs to increase its knowledge of key elements of its data infrastructure:

See Your Network

Most hotel executives, other than chief technology officers and chief financial officers, have little knowledge of their network. But understanding what data is stored on the network, how the various parts of the network interact, and who has access to the network (and what kind) is essential to evaluating risks, complying with privacy laws, and preparing for and defending against attacks. This means knowing not only what is supposed to be on the network, but the “silent” nodes as well – things like unused servers and the devices that attach to the network, such as personal laptops, smart phones and tablets. As hotels become increasingly automated – by relying on smartphones to substitute for keys and allowing touchless registration – being able to see the full scope of the network is challenging but essential.

Published on:

29 December 2021


As hotels find new ways to use technology to attract guests and enhance their properties, they need to remain aware of the security challenges these technologies present.

Bob Braun, senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group, explains three basic issues for 2022 that all hotel owners need to be aware of to ensure their business and guest information remains secure.

Security Challenges in the Hotel Industry
by Bob Braun, Hotel Lawyer

Like virtually all industries, the hotel industry continues to be challenged by cybersecurity concerns. As we approach 2022, hotel owners and operators need to address some basic issues that impact the security of their systems and their guests.

  • Wi-Fi. Providing wireless internet to guests has become a “must-do” for hotels – it’s not too much of an overstatement to say that a potential guest won’t stay at a hotel that doesn’t provide free Wi-Fi. But hotel Wi-Fi systems, particularly those in public areas, have long been a soft underbelly of cybersecurity. In the past 10 days, TechCrunch+ reported that “an internet gateway used by hundreds of hotels to offer and manage their guest Wi-Fi networks has vulnerabilities that could put the personal information of their guests at risk.” The system uses hardcoded passwords that are easy to guess and allow an attacker to gain remote access to the gateway’s settings and databases; the attacker can then use that access to read and exfiltrate guest records, or reconfigure the gateway’s networking settings to redirect unwitting guests to malicious webpages.


Published on:

10 November 2020


On November 3rd, Californians voted to approve Proposition 24 which amends the California Consumer Privacy Act to include expanded consumer rights and greater privacy protections.

The California Privacy Rights and Enforcement Act – which also establishes an enforcement agency to guarantee strict compliance – places additional obligations on businesses to ensure that consumer data is transparent and secure. Given the scope of the Act and the short timeframe for compliance, hotels should immediately start looking at their data profiles and security to avoid running afoul of the new rules.

Bob Braun, senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group, explains the major provisions of the Act and discusses the challenges hotels face as they look to address its requirements.

New Challenges for Hotels:
The New California Privacy Rights and Enforcement Act of 2020
by Bob Braun, Hotel Lawyer

Many races and initiatives that California voters considered on November 3 are still undecided, but Proposition 24, the California Privacy Rights Act of 2020 (the “CPRA”) isn’t one of them.  The California electorate approved Proposition 24 by a comfortable margin – 56% of Californians voted in favor.

Like its predecessor the California Consumer Privacy Act of 2018 (the “CCPA”), the impact of the CPRA won’t be felt immediately.  It goes into effect on January 1, 2023, and many of its provisions are unclear and will require study.  But hotel companies with a presence in California will need to consider its requirements, and given the scope of the law, addressing its requirements early will be essential.

New Sheriff in Town

Perhaps the most significant development in the CPRA is the establishment of a new agency, the California Privacy Protection Agency, dedicated to handling enforcement and compliance with privacy regulations.  This makes California the first state with an agency focused solely on enforcing privacy laws.  This new agency will replace the California Attorney General in interpreting and enforcing the CCPA.  The ultimate impact of the agency will develop as its members are selected and interpret its mandate, but it is clear from the CPRA that it has broad authority to bring civil and criminal actions.

Select Key Provisions

The CPRA is an extension and modification of the CCPA.  It adds a number of new definitions and provisions that, in some cases, extend the scope of the CCPA and, in other cases, clarify the requirements of the CCPA.  The result is that hotel companies that already comply with the CCPA will need to revisit their policies and procedures to ensure compliance with the CPRA, and any firms that have not yet considered CCPA compliance have a steep learning curve.  Key provisions include:

Published on:

01 July 2020


Meet the Money® Online: Hotels and Information Security
Protecting Guests and the Bottom Line

Last week, speakers from Manhattan Hospitality Advisors, Tiered Communication Services Inc. and Willis Towers Watson joined Bob Braun of JMBM’s Global Hospitality Group® for the second in a series of Meet the Money Online webinars.

If you missed “Hotels & Information Security – Protecting Guests and the Bottom Line,” you can watch the full webinar here.

You can also find the presentations made by our expert panelists on the Resource Center page:

Where Technology and Security Meet in Hotels

Jonathan Adam, co-founder and Chief Technology Officer, Tiered Communication Services, Inc., covers the primary elements required for information security, and how a secure hotel network should be designed. Meet the Money® Online June 2020.

Best Practices and Imperatives for Information Security

Bob Braun, co-chair of JMBM’s Cybersecurity and Privacy Group, and senior member of JMBM’s Global Hospitality Group® discusses why information security is so difficult to achieve, the importance of documentation, and why verifying third parties is critical. Meet the Money® Online June 2020.

Cyber Security – A Must in Today’s Viral World

Jack Westergom, Managing Director and Founder of Manhattan Hospitality Advisors explains why hotels are frequent targets of cyber crime, areas in which hotels can be proactive, and why you shouldn’t count on your brand for protection. Meet the Money® Online June 2020.

Cyber Insurance in the Hospitality Industry

Heather Wilkinson, SVP, FINEX E&O/Cyber, Willis Towers Watson, discusses why hotels need to determine their specific exposure, the importance of understanding what your cyber insurance actually covers, and the 5 main cyber threats that hotels are facing today. Meet the Money® Online June 2020.

 

While we weren’t able to gather in person for the 30th year of Meet the Money®, the national hotel investment and finance conference, we are continuing to provide the industry with research analysis and insight through Meet the Money Online. Join us on July 8, 2020 for the next in this series of informative webinars, the CMBS Special Servicing FAQs Virtual Roundtable.

Published on:

22 June 2020


Meet the Money® Online: Hotels and Information Security
Protecting Guests and the Bottom Line

Speakers from Manhattan Hospitality Advisors, Tiered Communication Services Inc. and Willis Towers Watson will join Bob Braun of JMBM’s Global Hospitality Group® for this informative online program.

Please join us this week, on Thursday, June 25, 2020, when Meet the Money® Online addresses an issue of critical importance to the hospitality industry: information security.

As privacy laws demand companies do more to protect customer and employee data – and cyber hackers become more sophisticated – making sure your hotel’s information is secure has never been more important.

This free webinar will take place on Thursday, June 25 at 10:30 AM PDT / 1:30 PM EDT. Register Now.

Join our panel of cybersecurity experts and hospitality veterans for a 1-hour webinar to discuss:

  • What personal information hotels collect and how they use it
  • The role of hotel owners, operators and brands in guest information
  • Technology aspects of information collection, use and protection
  • Insurance issues – how to mitigate risk and cost using insurance
  • Legal obligations and compliance

This discussion will be moderated by Robert E. Braun, partner and co-chair of the Cybersecurity and Privacy Group at Jeffer Mangels Butler & Mitchell LLP who works with companies on their data technology, privacy and security matters. Bob is also a senior member of JMBM’s Global Hospitality Group® and has more than 20 years of experience in representing hotel owners and developers in hotel management and franchise agreements, condo hotel securities issues and many transactional matters, including entity formation, financing, and joint ventures.

Our speakers include:

  • Jonathan Adam, Co-Founder and Chief Technology Officer, Tiered Communication Services, Inc. Jonathan Adam is a founding member and CTO of Tiered Communication Services, Inc. With 17 years of hotel experience, he pairs high end development projects with extremely secure advanced technology systems for an unsurpassed guest user experience, driving amazing rates of return to owners. He holds multiple technology patents, and co-founded the ySuite Incubator in Austin and PracTECHal Solutions headquartered in Las Vegas. The ySuite team owns and operates multiple hotels in the Austin area, and utilizing the TCS technology infrastructure, they generate significant amounts of high margin add-on revenue through new hospitality revenue channels.
  • Jack Westergom, Managing Director and Founder, Manhattan Hospitality Advisors. Jack Westergom is Managing Director and Founder of Manhattan Hospitality Advisors. Jack is a veteran hotelier whose background includes asset management, hotel/resort operations, international marketing, investment relations and real estate development including many of the top 25 hotels and resorts in the world. Manhattan Hospitality Advisors has provided oversight on over $18 billion of hospitality assets around the world and has helped hotels to successfully navigate through four real estate downturns.
  • Heather Wilkinson, SVP, FINEX E&O/Cyber, Willis Towers Watson. Heather Wilkinson is SVP in the FINEX Cyber & E&O practice for Willis Towers Watson with over fourteen years of experience in the cyber insurance industry. Heather is a founding member of the Willis Towers Watson E&O and Cyber Broker Team; she joined the organization in 2006 and has been instrumental in placing some of the largest towers of E&O and Cyber insurance placements in the world. She is uniquely qualified to handle Cyber and Professional Liability issues and placements and is based in Los Angeles.

There is no fee for this program.


Published on:

10 January 2020


Hotel data breaches can have significant financial and reputational impacts on a brand, as evidenced by Marriott’s $123 million GDPR fine. In the article below, Bob Braun, senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group, outlines the critical importance of data security for the hospitality industry.

— Jim

Hotel Managers and Owners Be Warned – You are Responsible for Your Hotel’s Data Security
by Bob Braun, Cybersecurity Lawyer

The FTC Speaks

On January 6, 2020, the Director of the FTC’s Consumer Protection Bureau published a blog post with changes to the FTC’s approach to its orders and settlements of data breach enforcement actions.  One of the key elements of the report was a revision to the FTC’s routine enforcement practice to ensure that its remedial data security orders include greater specificity about compliance expectations for companies subject to enforcement action and for third-party assessors engaged to conduct FTC-mandated monitoring and audits of targeted companies’ data security practices.

Beyond greater detail guiding data security requirements, the blog post highlights that a core element of the FTC’s model for remedial orders is that senior management, on at least an annual basis, present the company’s written information security program to the board or other governing body for oversight and review, and that management certify to the FTC that the company has complied with data security obligations.

The Growing Role of Managers and Boards in Data Security

The decision by the FTC reflects a growing consensus about the roles and responsibilities of management and boards for the adequacy of enterprise programs to identify, evaluate, and manage data and information security risks.  While this is not the first time boards of directors have been held accountable for the security practices of the companies they represent, it shows that this obligation has become mainstream and should be noted by all companies, whether they

The FTC’s endorsement of data security-related corporate governance approaches, safeguards, and third-party monitoring methods is likely to impact enforcement expectations of other regulators, whether state, federal or local, responsible for administering data security compliance and breach notification regulations.


Published on:

02 January 2020


My partner, Bob Braun, senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group, has written extensively about the California Consumer Privacy Act that became effective January 1, 2010.  In his excellent article below, he describes how the CCPA will impact the hotel industry.

— Jim

CCPA: Loyalty Programs, Data Retention and the Brave New World of Privacy

by Robert E. Braun

This article first appeared in the Hotel Business Review and is reprinted with permission from www.HotelExecutive.com.

The California Consumer Privacy Act (the “CCPA” or the “Act”) is a piece of consumer privacy legislation which was signed by California Governor Jerry Brown on June 28, 2018, and goes into effect on January 1, 2020. The Act is, far and away, the strongest privacy legislation enacted in the United States at the moment (although there are a number of contenders for that honor), giving more power to consumers to control the collection and use of their private data, and is poised to have far-reaching effects on data privacy.

What is the CCPA?

It is estimated that more than 500,000 companies are directly subject to the CCPA, many of them smaller and mid-size businesses, for which the detailed requirements of the Act – disclosure and notice procedures, opt-out rights, updating privacy policies, and revising vendor agreements – are daunting. As discussed below, many hotels and hotel companies will be directly impacted by the Act, either because they qualify as a “business” as defined in the CCPA, or because they are associated with companies – brands and management companies – that are subject to the Act. Hotel owners, managers and brands that have not grappled with the requirements of the CCPA need to move quickly to do so, or risk potential liability under the penalty provisions of the Act.

Where did the Act Come From?

In early 2018, Alastair Mactaggart, a California real estate developer, led an effort to include a new privacy law – the Consumer Right to Privacy Act of 2018 – on the November 2018 California ballot. By June 2018, supporters of the initiative had gathered enough signatures to earn a place on the November ballot. In response, California legislators, working with California businesses and other interest groups, negotiated and passed a substitute bill – the CCPA – in exchange for an agreement to drop the more restrictive text in the Consumer Right to Privacy Act from the November ballot.

The Act is aggressive, and cites the March 2018 disclosure of the misuse of personal data by Cambridge Analytica, as well as the congressional hearings that followed, which highlighted the fact that any personal information shared on the internet can be subject to considerable misuse and theft. This prompted the California legislature to move rapidly to protect Californians’ right to privacy by giving consumers much more control of their personal information.
