Marriott announced on 30 November 2018 a data breach of the Starwood reservations system that has potentially affected around 500 million people who were guests of Starwood hotels between 2014 and 2018. Of these, around 327 million have had extensive information leaked, including not only personal and contact details but also passport numbers and possibly payment card details. This is possibly the second largest data breach ever reported, after Yahoo in 2013, but it may be more serious because of the volume of payment card information involved, which was not part of the Yahoo breach.
Hotel industry as prime target for hackers
It is a blow for the whole hotel industry that one of the most serious data breaches in history affects this sector, especially if it dents consumer confidence and consumers' willingness to share personal data with hotel companies. However, it is not a surprise, because the hotel industry is one of the few industries that needs to hold customer credit card details for extended periods of time as security for future bookings.
The online retail industry mostly processes payment data immediately and then discards it, unless customers specifically agree to store payment card details for regular purchasing. Hotels routinely take payment card details and keep them for weeks or months between the booking date and check-out. This makes large hotel operators prime targets for hackers looking specifically for payment card details. Many of the large operators have announced previous data breaches of varying sizes, so this is not the first and will not be the last.
Regulatory investigations
The New York Attorney General and the UK Information Commissioner have already said they have received reports and are investigating. Following the implementation of GDPR, which has applied since May of this year, the potential fines for non-compliance are very significant. Based on Marriott’s 2017 global turnover, the maximum fine just within the EU is just short of US$ 1 billion, and that is not counting other non-EEA jurisdictions, although for breaches before May 2018 the older regime with lesser penalties would apply. In addition, there is a risk of class action lawsuits in some countries (including potentially the UK after a recent decision from the Court of Appeal) from affected consumers and business partners if they suffer loss from the data breach. This does act as a serious wake-up call for the whole industry.
Of course, we do not know whether Marriott (or Starwood prior to Marriott’s 2016 acquisition) was at fault or whether this breach happened despite compliant cybersecurity and data protection systems, policies and processes being in place. We will not know that until the regulatory authorities have completed their investigations, and that will no doubt take some time. We do not know exactly when the regulators were informed of this incident. However, they will no doubt be looking at whether Marriott notified them within 72 hours as required by GDPR, and whether the public were notified “without undue delay”, given that it took Marriott 11 days to notify the public after becoming aware of the full extent of the leaked data, which itself was over two months after it became aware in September 2018 that its systems had been compromised.
Industry-wide issues on GDPR
This incident might provide an opportunity for the industry to properly discuss what GDPR compliance involves in circumstances where many different parties need to process a guest’s data in the pathway from booking through to the stay and check-out. These could include the online booking agent who takes the original reservation, the hotel chain who stores the data in their central reservation system, the hotel owner or franchisee who receives that data in order to provide the stay and any suppliers who provide invoicing, data storage, server processing or other outsourced IT services.
For an industry that is normally relatively collaborative, there has been very little industry-wide discussion or guidance from trade associations on how the complex data sharing arrangements required to take a hotel guest from booking through to check-out are affected by GDPR. As a result, each major operator seems to have formed its own position in isolation, meaning that there is a great deal of inconsistency.
GDPR application to management and franchise agreements
In our experience of advising hotel owners, we have found that many of the larger operators are less than transparent about their position on these data processing arrangements for guest data. This is important for owners and franchisees because GDPR imposes new obligations on them as well: to ensure that their hotels comply with GDPR and that any contracts dealing with data processing, which will include management and franchise agreements, include the mandatory contractual provisions governing how and what data is processed.
In particular, certain hotel operators are taking the official line that the owner-manager relationship and the franchisor-franchisee relationship do not include any processor-controller relationships, nor any joint controller relationships, whether in relation to guest data or hotel employee data, whereas other operators accept that there is likely to be a controller-processor or joint controller relationship between the parties and are willing to amend their contracts and/or arrangements accordingly. This is ultimately a factual test and not something the parties can simply agree between themselves. So until we get more guidance from the regulators or a test case on the issue, the position remains uncertain within the industry.
CMS Comment: We find it surprising that certain operators suggest there is no controller-processor or joint controller relationship between the parties to a hotel management or franchise agreement. The parties are agreeing to mutual restrictions on what each party can and cannot do with guest data. Both of them need to process the data to take the booking and provide the service, and it is not true that both are completely free to control how they independently process such personal data, especially when one party (the owner or franchisee) is often processing that data via a central reservations system and sometimes proprietary software provided by the other party (the operator or franchisor). In addition, under a management agreement, an owner’s employees (e.g. front desk staff at check-in/out) are processing guest data under the control and supervision of the manager, and the manager is often processing hotel employee data on behalf of the owner during the recruitment, bonus and appraisal processes. Taking this position also seems to be unnecessarily risky. If they are held to be wrong, then all of their thousands of contracts and/or arrangements in place are non-compliant, which could add to the level of fine they receive. If there is any uncertainty as to the form of the relationship, it is better to include the required wording and/or put the necessary arrangements in place, as best practice in any event. By refusing to do so, the operators are not just choosing to take this risk for themselves, but they are imposing that risk on owners and franchisees who cannot unilaterally amend existing contracts or arrangements and cannot persuade operators to amend their standard contracts or arrangements when signing up to a brand. We will wait to see whether this incident has an impact on owners’ and franchisees’ willingness to reluctantly accept the position imposed on them by some of the larger operators not to deal with GDPR issues in their contracts.
Meanwhile, if any hotel owners or operators are breathing a sigh of relief that this is not them, they should be redoubling their efforts both to ensure their cybersecurity is as tight as possible and to ensure that their GDPR compliance is up to scratch, to mitigate the risks associated with any data breach. It is generally recognised that this is a question of when, not if, a cyber-breach occurs.