To celebrate Data Privacy Day, on January 28, California Attorney General Rob Bonta announced an investigative sweep of businesses offering loyalty programs in California. This should come as no surprise, as Attorney General Bonta highlighted loyalty programs as one of the areas of non-compliance his office addressed during the first year of California Consumer Privacy Act (CCPA) enforcement. In this sweep, the Attorney General’s office sent letters of non-compliance to businesses across different industries, including in the travel and food services industries. Those companies have 30 days to cure their non-compliance or will be subject to further enforcement action and penalties.
This blog post was originally published as a Legal Alert on GSB's website on July 3, 2018. The post was also authored by Victoria Redman, GSB’s 2018 Summer Associate, located in the Seattle office.
On Thursday, June 28, 2018, the California Consumer Privacy Act of 2018 (the Act) passed with resounding support from both Republicans and Democrats, who voted in favor of the bill 73-0-7 in the Assembly and 38-0-3 in the Senate. The Act, which takes effect on January 1, 2020, imposes requirements on the processing and protection of personal data similar to, and in some cases more extensive than, the requirements under the EU General Data Protection Regulation (GDPR), which went into effect on May 25, 2018.
Lawyers often say “bad facts make bad law.” Combine that with weak legal arguments and, well, things can get really bad, really fast. That’s precisely what happened to Wyndham yesterday when the Third Circuit affirmed a federal District Court decision that the Federal Trade Commission (“FTC”) has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the Federal Trade Commission Act. While commentators may disagree on the result from a legal or policy perspective, one thing is for certain: it was a bad result for Wyndham. The decision rejected in no uncertain terms Wyndham's argument that the FTC lacked authority, and not kindly.
Benjamin Lambiotte, technology and data privacy attorney in Garvey Schubert Barer’s D.C. office, shares key points from two significant survey reports analyzing trends in data security breaches during 2014 that were released this week: one from Verizon, and the other from IBM and the Ponemon Institute. It should come as no surprise to anyone that once again, the hospitality industry is featured prominently in both reports. Thank you, Ben! – Greg
How secure is the data on your office copier? Today's post from Benjamin Lambiotte, technology and data privacy attorney in Garvey Schubert Barer's D.C. office, outlines the data security risks associated with office machines, as well as the warning signs and steps that you can take to reduce those risks. Thank you, Ben! - Greg
I’m pleased to introduce guest author, Nick Montera, Vice President, Account Executive and head of the hospitality practice at Parker, Smith & Feek. PS&F is an insurance and risk management brokerage firm headquartered in Bellevue, Washington, providing innovative insurance solutions to clients nationwide. We appreciate Nick sharing his expertise and insights on this important and timely subject. - Greg Duff
In September 2013, Governor Jerry Brown of California signed into law Assembly Bill No. 370, which amends the California Online Privacy Protection Act (CalOPPA) to require that website and mobile app operators disclose whether they honor web browser “Do Not Track” signals. AB 370 took effect on January 1, 2014.
Over the past 2 days, MPI hosted its annual Cascadia Educational Conference in Portland, Oregon. I had the pleasure of participating at this year's event, presenting on group sales issues and privacy. Copies of my presentations are available here: Group Sales Contracts: Interesting Case Studies and The Rising Significance of Guest Information.
Congratulations to MPI for another terrific event. I look forward to hopefully seeing everyone at next year’s Conference.
- failed to use strong (and in some cases any) passwords to limit access to computer files;
- failed to use firewalls to separate corporate and hotel computer systems;
- improperly stored payment information in clear text;
- failed to implement reasonable measures to detect security breaches;
- failed to implement proper incident response procedures or remedial steps after learning of a data breach; and
- failed to adequately restrict access to company systems by third party vendors.
The claims stem from three separate data breaches over a period of two years in which hackers obtained the private information of more than 600,000 customers, which led to more than $10.6 million in fraudulent charges.
A pair of recently effected state laws makes clear that information security remains a significant issue that receives and will continue to receive considerable legislative and commercial attention. Hoteliers, restaurateurs and others in the hospitality industry use personally identifiable information (PII) of their guests and customers to improve services and create a personalized experience.
Greg and I attended the annual Hospitality Law Conference in Houston this February, which devoted an entire track to data privacy issues. It’s the definition of a hot topic, and important, so please take note!
Greg Duff founded and chairs Foster Garvey’s national Hospitality, Travel & Tourism group. His practice largely focuses on operations-oriented matters faced by hospitality industry members, including sales and marketing, distribution and e-commerce, procurement and technology. Greg also serves as counsel and legal advisor to many of the hospitality industry’s associations and trade groups, including AH&LA, HFTP and HSMAI.