Articles Posted in Data Technology, Privacy & Security

Published on:

10 January 2020

See how JMBM’s Global Hospitality Group® can help you.

Click here for the latest articles on Data Technology, Privacy & Security.

 

Hotel data breaches can have significant financial and reputational impacts on a brand, as evidenced by Marriott’s $123 million GDPR fine. In the article below, Bob Braun, senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group, outlines the critical importance of data security for the hospitality industry.

— Jim
Hotel Managers and Owners Be Warned – You are Responsible for Your Hotel’s Data Security
by
Bob Braun, Cybersecurity Lawyer

The FTC Speaks

On January 6, 2020, the Director of the FTC’s Consumer Protection Bureau published a blog post with changes to the FTC’s approach to its orders and settlements of data breach enforcement actions.  One of the key elements of the report was a revision to the FTC’s routine enforcement practice to ensure that its remedial data security orders include greater specificity about compliance expectations for companies subject to enforcement action and for third-party assessors engaged to conduct FTC-mandated monitoring and audits of targeted companies’ data security practices.

Beyond greater detail guiding data security requirements, the blog post highlights that a core element of the FTC’s model for remedial orders is that senior management, on at least an annual basis, present the company’s written information security program to the board or other governing body for oversight and review, and that management certify to the FTC that the company has complied with data security obligations.

The Growing Role of Managers and Boards in Data Security

The decision by the FTC reflects a growing consensus about the roles and responsibilities of management and boards for the adequacy of enterprise programs to identify, evaluate, and manage data and information security risks.  While this is not the first time boards of directors have been held accountable for the security practices of the companies they represent, it shows that this obligation has become mainstream and should be noted by all companies, whether they

The FTC’s endorsement of data security-related corporate governance approaches, safeguards, and third-party monitoring methods is likely to impact enforcement expectations of other regulators, whether state, federal or local, responsible for administering data security compliance and breach notification regulations.

CONTINUE READING →

Published on:

02 January 2020

Click here for the latest articles on Data Technology, Privacy & Security.

 

My partner, Bob Braun, senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group, has written extensively about the California Consumer Privacy Act that became effective January 1, 2010.  In his excellent article below, he describes how the CCPA will impact the hotel industry.

— Jim

CCPA: Loyalty Programs, Data Retention and the Brave New World of Privacy

by Robert E. Braun

This article first appeared in the Hotel Business Review and is reprinted with permission from www.HotelExecutive.com.

The California Consumer Privacy Act (the “CCPA” or the “Act”) is a piece of consumer privacy legislation which was signed by California Governor Jerry Brown on June 28, 2018, and goes into effect on January 1, 2020. The Act is, far and away, the strongest privacy legislation enacted in the United States at the moment (although there are a number of contenders for that honor), giving more power to consumers to control the collection and use of their private data, and is poised to have far-reaching effects on data privacy.

What is the CCPA?

It is estimated that more than 500,000 companies are directly subject to the CCPA, many of them smaller and mid-size business, where the detailed requirements of the Act – disclosure and notice procedures, opt-out rights, updating privacy policies, and revising vendor agreements – is daunting. As discussed below, many hotels and hotel companies will be directly impacted by the Act, either because their qualify as a “business” as defined in the CCPA, or because they are associated with companies – brands and management companies – that are subject to the Act. Hotel owners, managers and brands that have not grappled with the requirements of the CCPA need to move quickly to do so, or risk potential liability under the penalty provisions of the Act.

Where did the Act Come From?

In early 2018, Alistair McTaggart, a California real estate developer, led an effort to include a new privacy law – the Consumer Right to Privacy Act of 2018 – on the November 2018 California ballot. By June 2018, supporters of the initiative had gathered enough signatures to earn a place on the November ballot. In response, California legislators, working with California businesses and other interest groups, negotiated and passed a substitute bill – the CCPA – in exchange for an agreement to drop the more restrictive text in the Consumer Right to Privacy Act from the November ballot.

The Act is aggressive, and cites the March 2018 disclosure of the misuse of personal data by Cambridge Analytica, as well as the congressional hearings that followed which highlighted the fact that any personal information shared on the internet can be subject to considerable misuse and theft. This prompted the California legislature to move rapidly to protect Californians’ right to privacy by giving consumers much more control of their personal information. CONTINUE READING →

Published on:

07 August 2019

Click here for the latest articles on Data Technology, Privacy & Security.

Many hotels operate internationally and are frequently subject to the European Union’s 2018 General Data Protection Regulation. The financial consequences of a breach can be significant, as recent fines imposed on Marriott International demonstrate.

Bob Braun, senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group, explores the impact of last year’s breach on the hotel brand below.
Marriott’s GDPR Fine – Lessons to be Learned
by
Bob Braun, Cybersecurity Lawyer

On August 5, 2019, Marriott International announced that it had taken a $126 million charge in the second quarter, primarily as a result of the data breach it announced in 2018. Coincidentally, on July 9, 2019, The United Kingdom’s Information Commissioner’s Office (ICO), which enforces the General Data Protection Regulation in the UK, announced that it intends to impose a fine of £99,200,396 ($123,705,870) on Marriott for last year’s data breach. CONTINUE READING →

Published on:

15 February 2019

$87 billion in hotel transactions involving more than 3,900 properties
LOS ANGELES—The hotel lawyers of JMBM’s Global Hospitality Group® are pleased to present their updated Hospitality Credentials, which include clients and projects that represent more than $87 billion in hotel transaction experience involving more than 3,900 properties worldwide – more than any other law firm.

“If you are a hotel owner, developer, or capital provider, our hospitality lawyers can provide expertise and experience you just won’t find elsewhere,” said Jim Butler, Chairman of JMBM’s Global Hospitality Group. “Whether you are buying or selling a hotel, developing a new one, need a privacy and cybersecurity plan, or defend an ADA lawsuit – we have lawyers who know the ropes, and can guide you every step of the way.”

JMBM’s Global Hospitality Group provides a full range of services to the hospitality industry including:

  • ADA compliance & defense
  • Cannabis
  • Celebrity chef agreements
  • Construction
  • Corporate governance
  • Cybersecurity
  • Data privacy
  • Development
  • Equity & joint ventures
  • Expert witness
  • Fiduciary duty
  • Financing
  • Foreign investment
  • Franchise & licensing
  • Hotel-specific contracts
  • Labor & employment
  • Land use & environmental
  • Leasing
  • Litigation
  • Management agreements
  • Mergers & Acquisitions
  • Opportunity Zone
  • Proposition 65
  • Purchase & sale
  • Shareholder disputes
  • Tax
  • Trademark & copyright
  • Trusts and estates
  • Union negotiations
  • Union prevention
  • Vacation ownership
  • Workouts, bankruptcies & receiverships
“Exceeding $87 billion in hotel transactions involving 3,900 properties is a new milestone, and one I am proud to announce,” said Butler. “I am grateful to all of our wonderful hospitality clients who have shown us their trust and confidence over the years and continue to provide us with challenging and meaningful work.”

About JMBM’s Global Hospitality Group
JMBM’s Global Hospitality Group is the premier hospitality practice in a full-service law firm and the most experienced legal and advisory team in the industry. The Group publishes the Hotel Law Blog and hosts the annual Meet the Money® National Hotel Finance & Investment Conference (May 6-9, 2019 in Los Angeles). For more information visit www.HotelLawyer.com.

Contact:

Jim Butler
jbutler@jmbm.com
+1 310-201-3526

Published on:

30 November 2018

Click here for the latest articles on Data Technology, Privacy & Security.

Data breaches are back in the news, and this time, it’s a well-known hotel industry player: Marriott International. The company announced today that unauthorized access to their systems going back several years has exposed the names and other personal details of over 500 million guests. For hoteliers, this situation can be avoided by using the Global Hospitality Group® Risk Assessment Audit™, a comprehensive tool that combines your internal resources with our expertise in analyzing your risk profile, both for compliance purposes and to create effective data security strategies.

Bob Braun, senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group, sums up what Marriott is facing and what lessons other hotels can learn from this incident, below.
Not a Good Day for Marriott
by
Bob Braun

It’s unlikely that anyone in the hospitality industry – perhaps anyone who watches the news – hasn’t heard about the data breach at Marriott. Marriott’s pre-eminent position in the hotel industry, and the very size of the breach, with an estimated 500 million individuals impacted (putting it second behind the Yahoo breach) make this noteworthy.

What Happened?
While some of the information is available, most of the details have yet to be filled in. However, there are some key takeaways that every hotel owner, operator and brand should consider: CONTINUE READING →

Published on:

31 August 2018

Click here for the latest articles on Data Technology, Privacy & Security

Despite a general effective date of January 1, 2020, there are 5 steps that anyone doing business in California should take now to avoid problems under the California Consumer Privacy Act of 2018 (the Act) when it becomes effective. As a follow up to his original article explaining the important provisions of the Act, my partner Bob Braun provides us an important update on recent regulatory activity concerning the Act and provides practical guidance on what needs to be done now.

To read Bob’s original article about the Act, click California Adopts the California Consumer Privacy Act of 2018.
Update: California Consumer Privacy Act of 2018
5 steps to take NOW to avoid trouble
by
Bob Braun

Recent regulatory developments

Late last week, the California legislature published proposed technical amendments to the California Consumer Privacy Act of 2018. These amendments reflect almost two months of lobbying by both consumer and industry groups. In addition, the FTC has received a number of complaints that the Act, along with other proposed state actions, would create confusion in an already-fragmented approach to privacy and security in the United States.

5 steps to take now

While the changes in the Act and attacks on the Act continue to create uncertainty, businesses need to consider immediate steps to avoid the significant penalties for non-compliance. Businesses must be in full compliance on the effective date of January 1, 2020. It will not be adequate to start compliance efforts on that date.

In particular, there are 5 steps that businesses need to take to ensure compliance by the effective date: CONTINUE READING →

Published on:

02 July 2018

Editor’s Note: See article update: Take 5 steps NOW to avoid trouble with California’s new privacy act.
Click here for the latest articles on Data Technology, Privacy & Security


Privacy legislation is dominating the news cycle these days–and it’s unlikely to slow down. Now, as U.S. companies are adjusting to the requirements of the European Union’s General Data Protection Regulation, the State of California has introduced new laws that will apply to California companies or companies doing business in California. Senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group Bob Braun discusses the implications of the new legislation and how it will impact hotels, below.
California Adopts the California Consumer Privacy Act of 2018
by
Bob Braun

On June 28, 2018, just more than a month after the EU’s General Data Protection Regulation (GDPR) went into effect, imposing broad obligations and restrictions on any entity collecting personal information of EU citizens and residents, the California legislature has passed AB 375, and the governor has signed, the California Consumer Privacy Act of 2018, providing many of the same protections and sure to upend privacy regulation in the United States. The Act was passed by the State Assembly and signed into law by Governor Jerry Brown on June 28, 2018.

Hotel companies have been grappling with the impact of the GDPR on their operations, and analyzing whether they need to adopt policies and procedures, appoint data privacy officers and register with a Data Privacy Agency as required under the GDPR. Since a privacy rule that impacts California effectively becomes a national standard, this new Act means that hotel companies will need to consider many of those issues, regardless of their foreign operations.

The Act goes into effect on January 1, 2020, and while it has broad implications that will become more apparent over time, there are some key initial takeaways. CONTINUE READING →

Published on:

25 May 2018

Click here for the latest articles on Data Technology, Privacy & Security.

The European Union’s General Data Privacy Regulation, rules protecting the privacy of personal information, has gone into effect and impacts every company that does business in the EU. This will impact hotel owners, developers, brands, operators and managers–any company with a hotel property in the EU or that collects information from EU citizens must adhere to the new regulations.

What does that mean for your business, and where should you start the process of compliance? Senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group Bob Braun summarizes the issues, below.
Why should I Care About GDPR?
by
Bob Braun

The importance of May 25, 2018. If you are reading this, you have probably been inundated with emails from companies announcing that they have adopted new and better privacy and security policies and procedures. This isn’t a coincidence – as of May 25, 2018, the EU’s General Data Privacy Regulation (GDPR), requires every organization that does business in the EU, or that collects information from EU citizens, to guarantee the privacy and accuracy of personal information. While the purpose of the GDPR is to strengthen and unify data protection for all individuals within the EU, its effect is worldwide; every organization that does business in the European Union or collects personal information from individuals in the European Union is subject to this regulation. CONTINUE READING →

Published on:

22 January 2018

Click here for the latest articles on Data Technology, Privacy & Security.

Protecting guests’ information (and employees’ information) from hackers is one of the biggest business challenges faced by hotel owners today. Data breaches can result in loss of reputation and loss of revenue, and can trigger costly lawsuits and government investigations.

In his earlier article, Not Just Heads in Beds – Cybersecurity for Hotel Owners, my partner Robert Braun reminds hotel owners that they are generally required to indemnify brands and managers for costs incurred, which could include the cost of a data breach. Now, in his article below, he discusses why hotel data breaches are prevalent and what owners need to do to create a secure data environment for the properties they own.
Cyberattacks on Hotels — What Should Hotel Owners and Operators Do?
by
Robert E. Braun, Hotel Lawyer

This article was originally published by Hotel Business Review and is reprinted with permission from www.hotelexecutive.com.

Almost as soon as there were data breaches, hotels became a prime target of hackers, and the hospitality industry has consistently been one of the most commonly targeted businesses. Since 2010, hotel properties ranging from major multinational corporations to single location hotels have been impacted.

The recent report that Hyatt Hotels was a victim for the second time in as many years has raised more concerns about the industry’s ability to address cybersecurity. While consumers are so used to receiving breach notices that “breach fatigue” has set in, the second successful attack on Hyatt is sure to raise the eyebrows of regulators, plaintiffs’ lawyers, and guests. The data breach will affect the loyalty, trust and consumer perception of all Hyatt Hotels guests. So how can hotels prove to guests that they are safe and trustworthy?

“While the company claims that it has implemented additional security measures to strengthen the security of its systems, no explanation was given as to why these additional measures were not implemented after the first attack,” said Robert Cattanach of Dorsey & Whitney. “Estimates of actual harm have yet to be provided, which is typically the weak spot of any attempted class action, but the liability exposure seems problematic regardless.”

Hyatt is in no way alone. On November 2, 2017, the BBC reported that Hilton was fined $700,000 for “mishandling” two data breaches in 2014 and 2015. The attorneys general of New York and Vermont said Hilton took too long to inform their guests about the breaches and the hotels “lacked adequate security measures.” Hilton discovered the first of the two breaches in February 2015 and the second in July 2015, according to the article, but the company only went public with the breaches in November 2015. The company has said there is no evidence any of the data accessed was stolen, but the attorneys general said the tools used in the data breaches made it impossible to determine what was done.   Read More

 

Bob BraunBob Braun is a Senior Member of JMBM’s Global Hospitality Group® and is Co-Chair of the Firm’s Cybersecurity & Privacy Group. Bob has more than 20 years experience in representing hotel owners and developers in their contracts, relationships and disputes with hotel managers, licensors, franchisors and brands, and has negotiated hundreds of hotel management and franchise agreements. His practice includes experience with virtually every significant hotel brand and manager.

Bob also advises clients on condo hotel securities issues and many transactional matters, including entity formation, financing, and joint ventures, and works with companies on their data technology, privacy and security matters. These include software licensing, cloud computing, e-commerce, data processing and outsourcing agreements for the hospitality industry.

In addition, Bob is a frequent lecturer as an expert in technology, privacy and data security issues, and is one of only two attorneys in the 2015 listing of SuperLawyers to be recognized for expertise in Information Technology. Bob is on the Advisory Board of the Information Systems Security Association, Los Angeles chapter, and a member of the International Association of Privacy Professionals. Contact Bob Braun at 310.785.5331 or rbraun@jmbm.com.


This is Jim Butler, author of www.HotelLawBlog.com and hotel lawyer, signing off. Please contact us if you would like to discuss any issues or development that affect your hotel interests. We would like to see if our experience might help you create value or avoid unnecessary pitfalls. Who’s your hotel lawyer?


Picture of Jim ButlerJim Butler is a founding partner of JMBM and JMBM’s Global Hospitality Group® which provides business and legal advice to hotel owners, developers and investors. This advice covers hotel purchase, sale, development, financing, franchise, management, labor & employment, litigation, ADA, IP, EB-5 matters any many other areas.

Jim is recognized as one of the top hotel lawyers in the world and has led the Global Hospitality Group® in more than $125 billion of hotel transactions and more than 4,700 hotel properties located around the globe.

Jim’s group has advised on more than 100 EB-5 projects, closed more than $1.5 billion of EB-5 financing, and sourced more than half of that for our clients.

Contact Jim at +1-310.201-3526 or JButler@jmbm.com

Published on:

  25 October 2017
Click here for the latest articles on Data Technology, Privacy & Security

Cybersecurity breaches and risk management continue to be a concern for businesses of all sizes and types. A recent warning distributed by the U.S. Department of Homeland Security and the FBI regarding targeted hacks in several critical industries is an illustration that anyone can be vulnerable such tactics, including the hospitality industry. My partner Bob Braun, senior member of JMBM’s Global Hospitality Group® and co-chair of JMBM’s Cybersecurity and Privacy Group, summarizes the recent report and its conclusions below.

Homeland Security Warns Against
Threats to US Infrastructure
by
Robert E. Braun



The Department of Homeland Security and Federal Bureau of Investigation distributed an email warning late on Friday, October 20, 2017, that the nuclear, energy, aviation, water and critical manufacturing industries have been targeted along with government entities in attacks dating back to at least May. In particular, the agencies reported that hackers had compromised some targeted networks, but did not identify specific victims or provide other details.

While the report focused on threats to nuclear and conventional power, water, and other infrastructure, the very fact that the DHS and the FBI chose to make a public statement highlights how important the issue is to all industries, and the concern that an attack on infrastructure could have a devastating impact on all aspects of the American economy.

The report noted that, as in many malware attacks, hackers seek to compromise networks with “spear phishing” – emails tailored to reach specific individuals – with malicious attachments and tainted websites with a goal of obtaining credentials that allow the hackers to access computer networks. CONTINUE READING →

Contact Information