In their latest article for the New York Law Journal, Todd Soloway, Chair of Pryor Cashman's Hotel + Hospitality Group, and Partner Bryan Mohler evaluate the risks borne by hotel owners, operators and insurers in the event of a data breach.

"The hospitality industry has not been spared from exposure to breaches, and in fact several of the most widely publicized incidents involve some of the largest hotel brands in the world," Soloway and Mohler wrote. "InterContinental Hotels Group, Wyndham Worldwide, Hard Rock Hotels, Omni Hotels & Resorts and Hilton Hotels, among others, have all been publicly cited as victims of cyber-attacks and resulting data breaches."

Who May Bring Suit?

While these incidents have been widely covered in the media, the potential liability stemming from each breach has been less reported.

Following a breach, questions arise regarding which parties may bring actions, against whom, and for what damages. A hotel guest whose financial or personal information was compromised as a result of a data breach may bring suit against the hotel owner and/or operator. The Federal Trade Commission (FTC), which has the authority to regulate cybersecurity, may also pursue an action against the hotel following a breach.

Additionally, credit card companies may be entitled to bring suit against a hotel in the wake of a data breach pursuant to certain provisions in service agreements which allow the credit card issuer to sanction merchants when a breach occurs.

Who is Liable in the Event of a Breach?

"It is generally the case that hotel operators, rather than hotel owners, are the entities that collect and store guests' financial and personal information. But that does not mean that hotel owners will escape liability in the event of a data breach, since most hotel management agreements contain language obligating the owner to indemnify the operator, depending upon the vintage of the contract," the authors explained.

"While this language generally was envisioned to cover slip-and-fall and third-party type liability, hotel operators are likely to take aggressive positions that such language places all risk on the hotel owner. Thus, owners would benefit from considering the implications of a potential data breach before it strikes."

To read Soloway and Mohler's full NYLJ article, please click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.