Identity Theft in Hospitality Businesses: An Exploration of Related Legal Precedents and Industry Wide Precautions to Protect Sensitive Data

Introduction

This paper will explore the legal and constitutional issues surrounding data breaches within the field of hospitality. By discussing three cases in which the identities of millions of unsuspecting guests’ identities were compromised due to the neglectful maintenance of databases on the behalf of three major hoteliers. Outlining causal factors ranging from weak security practices, malware, and the use of fraudulent instruments to either steal directly from customer accounts or to gain access to sensitive data from customer profiles to bypass banking or credit identity verification processes. Consequently, leaving patrons under imminent threat of identity theft due to the failure to install the proper security systems to shield against the intrusion of cybercriminals.

Subsequently, contributing negligence is the major theme of the case study portion of this paper. A section dedicated to the discussion of the legal precedents set by Dugas v. Starwood Hotels & Resorts Worldwide., 2016 U.S. Dist. LEXIS 152838, In re Marriot Int’l, Inc.,440 F. Supp. 3d 447 United States District Court for the District of Maryland Southern Division, and Sandra Smith v. Sabre Corporation. Cases used to highlight how the lack of preparedness against cybercrimes can be interpreted by courts as a breach of duty.

History

Prior to listing the reasons that courts will find a property to be negligent for not installing the necessary fail safes to protect customers, it is important to understand why hotels are highly targeted by cybercriminals. Industry insider and author of Why Do Cybercriminals & Identity Thieves Target the Hospitality Industry, Holly McCulloh asserts that hackers do so because hotels maintain systems that contain millions of guests records which are highly valuable on the dark web.

Hence, hackers will seek to find easily accessed vulnerabilities within a hotel’s network infrastructure, which they can easily exploit to access customer data. Generally, using phishing attacks to infiltrate hotel Wi-Fi networks to steal passwords and other sensitive data. An evolving technique which will grow in its sophistication as travelers demand more complete technology experiences while staying at hotels. (Advanced Hospitality Technologies)

Additionally, the entire hospitality industry has been noted for having some of the highest rates of security scams. According to the Report to the Nations on Occupational Fraud & Abuse approximately “one-third of all credit card fraud cases originate in hotels.” (Shah 2018) Resulting in an estimated loss of 5% to 6% of annual revenue from fraud perpetrated by hotel employees and guests. (Shah 2018) Therefore, it is imperative that hotels find ways to secure their network infrastructures to maintain their profitability, brand reputation, and to reduce all subsequent legal and financial penalties.

The article, Data Security in Hospitality – Why Is It So Important, offered another compelling reason as to why data breaches are a relatively common occurrence within hospitality. When it stated that “businesses in the hospitality sector such as hotels, and restaurants, often have a complex ownership structures consisting of a management company which runs the business, a separate owner or group of owners, and a franchisor.

These entities may store important data in computer systems and such information may be moved around frequently and such complex ownership structures could result in breaches.” (hospitalitynet.com) Structures that enable hackers to access a customer profiles and credit information through a property’s virtual private network (VPN) using the hotel’s public Wi-Fi networks.

Cybercriminals also access hotel networks by using malware to scrape card information from infected POS systems. As hotels increasingly rely on POS systems to streamline processes it is becoming more important that they “implement stringent measures to ensure user security.” Using an all -encompassing approach that ensures “user security, guest device security, network security, and personal security across their properties.” (Advanced Hospitality Technologies)

Other pervasive forms of fraud involve the use of false account credits, skimming devices, and fraudulent credit cards. Although much work has been done industry wide to document the use of these instruments, several large hotel chains have still managed to fall prey to scams incorporating their use. Due to their lack of preparedness, which courts have deemed to be a form of negligence.

In re Marriott Int’l, Inc. 440 F. Supp. 3d 447 United States District Court for the District of Maryland, Southern Division

One of the most well- known data breaches in hospitality is In Re: Marriott International, Inc., Customer Data Security Breach Litigation, Consumer Actions. A lawsuit brought the United States District Court for the District of Maryland, Southern Division against Marriott and Starwood Hotel’s Resorts Worldwide for the failure to protect its guests’ personal data.

On November 20,2018 Marriott announced that it suffered one of the largest data breaches in history. For a cybercrime gang, named Fin 7, was able to “infiltrate 383 million guest records, 24 million passport numbers, and a million credit and debit cards.” (In Re: Marriott International, Inc., Customer Data Security Breach Litigation, Consumer Actions) During its announcement the public was made aware that Marriott and Starwood were targeted because Fin 7 knew that its guest reservations system required the collection of sensitive customer data upon guest check-in requiring guests to provide their name, address, email address, phone number, and payment card information. In addition, it was known throughout the industry that Marriott and Starwood’s reservation’s system possessed the capability of storing patrons room preferences, travel destinations, and other personal information as a means of offering a greater level of customizable service. Arguably, one of the most valuable features of its reservations system, but what was readily accessed by hackers to steal data.

A fact worsened by Marriott & Starwood’s failure to immediately notify patrons of the data breach. For upon later discovery, it was revealed that Marriott executives were made aware of Fin 7 offenses on September 8, 2018 and withheld this critical information from the public until November 30,2018. It was also noted that if Marriott’s clientele were informed of the data security problems the brand was facing that guests “would have chosen to stay at other hotels, purchase, products or services at other properties, and/or would have paid less” for their stays. Depriving unsuspecting guests of the right to chose uncompromised hotels for their travel accommodations.

Marriott and Starwood’s failure to protect its customers’ data was deemed by the courts to be a breach of duty. Under Georgia Law, the lawsuit brought against both parties was defined as a Negligence per se claim. It also violated the Internet Business, Data Protection in E-commerce Environments Act, Maryland Personal Information Privacy Act, and the Michigan Identity Theft Protection Act. Laws requiring businesses to “implement and maintain reasonable security practices and procedures based on the personal information collected. Requiring businesses to conduct quick investigations and to provide immediate notification of security breaches without reasonable delay if a client’s unencrypted and unredacted personal information was accessed by an unauthorized person.” (In Re: Marriott International, Inc., Customer Data Security Breach Litigation, Consumer Actions)

For the plaintiffs’ argument stated compromised guests were under imminent threat of identity theft. Subsequently, leaving victims to manage “all costs related to the data breach and the loss of the value of their personal information.” The reported damages incurred by the plaintiffs included the loss of the benefit-of -the bargain, loss of time and money spent mitigating harms, and as previously mentioned the loss of value of personal information.

The courts ruled to partially grant Marriott’s motion to dismiss the claims brought against it by the plaintiffs. And the requirement of “plaintiffs to bring individual cases against Marriott proving the damages that they incurred because of the data breach.”

Dugas v. Starwood Hotels & Resorts Worldwide, Inc., 2016 U.S. Dist. LEXIS 152838 United States District Court for the Southern District of California

In 2016, a case was filed against Starwood for similar reasons. Plaintiff, Paul Dugas, filed a lawsuit against Starwood Hotels & Resorts Worldwide, Inc. for damages he incurred after his credit card was compromised after purchasing spa services at a Sheraton San Diego Hotel Marina. Stating that his credit card was later used by an unauthorized third party for multiple purchases.

Additionally, had it not been for the provision of his personal data his credit card would not have been compromised by the third party who used his account for “unauthorized purchases, unnecessarily exposing him to losses, frustration, and on-going requirements to protect himself from identity theft.” Leading Paul Dugas to file a grievance within the United States District Court for the Southern District of California courts stating that Starwood violated the California Customer Records Act, California’s Unfair Competition Law. Defined as such because under the California Customer Records Act when a business that “owns, licenses, or maintains personal information about a California resident it shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” (Dugas v. Starwood Hotels & Resorts Worldwide, Inc., 2016 U.S. Dist. LEXIS 152838)

Starwood’s actions were also considered an invasion of privacy and to fit the definitions of two forms of negligence. First, under the general definition of negligence because Starwood failed implement “adequate security measures to protect the information they obtained from customers.” Secondly, Dugas’ case fit the definition of negligence per se because he had a reasonable expectation of privacy under the circumstances, a legally protected privacy interest, and that third party’s actions were a serious invasion of the privacy interest.

In its ruling, the courts determined that the plaintiff, Paul Dugas, was not entitled to damages for the fraudulent charges because in his initial complaint “he did not allege out of pocket losses or monetary damages resulting from the data breach due to the defendant’s negligence or failure to maintain reasonable security procedures.” (Dugas v. Starwood Hotels & Resorts Worldwide, Inc., 2016 U.S. Dist. LEXIS 152838)

The plaintiff’s motion to dismiss was granted and denied in part. Stating that Mr. Dugas’ “failure to meet the twenty-day deadline to amend the complaint or failure to cure the deficiencies identified within the case would result in the dismissal of his case with prejudice.” (Dugas v. Starwood Hotels & Resorts Worldwide, Inc., 2016 U.S. Dist. LEXIS 152838)

Sandra Smith v. Sabre Corporation United States District Court for the Central District of California

Unlike Dugas v. Starwood Hotels & Resorts Worldwide, Inc., 2016 U.S. Dist. LEXIS 152838 and In re Marriott Int’l, Inc., 440 F. Supp. 3d 447 United States District Court for the District of Maryland, Southern Division , Sandra Smith v. Sabre Corporation United States District Court for the Central District of California is a frivolous case brought to the Central District of California by Sandra Smith to exploit the Sabre corporation for illegitimate damages.

On May 2, 2017 she filed a claim stating that her identity was compromised and that she suffered damages when she did not. Conveniently, timed after Sabre made public that its new SynXis system was breached by hackers. In her complaint she stated that because she was a frequent guest of “hotels that were known to use Sabre’s system.” The courts immediately dismissed her complaint without prejudice because it was a frivolous case that failed to rise to the level of a legitimate identity theft claim.

Analysis & Management Suggestions

In closing, it is imperative that hoteliers find strategic means of securing hotel networking systems, to circumvent avoidable lawsuits. Hotel management can achieve this objective by using firewalls, networking monitoring, traffic filtering, and anti-malware security systems. Also, by encrypting credit card information and creating a detailed response plan if a data breach should occur.