Hospitality Posts


Social media can be used in a multitude of ways for savvy brands to promote their products. A popular approach is providing “celebrity bloggers” with free or discounted items in exchange for a picture, post, tweet or “shout-out”, which creates “organic” exposure for their brand. While social media has its own methods of operation, the Federal Trade Commission (FTC) rules must be taken into account when handling these promotions.

Under Section 5 of the FTC Act, 15 U.S.C. § 45, the FTC is given the power to direct persons and companies away from using unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in affecting commerce. This includes advertising and social media.

One of the FTC’s main concerns is that consumers may be misguided into believing that an endorsement is the honest opinion of an endorser when in actuality there is a relationship between an endorser and a company and/or marketer. If a relationship exists or an agreement has been made, the FTC requires that the endorser disclose this information.

It is common practice for companies or advertisers to provide products, services or discounts to individuals who have a broad reach on social media. For example, celebrity bloggers who have Instagram accounts with hundreds of thousands of followers are often given free merchandise and/or compensation in exchange for posting pictures of the product or themselves using the product to their accounts. The FTC is concerned that consumers are being deceived by these posts. As a result, the FTC has released guidelines that advise the endorsers, marketers and companies that they must disclose a relationship if the relationship is not apparent to consumers. (https://www.ftc.gov/tips-advice/business-center/guidance/ftcs-endorsement-guides-what-people-are-asking#contests) Thus, if a blogger is writing a review, they must disclose whether the product was provided to them by a certain manufacturer or to at least disclose their relationship (i.e. if they’re sponsored or employed by the manufacturer).

In some forms of social media such as Twitter, Pinterest and Instagram, there is a limited amount of space in which one can post something, which makes disclosing this information more difficult. Further, the FTC has not mandated the specific wording of disclosures. However, it advises that inserting short statements such as “#sponsored”, “#promotion”, “paid ad” or even “ad,” may be enough to disclose a connection between the endorser and company.

Many bloggers and social media users feel that having such tags or wording would make their social media accounts feel non-organic or worse, they would be labeled a “sell-out.” While the FTC may choose who they would like to pursue, their rules still apply to bloggers. However, as a practical matter, the FTC has indicated that their enforcement efforts will focus on the companies and/or marketers whose products are the subject of the blogs.

Thus, while it certainly takes away from their organic publicity, companies should make an effort to advise their endorsers that they must disclose their relationship or if they received a particular item from the company or its marketing firm. Particular hash-tags such as “#sponsored” can be used, or even perhaps much more obvious hash-tags such as “ProvidedToMeBy[insertcompanyname]forfree”.

Companies and marketers know that they cannot control what is said on social media and that their endorsers may not follow these guidelines, but they must be mindful of these FTC guidelines in order to prevent being subject to an enforcement action by the FTC. The FTC advises that companies educate and instruct endorsers of such guidelines, make periodic attempts to search for what is said and if there is a problem, follow-up on it. Thus, at a minimum, companies should make a concerted effort to expressly communicate to endorsers that they must adequately disclose the relationship to consumers. The companies should then monitor the posts. Further, if the company re-tweets, re-grams, or re-pins an endorsed post, they need to also disclose the relationship.

Thus, companies and marketers should take note of the FTC’s guidelines and integrate them into their marketing plans and make the appropriate disclosures.


Editor's note: This article describes a hypothetical situation.

Bob has studied the rules of various arbitration providers. He knows an effective advocate chooses the arbitration forum that offers the rules best suited for the particular controversy. So, for instance, "If you want depositions, why not pick an arbitration forum whose rules expressly allow depositions?" Always the riddler, Bob put this question on his office wall.

Bob soon had a chance to put words into action. His client was involved in a messy business dispute that spilled over into a contentious litigation. Using his code words—more expeditious, more cost-effective, and confidential—Bob convinced the other side to arbitrate the dispute. The parties asked the court to enter an agreed order sending the case to arbitration.

Bob needed a couple depositions to prove his case. He drafted an arbitration agreement that identified ABC Arbitration Co. as the arbitration provider: "The parties agree that all disputes at issue in the current litigation shall be settled by arbitration administered exclusively by ABC Arbitration Co. Judgment on the award rendered by the arbitrator may be entered in any court having jurisdiction thereof."

Why ABC? Because its rules stated, "Each party may take two depositions of an adverse party." Deposition problem solved. Another example of brilliant drafting that anticipated and resolved a potential snare.

There was one problem: ABC Arbitration did not exist. Bob and his adversary could not find ABC's offices, website or anything having to do with ABC. "No matter," Bob assured his client. "The parties can select another arbitration provider and can proceed with the desired arbitration."

Except that Bob two days later received his adversary's motion to vacate the stipulation and order that directed the parties to arbitration in the first place. His adversary's argument was simple. The arbitration provision identifies ABC as the arbitral forum; ABC does not exist and cannot arbitrate the dispute; consequently, the parties cannot arbitrate their dispute in accordance with the arbitration clause.

Must the parties now return to court or can Bob salvage the arbitration?

Section 5 of the Federal Arbitration Act states: "If in the agreement provision be made for a method of naming or appointing an arbitrator or arbitrators or an umpire, such method shall be followed; but if no method be provided therein, or if a method be provided and any party thereto shall fail to avail himself of such method, or if for any other reason there shall be a lapse in the naming of an arbitrator or arbitrators or umpire, or in filling a vacancy, then upon the application of either party to the controversy the court shall designate and appoint an arbitrator or arbitrators or umpire, as the case may require, who shall act under the said agreement with the same force and effect as if he or they had been specifically named therein; and unless otherwise provided in the agreement the arbitration shall be by a single arbitrator."

How do courts determine whether the process for naming an arbitrator "lapses"? If the provision says the designated forum is the "exclusive" arbitral forum, there is a lapse and the court will not enforce the arbitration provision.

"If a designated arbitrator is unavailable, Section 5 of the FAA permits a court to appoint a substitute arbitrator in certain circumstances. Our court of appeals has not addressed the precise set of circumstances in which a court may appoint a substitute arbitrator, but other federal courts have held that Section 5 of the FAA generally permits a court to appoint a substitute arbitrator where the chosen arbitrator is unavailable, unless the selection of an arbitrator is 'integral' to the arbitration agreement, as opposed to an 'ancillary logistical concern,'" the court wrote in Clerk v. Cash Central of Utah LLC, 2011 U.S. Dist. LEXIS 95494, at *13-*14 (E.D. Pa. Aug. 25, 2011).

How does one determine if the selection of the arbitrator is "integral" to the arbitration agreement? The court in Clerk said, "An arbitral forum is an integral part of an arbitration agreement if the agreement includes an express statement designating a particular arbitral forum to administer arbitration." The Pennsylvania Superior Court agreed in Stewart v. GGNSC-Canonsburg, 9 A.3d 215, 219 (Pa. Super. 2010): "At a minimum, for the selection of an arbitrator to be deemed 'integral,' the arbitration clause must include an 'express statement' designating a specific arbitrator." In Khan v. Dell, 669 F.3d 350 (3d Cir. 2012), however, the U.S. Court of Appeals for the Third Circuit reversed the rule. It said the choice of forum is an integral part of the agreement to arbitrate only if "the parties ... have unambiguously expressed their intent not to arbitrate their disputes in the event that the designated arbitral forum is unavailable." So what is an arbitration-contract drafter to do?

• The drafter should decide whether this is an "all or nothing" situation. Is the chosen arbitral forum the only acceptable forum? If so, the drafter should expressly say the forum is "exclusive." Did Bob consider this issue? No. Would a forum other than ABC Arbitration have worked for Bob? Probably. Did Bob's arbitration provision achieve his avowed goal? No.

• If another provider can substitute for the chosen arbitral provider, the drafter should make sure to avoid saying—expressly or impliedly—that the chosen provider is "exclusive." Did Bob say the chosen provider was "exclusive"? Yes: "The arbitration [must be] administered exclusively by ABC Arbitration Co." Did Bob really mean that? Nope. Did he consider the consequences of this language? Nope.

Could Bob have gotten his cake and eaten it too by ensuring that the parties go to and stay in arbitration even if the designated provider is not available? You bet. As Bob often tells anyone who will listen, "You first have to decide what you want to achieve in arbitration; you then use the language to get there." Bob failed on both fronts. He is not going "there."


The Competition & Markets Authority (CMA), which investigates business practices and enforces anti-competition and consumer protection legislation in the UK, just released a report and call for information that signals more scrutiny for online reviews and endorsements. Though the report does not identify companies or sites that will be the subject of investigation, it expresses a general concern that a number of businesses are breaking the law. The report does not point fingers, but it’s worth noting that the hospitality industry is mentioned several times as an area of particular interest, based in part on a survey conducted by the British Hospitality Association in March of this year. Consumer reliance on reviews for vacation travel, the relatively higher cost for hospitality related services, and the sensitivity of the hospitality related services to negative reviews were cited by the CMA as reasons why the industry is an area of particular concern.

UK regulations are, of course, aimed at protecting UK consumers, but U.S. companies are well advised to take heed of the report’s warnings and recommendations because, as the report notes, the CMA plans to assume the Presidency of the International Consumer Protection and Enforcement Network (ICPEN), of which the U.S. is an active member. And, the practices flagged by the CMA, as well as the steps businesses can take to address the CMA’s concerns, closely parallel those identified by the Federal Trade Commission (FTC).

So, whether your customers are here in the States or abroad, the following practices may result in an investigation by the CMA (or FTC):

  • Writing or commissioning fake negative or positive reviews. (Your marketing firm could also be on the hook for setting up fake Twitter or Facebook accounts to submit reviews).
  • Cherry-picking positive reviews or suppressing negative reviews. (Your website user agreement or comments policy may well allow you to edit or delete user content containing expletives or other inappropriate material, but if those expletives all happen to be in negative reviews of your product or service, you need to consider what disclosures may be necessary to ensure the reviews as a whole are a fair and accurate representation of the actual comments received).
  • Failing to disclose paid reviews or endorsements. (Whether it’s cash, a free dessert, or award points, you need to disclose compensation or incentives given to individuals submitting reviews or endorsements).

The best practices recommended by the CMA similarly echo the FTC’s guidelines:

  • Be clear with your marketing department or outside marketing firm that they may not write or solicit reviews. Documenting that parameter in a letter or agreement will provide a paper trail that could prove handy down the road.
  • If you do provide compensation or incentives for reviews or endorsements, be sure that that fact is clearly disclosed, e.g., by using a hash tag like “#paid ad.”
  • Promptly publish all reviews, even negative ones. If reviews have been edited or deleted (e.g., to remove expletives), clearly disclose your policy or basis for doing so.
  • Establish a procedure (whether in house or with your marketing firm) for detecting and removing fake reviews.

In conjunction with the report, the CMA published summaries on how to comply with UK consumer protection law on online reviews and endorsements.

Ultimately, the CMA and FTC share a common purpose: to protect consumers from unfair or deceptive business practices by protecting the consumer’s ability to make meaningful choices.  Disclosure of the connection between a review or endorsement and its source (i.e., an independent individual or a sponsoring company) is essential to meaningful consumer choice. So, in devising your marketing strategy, especially if it includes a forum for consumer reviews, ask whether you’ve given your customer the information necessary to make a meaningful decision about your product or service.  Doing so not only helps build brand loyalty, it could help avoid an investigation by the CMA (or FTC).


Twitter®, Instagram®, Facebook®, Pinterest® and other social media websites and apps are great ways to interact with friends, family and potential customers. They are great avenues for advertising and promotion of one’s business and brand. A brand owner can share their latest offerings, get people excited about new products, develop brand awareness, etc.—the possibilities are endless.

However, in using social media to promote one’s business, there are a number of pitfalls that one must avoid. Using social media in relation to a business is not the same as using it for personal, non-commercial use. While it may seem like everything online is fair game, it is not. Just because something is found online does not mean that it is ok to use. Trouble can and does arise rather quickly…

There are three primary legal considerations when using social media and they fall within the realm of intellectual property—copyrights, right of publicity and trademarks. Often times, it is difficult to distinguish whether you are using someone else’s intellectual property—one must be cautious not to do so when posting on social media. The issue with using someone else’s copyright, likeness or trademark in social media to promote one’s business is that one is profiting off of property that belongs to someone else, and that can and does create a significant amount of conflict. Profiting from another’s property is what separates the use of social media in business from just personal use.

Copyrights protect works of authorship that are original and fixed in a tangible form or medium. This includes photographs, pictures, drawings, designs, songs, poems and other works. Many times, brand owners see pictures of celebrities out in public wearing their clothes on various blogs and websites. Although this can be extremely exciting for the brand owner, it is unwise to share these photos on social media without clearing it first.

Often times, those pictures found online are copyrighted. The photographers obtain copyright registrations for those photos and retain attorneys to protect their intellectual property. Attorneys have been known to use reverse image search software to find where those photos were posted online. If the photos appear on a business’s social media account, they will often times send a cease and desist letter and request compensation of $7,000 – $14,000. If you refuse to submit to their demands you will most likely be threatened with a lawsuit against you, or worse, they will just go ahead and file a lawsuit against you. Sadly, while it does seem disingenuous, many times they have a colorable case since their client has a copyright registration and their client’s photo was used without authorization for commercial purposes.

How does one avoid these situations? Determine where the photo came from. Get a license for the photo. Look to see if the photo is in the public domain. Do not just repost the photo. This happens not only with celebrity photos, but also with photos that appear to be stock photos online. Unless there is a license that comes with a photo, you should not use what you find online. Feel free to post all the photos you take, but be cautious when it comes to posting photos from unknown sources.

In addition to a potential copyright claim over the use of a celebrity’s photo, there could be a right of publicity claim. Right of publicity is the right to use one’s name, likeness or identity for a commercial purpose. It applies when someone uses a celebrity’s name, likeness or voice and can range anywhere from a picture or silhouette to a well-known quote. Thus, if you post a picture of a celebrity wearing your goods, a quote from them or another item that would refer to them, it may create a false and misleading impression that they are endorsing your product. A famous person does not need to be alive for a claim to be made; their estate can still make the claim for them. The laws vary from state to state and the applicable law is determined by where the celebrity resides or died. In general, you should not use the image, name, likeness or even quotes from a celebrity to promote your products as it may cause a false impression that they have an affiliation with your company. If you would like to do that, contact them, speak with their agent and try to obtain a license or endorsement.

The last social media concern is trademarks. Trademarks protect brands and their identity. Trademarks can be a simple word, slogan, logo, design or even sound. Trademarks are used as source identifiers to help consumers identify where a particular product originates from.

Ideally, one does not wish to cause any confusion with another brand owner. Thus, in using social media, be aware of the potential trademarks of others. Do not use anyone’s brand name. There may be a funny slogan or brand name that you want to make a play on, but if there is a possibility consumers will immediately think of the other brand owner and be confused, then do not do it. It could cause the other brand owner to bring forth trademark infringement claims. It does not take much for someone to send a cease and desist letter.

In sum, while social media is a great marketing tool, exercise caution when using it. One must look to where they are obtaining their posts, pictures and inspiration from and one must review whether their post would cause any confusion with or false association with another. If there are any questions or potential confusion in one’s commercial use of social media, then it is best simply not to do it, but if you must, consult with an experienced attorney.

The U.S. Food and Drug Administration recently released two final rules for menu and vending machine labeling. “Nutrition Labeling of Standard Menu Items in Restaurants and Similar Retail Food Establishments” significantly expands FDA’s regulatory reach into restaurants and beyond. The rule stems from the Affordable Care Act and the compliance date is Dec. 1.

FaegreBD partner and leader of the firm’s food litigation and regulatory practice Sarah Brew, and associate Courtney Lawrence authored an article for Food & Drink explaining the new rules and what will be required to be in compliance.




Sarah L. Brew: Sarah Brew leads the firm's food litigation and regulatory practice, which is nationally ranked by Chambers USA, and is a leader of the firm's food and agriculture industry group. Sarah has a national reputation for effectively defending food industry clients against labeling and class action consumer fraud claims and representing food processors, distributors and retailers in foodborne illness and contamination cases and supply chain disputes.

Courtney A. Lawrence: Courtney Lawrence is a member of the nationally ranked food litigation and regulatory practice and the national food and agriculture industry team. Her diverse practice encompasses litigation, regulatory and transactional matters for food and agribusiness clients.

By the time a case reaches an attorney’s desk, all too often pertinent evidence either has been lost — or was never collected in the first place. California’s statute of limitations for a personal lawsuit is two years; consequently, an attorney’s first involvement in an incident on your property usually happens more than two years after the incident has occurred. If your hotel or resort has not properly gathered and preserved evidence, it becomes very challenging to recreate what transpired. Hence, it is imperative that your hotel have formal written evidence retention policies; that first responders and security teams are properly trained on how to gather the evidence; and that hotel staff take steps to ensure that this evidence is preserved. Failing to collect and preserve evidence can turn a defensible case into a major settlement.

Spoliation of Evidence

Incident investigators and the people your hotel has tasked with preserving evidence need to be aware of the severity of failing to do their job well from a legal perspective. The legal phrase ‘Spoliation of Evidence’ relates to the destruction of, or failure to preserve, key evidence. In certain circumstances, if a judge decides that your hotel has improperly destroyed or failed to preserve key evidence, the judge can instruct a jury that they must find a negative inference against the hotel. In other words, the judge will tell the jury that they are to assume that the hotel did not preserve the evidence because it was harmful to the hotel’s case.

An Effective Document Retention Policy

In the event of a lawsuit, an effective document retention policy will be helpful in anticipating the kinds of documents needed, and specify optimum hotel staff training to ensure the proper elements are saved and preserved. The policy should articulate an easy and secure method of storage including backup, with spot-check documenters in place to ensure the policy is followed correctly. Unfortunately, many hotels have policies but don’t use them, and this can look worse during litigation than if no policy existed at all. Plaintiffs’ attorneys are particularly fond of this practice, routinely remarking to judges and juries, “Clearly, they don’t even follow their own policies...”

Typically, incident-related evidence includes documents, photos, videos and objects. Documents consist of witness statements, incident reports, MOD logs, guest folios and activity waivers. It is also imperative to gather food and beverage receipts, as well as mini-bar inventories, which are often critical considering how many incidents on hotel properties can be linked to alcohol consumption.

Gathering and Preserving Photos and Videos

Frequently, even before first responders arrive, bystanders and witnesses will be the first to use their phones to take photographs and film video footage of an incident. Be proactive and ask them to share the most pertinent material — they will usually be helpful and forthcoming. Once first responders (and later investigators) arrive, photographs and videos should be shot from both a micro and macro perspective, to show the incident area both close up and in context with its surroundings. Investigators should take a uniform approach here; conditions change so it is important to mitigate the variability from one incident to the next. Everything — even aspects that will hurt your case — should be photographed or shot on video. Should litigation arise, your insurance carrier and attorney need to see the good with the bad so they are never surprised by evidence presented by the opposition.

Videos can make or break a case. For example, in one case, video footage clearly showed that the plaintiff initiated the fist fight that was at the heart of his lawsuit. The video would have absolved the hotel from all liability, but the hotel failed to properly preserve this key piece of evidence. As a result, the case had to be settled instead of vigorously defended. Further, as digital surveillance systems continue to become the industry standard, judges have been less forgiving when it comes to claims that the pertinent footage was either lost or never preserved. If an incident warrants an incident report, then it is imperative that investigators check to see if the incident was captured on surveillance. If it was, then it should be preserved. Equally important, if it was not captured on video, then the contemporaneous effort to locate relevant footage and negative result needs to be documented. The video retention policy should provide specific direction to personnel, such as “within 24-48 hours, search screenshots and CCTV for video, and make sure that it’s preserved on a secure medium for future use.”

Save and Store Objects

Perhaps to a greater extent than any other kind of evidence, objects are frequently discarded. Nine out of ten times that someone falls through a lounge chair by the pool, the chair will be tossed in the trash—an often critical mistake. There needs to be a section of your evidence collection and retention policy that addresses object preservation. For example, in the lounge chair circumstance, there may be potential product defect issues and liability could be shifted to the manufacturer. However, this can be nearly impossible if the item is not saved and preserved.

While it’s easy to implement systems for the storage of digital files, many hotels will find it difficult to store physical objects for two to five years. Evidence storage facilities were created to meet this need, storing everything from automobiles to tractors and furniture. As a general rule, insurance companies have a line on these local facilities, and will usually offer to offset the cost of the storage because preserving the items could be instrumental in securing their defense.


It can take years for an incident to turn into a lawsuit. Hotels and their first responders need to approach incident response and investigation with a long term perspective when it comes to gathering and preserving incident-related evidence. Devising a comprehensive evidence gathering and preservation policy, training responders and staff, and using intermittent spot-checks can go a long way in shielding your hotel or resort from liability. Take a thorough approach, and do not take anything for granted; if something seems like it could be useful, it probably is and should be saved and preserved. Further, discussing your practices, questions and concerns with your insurance carrier and experienced legal counsel is also a highly recommended best practice.

Most IT leaders plan for cyberattacks by constructing firewalls and installing security hardware and software. Even so, with the widespread proliferation of malware, companies are finding that their IT infrastructure has been attacked, customer data has been compromised, the IT system is being held for ransom, and assets are missing.

Almost every day there are reports of cyberintrusions, attacks and related security breaches. If your company does not have the right insurance, it could be even more of a disaster. For example, according to regulatory filings, at the time of Target’s cyberbreach in 2014, it had about US$100 million in insurance coverage with a $10 million deductible, but that did not even make a dent in the estimated losses of $1 billion.

What company can afford not to have insurance for a potential cyberdisaster? Let’s look at some protective measures that can be taken to safeguard your business.

As a practical matter, you or your chief risk officer should examine your current insurance policies to see if you have insurance protection for these cyberrisks:

  • Network and information security liability
  • Communications and media liability
  • Crisis management event expenses
  • Security breach remediation and notification expenses
  • Computer program and electronic data restoration expenses
  • Computer fraud
  • Funds transfer fraud
  • E-Commerce extortion

Of course, each business has its own insurance needs, so you will need to make your own decisions about the right coverage. For instance, if your company is in the healthcare industry, specific coverage for HIPAA data should be included.

Inspect Your Policies

Some insurance companies offer cyberprotection as an add-on policy to general commercial liability, while other insurance companies include cyberprotection in policies for cybercrime.

It would be wise to take a look at what coverage your company has, what is available, and make sure you do have cyberinsurance coverage.

Whether cyberinsurance is deemed a part of certain GCL policies is the subject of a declaratory judgment complaint brought by Travelers Indemnity Company in the U.S. District Court in Connecticut in October 2014. The Complaint alleged that P.F. Chang’s restaurant chain did not have cybercoverage with Travelers. Because there was no cybercoverage, Travelers claimed “that it is not obligated to defend or indemnify P.F. Chang’s...under GCL insurance policies issued by Travelers.”

It appears that Travelers filed the claim for two reasons. First, P.F. Chang’s had filed a claim for insurance coverage under its Travelers GCL policy for a cyberbreach involving seven million customers’ credit and debit cards. Second, class action cases were brought by P.F. Chang’s customers in several states, accusing P.F. Chang’s of failure to prevent the breach, and breach of implied contract.

Interestingly, the breach itself began on Sept. 18, 2013. However, P.F. Chang’s was unaware of the breach until nine months later, on June 10, 2014.

It will be interesting to follow this case to see how the Court views the CGL coverage.

Examples of Cyberinsurance Coverage

AIG, one of the largest insurance companies in the world, offers CyberEdge, which provides coverage for security or data breach losses as follows:

  • Direct first-party costs resulting from a breach
  • Lost income and operating expense resulting from a security or data breach
  • Threats to disclose data or attack a system to extort money
  • Online defamation

Travelers, another large insurance company, offers CyberFirst, which includes a number of related insurance coverage provisions:

  • Technology errors and omissions liability
  • Network and information security liability
  • Communications and media liability
  • Employed legal professional liability
  • Expense reimbursement

How to Assess a Cyberincident

Most IT leaders plan for cyberattacks by constructing firewalls and installing related security hardware and software. However, with the widespread proliferation of malware, companies are finding that their IT infrastructure has been attacked, customer data has been compromised, the IT system is being held for ransom and assets are missing. This obviously puts a burden on the IT leadership — CIOs, CISOs and CTOs — to do an immediate assessment of what transpired:

  • Identify malware within their networks
  • Review logs to see when and where the cyberintruders came in
  • Determine what if any data was remotely accessed
  • Determine what if any data was sent off the network
  • Determine whether backup files can be used to reconstruct encrypted data

Following the assessment, companies may need to report to customers, as well as to their own employees, under a variety of laws in 47 states. Plus, in addition to everything else that violated companies must do, if credit card or banking information has been compromised, they may have a legal duty to provide credit protection services for up to one year. This happens more often than people want to know.

Report the Cyberincident — It May Be a Crime

Of course, it is important that the U.S. government learns about all cyberincidents so they can investigate in order to find the bad guys. The incidents should be reported to the Internet Crime Complaint Center (IC3), which is a partnership between the FBI and the National White Collar Crime Center. The IC3 defines Internet crime:

...as any illegal activity involving one or more components of the Internet, such as websites, chat rooms, and/or email. Internet crime involves the use of the Internet to communicate false or fraudulent representations to consumers. These crimes may include, but are not limited to, advance-fee schemes, non-delivery of goods or services, computer hacking, or employment/business opportunity schemes.

If your company has a cyberintrusion, consult your lawyer first to be sure you take the appropriate steps, including making a timely cyberinsurance claim.

While companies around the world are experiencing numerous benefits from online transactions and interactions, the accompanying risks remain less visible. Cyber threats continue to evolve and rapidly expand, in terms of sophistication, complexity and the scale of their consequences. Lone hackers have been replaced by well-funded and organized cyber-crime networks, state-backed groups, terrorist organizations, and even competitors seeking commercially valuable intelligence and intellectual property. As a result, companies must take new approaches to protection.

Verizon 2014 Data Breach Investigations Report


Traditional approaches to cybersecurity that focus on compliance and technology are not providing companies with the resilience that is required to seize new opportunities in the digital and hyper-connected world. Having originally developed as an offshoot of information technology security, cybersecurity is struggling to escape its origins and reshape itself in an effective form — in a world where company perimeters have become fluid, porous, and insecure.

Emerging Trends and Associated Risks 

  1. Expansion of the corporate perimeter – As available bandwidth and connectivity continue to increase, we are seeing an explosion in the volume of interconnected devices and advanced applications that employees, suppliers and customers are using to stay connected. The expansion of the traditional secure perimeter is bringing new challenges to protecting company data that resides on users’ personal mobile devices, laptops, tablets, and even smart watches. New legal hurdles are emerging as to what a corporation can or cannot do to secure its fluid perimeters and corporate data.
  2. Sweeping industrial espionage – 3D printing technology is becoming economical and more accessible to large numbers of users, creating the possibility for thieves to readily recreate complex objects based on stolen industrial designs. These technologies will likely trigger a significant increase in the theft of intellectual property, which in turn will drive a new black market for counterfeit products.
  3. Massive data aggregation – Companies will continue to migrate to cloud-based applications and vendors for managing employee and customer information. The aggregation of this data in “the Cloud” will provide criminals with tempting targets for theft of aggregated information and will trigger massive jumps in financial and reputational liabilities. Traditional defenses will be rendered inadequate.
  4. Cyber terrorism and death – Our lives will become more dependent on complex technologies such as driverless vehicles, personalized genetic-level medical treatment, and advanced communication technologies. There will be unimaginable benefits with these advances, and governments will need to rethink how to license and regulate them. Sadly, many of the new technologies will also attract the attention of cybercriminals or terrorists, which could result in widespread havoc.
  5. Increased regulation and legislation – The combination of increased attacks and breaches will drive stricter regulation in cybersecurity, with privacy a key focus. However, in many countries regulation will be a knee-jerk reaction to attacks, which will result in poorly designed directives that make it extremely difficult for multinational companies to comply with the standards and regulations across all jurisdictions.
  6. Digital forensics and law enforcement – New, powerful technologies that will be adopted by consumers and businesses will offer the same advantages to criminals, potentially hampering investigations and rendering many traditional law enforcement techniques obsolete. Already, encryption — a powerful tool that is necessary to protect company data — has become an essential part of the modern criminal’s toolbox. 

Balancing Cyber Risks with Business Opportunities

There are important implications for all businesses:

  • Every organization will encounter a crisis and needs to be prepared.
  • Attacks will cause massive leaps in financial and reputational liabilities, and render traditional defenses mostly inadequate.
  • All corporate leaders must own the company’s cyber risks and need to be cyber savvy.

Cybersecurity is an enterprise risk. But risk isn't bad — it is part of seizing opportunity. Cybersecurity is a strategic issue that has to be understood and led by boards and executive management. To manage and pilot the organization effectively, tomorrow’s leaders must be equipped to own technology risks and business risks — rather than handing off the cybersecurity “problem” to the chief information officer. Boards will need to be actively engaged and need to recognize how strategic plans may be exposing the business to new cyber threats.

The Chief Information Security Officers in this new age will be digital natives, born and raised in a hyper-connected world, and comfortable with the rapid pace of change. These essential skills will help them to deal with cybersecurity challenges that will have only increased in the years between now and then.

At the root, the thinking and approach around cybersecurity needs to shift from the traditional, narrow terrain of “Are we protected?” to the new and broader landscape of “Have we detected and are we aware of our security threats, and have we planned accordingly?” Once the company has a sound understanding of all of the cyber risks that it faces, then — and only then — it can develop the right cyber strategy that will generate demonstrable and measurable business benefits.

How Can Companies Prepare Today for the Uncertainties of the Future?

Four key questions:

  1. How will your company’s business model evolve in the future, and what cybersecurity opportunities / risks will it present?
  2. How will you identify and measure cybersecurity-related risks and evaluate them together with other business risks?
  3. What is your level of preparation with regard to resilience, and what needs to happen when incidents occur?
  4. How will you ensure compliance with cybersecurity regulations and standards, while not losing sight of other important cybersecurity issues?


A core principle of a modern and effective cyber strategy — and one that many organizations will struggle to accept — is the inevitability that attackers will get through company defenses and that breaches will occur, in ways that may elude existing indicators and warning bells.

Thus, defending against future cyber risks demands a focus on much more than technology. Truly protecting organizations against cyber threats requires deep business and operational understanding, and a pervasive risk-aware culture across and between organizations.

So why does cybersecurity need to be transformed? Put simply, as businesses have evolved, the threats to businesses have also evolved. However, cybersecurity has not kept pace with the risks, and the gap is widening.


William Beer, Managing Director: He brings more than 25 years of diverse international consulting experience advising on and managing cyber and information risk and fraud for large global clients.
Art Ehuan, Managing Director: His expertise focuses on information / data protection, privacy, risk management, advisory services and governance, and Computer Emergency Response Team (CERT).

Many municipalities have enacted ordinances that authorize local police agencies to enter a hotel during regular business hours and request an inspection of the guest register to obtain information as to who is in the hotel, when they checked in and their anticipated check out time, how long the guest has stayed in the hotel, manner of payment and private information given by the guest to the desk clerk regarding their home address, car license plate and drivers license information. The municipalities argue that such ordinances and warrantless searches are necessary to help stop prostitution and drugs or to ensure compliance with the length of time requirements for motel guests. Many hotel operators have allowed the police agencies to inspect the guest registers without objection as they did not want to be subject to arrest or citation for not complying with the police requests.

However, some managers have objected and have been convicted of failure to comply with the inspection request. They argue that the police need a warrant to search the hotel registers and further, that the ordinances are not specifically limited to time, scope and duration of the inspection allowed or an opportunity to seek judicial review of the ordinance before being subjected to arrest and conviction for refusing to comply with the police agency's request.

These issues were presented En Banc (all of the judges) to the Ninth Circuit Court of Appeals in Patel v. City of Los Angeles, Supra and the Court of Appeals ruled in favor of the motel owners who had been convicted of refusing to comply with the police request for an inspection. The Court of Appeals found the local ordinance unconstitutional as a warrantless search that did not give the motel owner an opportunity to seek judicial review of the ordinance before they were convicted. Recently the United States Supreme Court has accepted a Writ of Certiorari (agreed to review) of the Ninth Circuit ruling by the City of Los Angeles.

It has long been established that the legally registered hotel guest enjoys a right to privacy under the Fourth Amendment of the United States Constitution, including what they do, their bags and contents therein in their guest rooms from unwarranted searches and seizures by police. Further, historically the right to privacy under the Fourth Amendment precludes unwarranted searches and seizures of credit card charges and records from the telephone calls made from a hotel room.

In analyzing the searches and seizures from hotel rooms, the court recognized that while a guest is legally registered in a room, the hotel room is a temporary residence and thus, just like their primary residence, the guest is entitled to the same protections under the Fourth Amendment to their guest rooms in a hotel as they would for their primary residence. If the rental period ended, then the innkeeper could consent to a search of a guest room and if evidence against the former guest is found within the plain view of the officers, the evidence may be admissible.

Accordingly, as long as the guest is properly registered into the hotel the innkeeper must request a warrant from any police agency for private guest information. If they do not request and obtain a warrant for the private information of the guest, and the innkeeper produces such information to a police agency, they may be subject to a lawsuit for violating the Right to Privacy of the guest.

The LA City Municipal Ordinance, in part, stated:

“The record shall be kept on the hotel premises in the guest reception or guest check-in area or in an office adjacent to that area. The record shall be maintained at that location on the hotel premises for a period of 90 days from and after the date of the last entry in the record and shall be made available to any officer of the Los Angeles Police Department for inspection. Whenever possible, the inspection shall be conducted at a time and in a manner that minimizes any interferences with the operation of the business.”

In the Patel case, the motel owner refused to allow for the inspection of the guest registers arguing that such a search violated the Fourth Amendment of the United States Constitution. The motel owner was convicted of violating the Municipal ordinance and fined. He was not allowed to challenge the constitutionality of the ordinance before being arrested and tried for violating the section. The hotel owner appealed the conviction and the Ninth Circuit in an En Banc opinion reversed the trial court conviction. The City sought a Writ of Certiorari to the United States Supreme Court which was granted.

The Ninth Circuit reviewed the need for a search warrant for administrative inspections of business premises and records. The court first confirmed that the non-consensual search of the guest register by the police did violate the Fourth Amendment. There was no question but that the guest registers were the business records of the innkeeper and thus the innkeeper had an expectation of a right of privacy from their search and seizure. The court also opined that as the guest voluntarily provided their information to the innkeeper, the guest no longer had an expectation of privacy to the records that were now in the possession of the innkeeper.

The Court of Appeals was also concerned that the ordinance did not give an innkeeper an opportunity to seek judicial review of the ordinance and the penalties for violating the ordinance and thus left the innkeeper to the “unbridled discretion” of the police. Accordingly, the Court of Appeals found the local ordinance invalid and thus an unconstitutional search and seizure in violation of the Fourth Amendment.

A similar ruling was handed down in the City of Strongsville v Patel, Supra. In the City of Strongsville case, the local ordinance also allowed for local police inspection of the guest register for among other reasons to determine the length of time the guest had stayed in the hotel for compliance with the length of time provision of the ordinance. The Strongsville court ruled that the administrative search was unconstitutional as it did not sufficiently limit the time, place and scope of the inspection as required by the US Supreme Court in its decision of United States v Burger. The Strongsville court reasoned that as the ordinance requires the registers to “always be open for inspection”, the ordinance was overbroad and thus did not satisfy the Burger test for constitutionality.

Although the US Supreme Court will rule on whether or not the Los Angeles Municipal Ordinance is or is not an unwarranted search and seizure under the Fourth Amendment, innkeepers must still be careful in not complying with lawful requests for the inspection of guest information. The innkeeper should still request a warrant or subpoena before voluntarily producing guest information or access to a guest room while the guest is still registered into the room. But, for administrative inspections of the guest registers pursuant to a local ordinance, the innkeeper needs to seek local counsel interpretation of the local ordinance as to whether or not it meets the valid constitutional requirements as outlined in Burger and Patel. Currently, the Patel decision only applies to the specific local Los Angeles Ordinance and as there are many local ordinances of a similar nature, the innkeeper must confirm if the ordinance in their community is constitutional.

As the hospitality industry is highly regulated for health and safety reasons among others, a court may find that it is subject to administrative inspections as long as the ordinance is limited in scope and time requirements.

 Imagine that your hotel has hired a sales staff to develop conference or resort business. You have paid that sales staff to develop relationships with companies, travel agents and other key people. After years of work and expensive networking, 30 percent of your revenue is now tied to those relationships. Those contacts and relationships are all in a database on your computer. Things are going so well that you hire another sales representative. Six months later he leaves and goes to a competitor. Then you discover he took that database to the new job. Within six months, your revenue from conference or resort business falls by 20 percent. Those customers are now going to your competitor. That is not fair and it is upsetting. What could you have done to stop that from happening? What can you do now?

Now imagine that your hotel brand has developed a new concept. For the last two years you have designed this new concept, code named “Atlantis,” and even test marketed it. After numerous refinements you are the first in the industry to launch this concept. You are years ahead of the competition and the concept is as successful in reality as your test marketing predicted. Suddenly, another competitor announces a similar concept. Coincidentally, one of your executives who was involved with the new concept retired from your company a few months ago. Suspicious, you look into it and find that she downloaded thousands of documents before leaving, including all the information on Atlantis. Outraged, you call your former executive, who denies all wrongdoing, and even claims that the concept is nothing really new, and in any event she has no non-disclosure agreement. What now?

The first scenario is repeated over and over in different industries all over the country. What can companies do to prevent it? Obviously you cannot prevent your salesmen from having the information needed to do their job, but you need to keep them from taking it with them. There is technology available to help protect the information, but that can only go so far. Fortunately, the law provides some protections. The best protection is to have each employee enter into a non-compete, non-solicitation or non-disclosure agreement. The allowable scope and duration of these agreements varies from state to state, but the key is to have something in place before the employee leaves. The Uniform Trade Secrets Act is also useful here. If you can prove that the information is a trade secret, then a Court can issue a temporary restraining order to protect your company and the trade secrets and/or award damages. However, as with the contractual protection, you need to take action in advance to make sure the court will later regard your information as a trade secret.

The second scenario is less common but more damaging. But if you doubt that it happens or that it happens in the hospitality industry, recall the case of Starwood's "W" hotel. In 1998 it was introduced as a new concept and others wanted to copy it. Another hotel brand hired former executives from Starwood, who allegedly brought confidential information from Starwood and began a similar concept for their new employer. Starwood took court action to protect its brand based on a non-compete agreement and trade secret laws. The end result was that the other brand was prohibited from developing anything similar for two years after the conclusion of the multi-year litigation.

 There are two lessons here. One: Protect your hotel by getting the proper contracts in place in advance of any defections (this gives you the protection you need down the road). Two: When you interview new-hires, ask if they are subject to one of these agreements. If they are, get the agreement and read it. This will help you avoid suits by your employees’ former employers.
