With each passing day, the public is inundated with more reports of data breaches affecting companies of all shapes, sizes and types. The hospitality industry has not been spared from exposure to such breaches, and in fact several of the most widely publicized incidents involve some of the largest hotel brands in the world. Just weeks ago, InterContinental Hotels Group (IHG) announced it had suffered a data breach at multiple IHG-branded franchise hotel locations in the United States and Puerto Rico in late 2016. This comes on the heels of IHG’s disclosure in February of a separate malware attack exposing customer data at 12 U.S. IHG-managed hotels. IHG is not alone, as Wyndham Worldwide, Hard Rock Hotels, Omni Hotels & Resorts and Hilton Hotels, among others, have all been publicly cited as victims of cyber-attacks and resulting data breaches.
While much has been reported on these incidents, less is understood about what liability may flow from a hotel data breach. Among the questions are which party or parties may bring actions after a data breach, against whom, and for what damages. Separately, as among the impacted hotel’s operator and owner, and its general liability insurer, which party or parties are ultimately liable for any losses caused by a data breach. This article explores these issues.
