Archives

Published on:

31 August 2018

Click here for the latest articles on Data Technology, Privacy & Security

Despite a general effective date of January 1, 2020, there are 5 steps that anyone doing business in California should take now to avoid problems under the California Consumer Privacy Act of 2018 (the Act) when it becomes effective. As a follow up to his original article explaining the important provisions of the Act, my partner Bob Braun provides us an important update on recent regulatory activity concerning the Act and provides practical guidance on what needs to be done now.

To read Bob’s original article about the Act, click California Adopts the California Consumer Privacy Act of 2018.

Update: California Consumer Privacy Act of 2018
5 steps to take NOW to avoid trouble
by
Bob Braun

Recent regulatory developments

Late last week, the California legislature published proposed technical amendments to the California Consumer Privacy Act of 2018. These amendments reflect almost two months of lobbying by both consumer and industry groups. In addition, the FTC has received a number of complaints that the Act, along with other proposed state actions, would create confusion in an already-fragmented approach to privacy and security in the United States.

5 steps to take now

While the changes in the Act and attacks on the Act continue to create uncertainty, businesses need to consider immediate steps to avoid the significant penalties for non-compliance. Businesses must be in full compliance on the effective date of January 1, 2020. It will not be adequate to start compliance efforts on that date.

In particular, there are 5 steps that businesses need to take to ensure compliance by the effective date: CONTINUE READING →

Published on:

02 July 2018

Editor’s Note: See article update: Take 5 steps NOW to avoid trouble with California’s new privacy act.
Click here for the latest articles on Data Technology, Privacy & Security


Privacy legislation is dominating the news cycle these days–and it’s unlikely to slow down. Now, as U.S. companies are adjusting to the requirements of the European Union’s General Data Protection Regulation, the State of California has introduced new laws that will apply to California companies or companies doing business in California. Senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group Bob Braun discusses the implications of the new legislation and how it will impact hotels, below.

California Adopts the California Consumer Privacy Act of 2018
by
Bob Braun

On June 28, 2018, just more than a month after the EU’s General Data Protection Regulation (GDPR) went into effect, imposing broad obligations and restrictions on any entity collecting personal information of EU citizens and residents, the California legislature has passed AB 375, and the governor has signed, the California Consumer Privacy Act of 2018, providing many of the same protections and sure to upend privacy regulation in the United States. The Act was passed by the State Assembly and signed into law by Governor Jerry Brown on June 28, 2018.

Hotel companies have been grappling with the impact of the GDPR on their operations, and analyzing whether they need to adopt policies and procedures, appoint data privacy officers and register with a Data Privacy Agency as required under the GDPR. Since a privacy rule that impacts California effectively becomes a national standard, this new Act means that hotel companies will need to consider many of those issues, regardless of their foreign operations.

The Act goes into effect on January 1, 2020, and while it has broad implications that will become more apparent over time, there are some key initial takeaways. CONTINUE READING →

Published on:

25 May 2018

The European Union’s General Data Privacy Regulation, rules protecting the privacy of personal information, has gone into effect and impacts every company that does business in the EU. This will impact hotel owners, developers, brands, operators and managers–any company with a hotel property in the EU or that collects information from EU citizens must adhere to the new regulations.

What does that mean for your business, and where should you start the process of compliance? Senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group Bob Braun summarizes the issues, below.

Why should I Care About GDPR?
by
Bob Braun

The importance of May 25, 2018. If you are reading this, you have probably been inundated with emails from companies announcing that they have adopted new and better privacy and security policies and procedures. This isn’t a coincidence – as of May 25, 2018, the EU’s General Data Privacy Regulation (GDPR), requires every organization that does business in the EU, or that collects information from EU citizens, to guarantee the privacy and accuracy of personal information. While the purpose of the GDPR is to strengthen and unify data protection for all individuals within the EU, its effect is worldwide; every organization that does business in the European Union or collects personal information from individuals in the European Union is subject to this regulation. CONTINUE READING →

Published on:

 
25 October 2017
Click here for the latest articles on Data Technology, Privacy & Security

Cybersecurity breaches and risk management continue to be a concern for businesses of all sizes and types. A recent warning distributed by the U.S. Department of Homeland Security and the FBI regarding targeted hacks in several critical industries is an illustration that anyone can be vulnerable such tactics, including the hospitality industry. My partner Bob Braun, senior member of JMBM’s Global Hospitality Group® and co-chair of JMBM’s Cybersecurity and Privacy Group, summarizes the recent report and its conclusions below.

Homeland Security Warns Against
Threats to US Infrastructure
by
Robert E. Braun

The Department of Homeland Security and Federal Bureau of Investigation distributed an email warning late on Friday, October 20, 2017, that the nuclear, energy, aviation, water and critical manufacturing industries have been targeted along with government entities in attacks dating back to at least May. In particular, the agencies reported that hackers had compromised some targeted networks, but did not identify specific victims or provide other details.

While the report focused on threats to nuclear and conventional power, water, and other infrastructure, the very fact that the DHS and the FBI chose to make a public statement highlights how important the issue is to all industries, and the concern that an attack on infrastructure could have a devastating impact on all aspects of the American economy.

The report noted that, as in many malware attacks, hackers seek to compromise networks with “spear phishing” – emails tailored to reach specific individuals – with malicious attachments and tainted websites with a goal of obtaining credentials that allow the hackers to access computer networks. CONTINUE READING →

Published on:

 
9 October 2017

It is budget season again — that time when operators and owners sit down to agree on the financial blueprint for the next year. My partner Bob Braun has worked on many hundreds of hotel management agreements and issues arising under them. Today, he shares some insights about the how to maximize the budget opportunity for constructive dialog between owners and operators.

It’s Budget Season
What are you doing about it?
by
Robert E. Braun, Hotel Lawyer

Importance of budgets

It’s hard to overstate the importance of a budget in the relationship between a hotel manager and owner. The budget is the way that a manager describes, in black and white, how it plans to operate the owner’s property; it is the document that translates operating standards into action, and how the owner can expect to profit from the manager’s efforts. It is also an important opportunity to be sure that the operator is giving due consideration to the owner’s financial expectations and/or exit strategies.

Many of the larger independent management companies present a budget with little opportunity for dialog. In significant part, they diminish the direct impact of asset and property management teams. This means people sitting in an office 3,000 miles away make key budget decisions for properties that they have not seen or on markets they have not visited, based on STR reports and raw data. Generally, one would think that the property-level asset management team would be the best to guide the budget process because of their hands-on knowledge – not the corporate budgeting team.

Budget challenges owners face

Unless owners have a wealth of operating experience or hire experienced asset managers, they will likely be at a severe disadvantage when they review budgets. Consider typical challenges of the budget timing and process:

  • Managers typically deliver budgets to owners in early- to mid-November, which leaves only 45 to 60 days before the beginning of the new fiscal year. While an owner may be able to analyze and comment on the budget and propose changes, the process itself is lengthy and makes it difficult to complete in a timely manner. Operators have scheduling conflicts during that busy period, and typically take two to three weeks, or more, to prepare a response for the owner’s review. Managers work on budgets almost year-round, and larger management companies have staffs that are dedicated solely to creating budgets. They have developed expertise in creating a budget that owners can only match by expending the necessary time and expertise, which takes a commitment that many owners don’t understand; after all, didn’t they already engage a manager for its expertise?
  • No matter the level of owner approval rights – which range from what might be complete control to very limited influence – managers run the budget process and establish the assumptions underlying the budget, making it difficult to make changes. Leveling the playing field requires owners to engage asset managers to conduct a “shadow” budgeting process.
  • The budget for any single year will impact budgets for years to come. While budgets are generally “zero-based,” a budget for any given year is more realistically derived from the budget for the prior year, and budgets ultimately contain a variety of “legacy” items. While the old budget should, reasonably, provide a setting for the new budget, a variety of factors should (but often don’t) get adequate consideration, including new labor agreements or laws, renovations and their implications, new supply, addition of new product internally (such as restaurants or bars), and outside influences, such as changes in the convention market and other drivers for the hotel market.
  • Operators rarely provide great detail on the most significant cost to owners – labor expenses – and therefore do not give owners the opportunity to identify potential savings. Similarly, operators often give greater weight to occupancy than rate, which may actually reduce the profitability of a hotel.

CONTINUE READING →

Published on:

19 July 2017

Hotels rely on third-party vendors to help run their properties efficiently, and often must give them access to sensitive guest data. This leaves hotels vulnerable to cyber attacks; they’re only as secure as their vendors are, and may find themselves directly liable for a data breach.  My partner Bob Braun, senior member of JMBM’s Global Hospitality Group® and co-chair of JMBM’s Cybersecurity and Privacy Group, discusses recent hotel cybersecurity breaches and how hotel owners can protect themselves.

Hotel data breaches
It’s not you, it’s your “friends”
by
Robert E. Braun

July was another notable month for hotel data breaches – on a single day, several well-known hotel brands and managers, including Four Seasons, Trump Hotels, Hard Rock Hotels & Casinos and Loews Hotels all announced that customer data may have been compromised as a result of a security failure. Each of the incidents is related to Sabre Hospitality Solutions’ credit card data breach in its SynXis hotel-reservations system, which Sabre first announced in a quarterly filing with the Securities and Exchange Commission on May 17. Based on Sabre’s investigation, Sabre announced that the breach was contained to “a limited subset of hotel reservations,” but the incident did allow an unauthorized party to access cardholder names, payment card numbers, card expiration dates, card security codes for some, and, in some cases, guest name, email, phone number and address.

Moreover, the duration of the breach was long quite long. Sabre’s investigation determined that the unauthorized party first obtained access to payment card and other reservation information on August 10, 2016, and the last access to payment card information was on March 9, 2017. The hackers had potential access for seven months.

CONTINUE READING →

Published on:

1 February 2017

Theft of confidential data by hackers is a major threat to businesses worldwide and the hotel industry is no exception. Hoteliers remain vulnerable to hackers seeking confidential information such as guests’ credit card data and employees’ personal information. They are also vulnerable in other ways. In a recent hotel breach, the hackers did not go after confidential data, but rather sought a ransom payment after taking control of the hotel’s technology. My partner Bob Braun, senior member of JMBM’s Global Hospitality Group® and co-chair of JMBM’s Cybersecurity and Privacy Group, describes what happened, and shares what hotels can do in response to such threats.

Hotels and Ransomware — Something Special
by
Robert E. Braun

Last year, at the Global Hospitality Group’s Meet the Money™ Conference, I participated in a panel on Cybersecurity and we discussed how cybersecurity issues affect the hotel industry.  One of the comments was that hotels, more than most private industries, have to take into account the kind of physical harm that might be done by a hacker. We noted that not only are guest information systems targets, but also the life and safety systems – HVAC, elevators, electricity and so on.  We concluded that while financial theft could impact a hotel and its reputation, a hack of the physical structure of a business could put the hotel out of business.

Locked Out

Our discussion turned out to be prescient when, this week, Romantik Seehotel Jaegerwirt, in the Austrian Alps, had their systems frozen by hackers, which resulted in the complete shutdown of hotel computers.

The 111-year-old hotel had already been targeted by hackers twice.  This time, however, the hackers breached the key card system, made it impossible for guests to enter their rooms and prevented the front desk from reprogramming cards.

The hackers demanded €1500 in Bitcoin, promising that control of the key card system and room locks would be returned.  Management of the hotel, fully occupied at the beginning of the winter season, chose to pay the ransom, rather than attempt a solution that could have taken significant time and harmed their 180 guests. CONTINUE READING →

Published on:

6 January 2017

ADA Hospitality Defense and Compliance Lawyer: Hotel mixed-use projects have proliferated over the past decade or two — projects that combine a hotel with retail, residential, entertainment, office and other uses. In recent years, many of these projects combine hotel and shopping center elements. We are big fans of hotel mixed-use.

Over the years, we have written about the numerous advantages that accrue to both hotels and shopping centers, when hotels are added to the right shopping or retail center.  One study showed that the right hotel can boost gross sales at shopping centers 20% – 40% — and hotels can get 30% – 40% RevPAR advantage over hotels in their competitive set.

But those of you with these hotel in mixed-use projects with shopping centers or other retail elements know that mixed-use projects inject numerous additional legal and business issues that hoteliers usually don’t deal with in stand-alone hotel projects. One such critical issue is that of “common areas.”

In the article below, my partner, Marty Orlick, writes about one aspect of common area liability that you may have overlooked in defense to ADA violations. Of course, the ultimate analysis will depend on the precise facts of the situation at hand and the structure of the hotel’s participation in the mixed-use project — particularly whether or not the hotel is owned in fee or is a tenant in the project.

How many judges does it take to rule that shopping center tenants
are not liable for ADA violations in common areas?
by
Marty Orlick

First published in the October 2015 issue of the California State Bar’s Real Property Law Section E-Bulletin

Congress passed the Americans with Disabilities Act of 1990 (“ADA”) “to provide clear, strong consistent, enforceable standards addressing discrimination against individuals with disabilities” in employment, public accommodations, transportation and federal, state and local government services. 42 U.S.C.§12101(b)(2). Title III of the ADA applies to public accommodations including shopping centers, theaters, arenas, restaurants, health clubs, hotels, banks, public space in office buildings, and nearly every manner of retail premises. Virtually every leased location which serves the general public and is engaged in commerce is subject to the accessibility requirements of the ADA. CONTINUE READING →

Published on:

7 November 2016

Hotel Lawyer on multi-branded hotels.

Hotels with more than one brand are increasingly common, but it wasn’t always so. Although some compelling advantages are driving this trend in many situations, developers and owners should weigh the advantages against other considerations.

My partner Bob Braun is a senior member of our Global Hospitality Group® and has experience with many hundreds of hotel management and franchise agreements. Bob is also co-author of the Hotel Management Agreement & Franchise Agreement Handbook (3rd edition), and has first-hand experience with branding and management for every major traditional hotel brand, including a number of multi-branded properties. Today he explores the phenomenon in greater detail.

Dual-branded & multi-branded hotels:
Opportunities and challenges
by
Bob Braun, Hotel Lawyer

The trend of dual-branded and multi-branded hotels

Over the past few years, the popularity of multi-branded properties has exploded. Less than a decade ago, a dual-branded hotel was an oddity. Then dual branding became more common, and some properties began to use more than two brands, so “multi-branding” was born in the hotel industry. In the early days, multi-branding resulted from unique circumstances. Today, it is driven by a number of factors discussed below, and there are nearly 100 properties with multiple brands and nearly that many again in construction. CONTINUE READING →

Published on:

21 September 2016

Have you noticed the explosion of new brands from hotel companies over the past few years? At JMBM, we do a lot of work with branding through license agreements, management agreements and other arrangements. So we asked my partner Bob Braun to give us some insights on what this is all about and what significance it has.

Here are Bob’s thoughts, along with some practical advice on what owners and developers should do in this situation.

Hotels – Brand Expansion or Brand Explosion?
by
Bob Braun, Hotel Lawyer

Consumer oriented companies commonly use “brand extension” to launch a new product by using an existing brand name on a new or related product, often in a different category. These companies use brand extension to leverage their existing customer base and brand loyalty to increase profits with a new product offering. CONTINUE READING →