Sandy Garfinkel discusses the protection of business travelers’ personal data and breach response (Business Travelers News)
February 24, 2016
Sandy Garfinkel, chair of the Data Security & Privacy Group, recently spoke with the Business Travelers News about the legal responsibility of hotels in protecting business travelers’ personal data and what to do in the event of a breach. In the article “Hotel Data Breaches: Can You Protect Business Travelers?” Garfinkel explains the regulation of data-security conduct can come from many places in the hotel industry – including through the Payment Card Industry Data Security Standard and through contracts.
After a breach occurs, things can get even more complicated. The United States doesn’t have a comprehensive federal data-security law. Instead, that power is handed over to the states. “Right now, there are 47 different states with 47 different data-breach response laws, which have a lot of consistencies but some of which are wildly inconsistent,” Garfinkel said.
These state laws vary in how customers should be notified of a breach, how soon they need to be notified and whether a hotel should have a written information security plan prior to any breach. Complicating matters further, when a breach does occur, a hotel is not beholden to the laws of the state in which it’s headquartered or even to the laws of the state in which breaches occurred. Instead, hotels must follow the notification laws of the state in which each individual guest resides. “If a hotel has a data breach and people from 25 different states have stayed at the hotel during the time of the breach and are affected by the breach,” Garfinkel said, “the hotel, by statute, must comply with all 25 of those state’s laws when it comes to responding to the breach.”
The full article is available on the Business Travelers News website. (Access to content on third-party websites may require subscription.)