Data Privacy and Security Challenges During Re-Opening

The COVID-19 crisis and stay-at-home orders drastically changed corporate cybersecurity landscapes within an extremely compressed period of time. Almost every industry, including hospitality, rushed to introduce or increase the use of remote technology tools for work-related communication, including:

  • Video Conferencing
  • File Sharing
  • Virtual Desktops
  • Group Chat
  • VPN
  • Web-Based Applications and Tools

Cyber criminals wasted little time exploiting these rapidly introduced changes, which produced cyber vulnerabilities from hasty or non-existent policies, training, risk assessments, and systems testing. Remote access controls, including safe login credentials and multi-factor authentication, have not been universally adopted by businesses, and fraudsters have successfully lied or hacked their way into home computers, stealing credentials and accessing sensitive work systems. Clever fraudsters have also capitalized on chaos and fears surrounding the virus outbreak, creating false narratives to entice individuals into clicking on links or attachments promising information on disease transmission, treatments and testing. PPP program fraud, stimulus program fraud and widespread unemployment compensation scams emerged. As a result, news sources have reported an increase in cybercrime ranging from social engineering and credential theft to ransomware to business e-mail compromise.

Returning employees to work will cause more confusion, at least in the short term. By and large, returning to work will be done gradually or in phases. That will mean reactivating on-site networks and systems while maintaining remote access protocols, resulting in more chaos and more opportunities for cyber mischief. Credentials stolen and stockpiled during the lockdown period, and malware hidden in systems during that time, can be expected to be activated and used by cyber thieves over the coming months.

On the privacy side, coinciding with efforts to reopen the economy is the July 1, 2020 enforcement kickoff for the California Consumer Privacy Act (CCPA). The California Attorney General will begin investigating and pursuing businesses covered by the CCPA for noncompliance. The CCPA is a sweeping privacy law loosely modeled after Europe’s GDPR, with some major differences. The CCPA gives Californians rights over their personal data collected by businesses, including the right to demand deletion and the right to demand that the business not sell the individual’s personal information. To the extent hospitality companies are doing business in California and meet certain other criteria, they must quickly prepare the appropriate privacy statements and employee disclosures, and ready processes to respond to consumer information requests in a timely and fully compliant fashion.

Many hotels across the country have announced plans to perform temperature scans on individuals entering the premises. Operators and owners need to be aware that thermal data constitutes protected biometric information under the CCPA. If the hotel is covered by CCPA and the individual is a California resident, the hotel cannot collect temperature readings without first making required disclosures. Even outside the context of CCPA, hotels must be careful about collecting and sharing healthcare information about guests, so as not to run afoul of other laws restricting those activities.

This article is part of our Conference Materials Library and has a PowerPoint counterpart that can be accessed in the Resource Library.

Sandy Garfinkel

Sandy Garfinkel is a business litigator who serves as the chair of the firm’s Data Security & Privacy Group. As a nationally regarded authority on data security and privacy matters, Sandy is regularly published and speaks at numerous industry conferences on preparing for and responding to data breaches. In addition to his data breach response practice, Sandy works closely with the firm’s business clients concerning all aspects of General Data Protection Regulation (GDPR) compliance and enforcement. He works with clients on data security and privacy matters across a variety of industries and sectors, including hospitality, consumer products, insurance, education, health care, manufacturing, and telecommunications. Businesses struggle to stay ahead of the increasing threats to sensitive data and the emerging regulatory requirements, which is why Sandy counsels his clients on laws relating to the collection, use, and protection of personal information as well as mitigating risks and reducing exposure to investigations and litigation arising from the loss, theft, or exposure of personal data. He guides clients through all stages of breach matters, including advance planning and preparation, response and notification, government investigations and regulatory response, and, when necessary, litigation. Sandy also maintains a busy and diverse business litigation practice with a particular emphasis in the hospitality industry. He has deep trial and appellate experience and enjoys a long, consistent track record of producing cost-effective, positive results for his litigation clients.
