Hotel CEOs, CTOs Could Be Held Personally Responsible for Cybersecurity Breaches After Drizly Precedent

A Federal Trade Commission (“FTC” or the “agency”) investigation alleging a CEO is personally responsible for a data breach highlights the continuing importance of cybersecurity issues in travel and hospitality.  The settlement imposes liability and compliance obligations on the CEO on a go forward basis even if he is not employed by the same company where the prior violations occurred.

In the last decade, cybersecurity-related liability and risks have gained particular attention with prominent data incidents at Starwood, which was acquired by Marriott, Sabre, and Wyndham Hotels resulting in various lawsuits and settlements including with the agency. Now, the FTC has gone after Drizly, an online alcohol marketplace, in an aggressive turn that should have executives paying attention. The agency has alleged that the company’s CEO was responsible for a 2020 data breach affecting 2.5 million consumers because “he did not implement, or properly delegate the responsibility to implement, reasonable information security practices.”  Given the importance and volume of guest data maintained by the hospitality industry, senior executives and organizations may want to take note of this emerging data security enforcement trend.

“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “CEOs who take shortcuts on security should take note.”

Given the complex ownership and control structures involved in the hospitality industry, it may be difficult to predict who would ultimately be held personally liable if the FTC were to issue another similar order against, for example, a hotel or restaurant franchise. Although the FTC may change course moving forward, the 2015 FTC settlement involving Wyndham Hotels and Resorts potentially provides a glimpse into issues and disputes likely to arise again for hospitality organizations under investigation and how the agency may seek to handle future executive liability.

In 2015, after extensive litigation, the FTC reached a settlement with Wyndham Hotels and Resorts related to three separate data breaches occurring between May 2008 and January 2010 involving consumer personal and payment card data. The case affirmed the FTC’s ability to use Section 5 of the FTC Act to challenge unreasonable data security practices. But also, and perhaps most critical for the hospitality industry, the settlement specifically excluded an obligation upon Wyndham to oversee and assume responsibility for its franchisee data breaches and unreasonable security practices.  The byproduct of this outcome was that legal risk allocations and responsibilities in existing franchise agreements were undisturbed—something closely watched by many in the industry.

While legal observers often look to FTC settlements to guide clients on legal requirements and enforcement trends, the Drizly prosecution might be read to suggest a willingness to revisit direct, contributory and vicarious liability by the agency including holding franchisor hospitality executives individually responsible for security failures. Cybercrime has significantly increased over the past decade, and with it a renewed effort from regulators and lawmakers to hold organizations and executives accountable for lax cybersecurity controls, in particular the FTC.  The Biden administration recently stated in announcing its National Cybersecurity Strategy on March 1, 2023, that because “[s]oftware makers are able to leverage their market position to fully disclaim liability by contract,” the incentive to use “secure-by-design principles or perform pre-release testing” is reduced. As such, the U.S. must “begin to shift liability onto those entities that fail to take reasonable precautions to secure their software.”  While such requirements might provide some help to hospitality companies purchasing software, the underlying rationale might be used to support regulatory and enforcement efforts to broaden or expand supply chain liability among and between owners, operators and brands.

A recent Delaware decision also suggests heightened risk for failures of individual oversight of regulatory and other risks.  Not only have these courts increasingly scrutinized mission critical regulatory risk governance but, in January 2023, for the first time, the Delaware Court of Chancery held that corporate officers owe the same fiduciary duty of oversight owed by directors under Delaware law.

Under current FTC leadership, it seems likely that the agency will continue to seek personal liability for executives over alleged security failures.  With this in mind, hotel and restaurant franchisors may be wise to consider evaluating and revisiting cybersecurity responsibility and liability oversight. Additionally, franchisor executives – in particular CTOs, CIOs, and CISOs – may improve their organizations’ risk posture by developing baseline comprehensive cybersecurity strategies and programs for franchisees.  Franchisors may also benefit from providing franchisees with additional resources and support directed at cybersecurity strategy, program development and management.  In the healthcare industry, which also faces increased risk in this area, such programs are growing as part of supply chain and relationship management.  And, increasingly, regulators have grown dissatisfied with pure contractual allocations of responsibility as the Biden administration’s beefed up cybersecurity strategy makes clear.

Data minimization and hygiene may be one tool that could prove useful to many hospitality companies.  Minimizing data collection is an emerging consideration (and enforcement risk) for any company subject to the FTC’s jurisdiction, as evidence by the Drizly order which requires Drizly to destroy any personal data collected that is not necessary for it to provide products or services to consumers. While this may be an unwelcome suggestion to hospitality marketers, a business has less to safeguard if it promptly disposes of unnecessary data, especially sensitive data.  Additionally, the FTC’s recent proposed rulemaking on commercial surveillance and data security seems to foreshadow the agency’s intention to take an active role in encouraging data minimization and usage by businesses. This proposal suggests that the risk of being accused of and investigated for failing to abide by data minimization principles is expanding under present agency leadership.

Although the Wyndham settlement might have given some comfort to franchisors, in the wake of the recent Drizly settlement and other developments it seems efforts to hold individual executives personally liable are growing.  The Drizly case, along with these developments, suggests that a tenet of emerging policy is to focus on those in the best position to improve and enhance cybersecurity and to make them directly accountable to seek to address harm to consumers that is may otherwise be avoidable. 

ABOUT THE AUTHORS

Gerry Stegmaier is a partner with Reed Smith’s Tech & Data Group in D.C and a Certified Information Privacy Professional (CIPP/US). An experienced litigator, he advises boards and companies in a variety of industries on cybersecurity and incident response, as well as data protection, intellectual property, and emerging technologies.

Eric Manski is an associate with Reed Smith’s Tech & Data Group in Washington D.C. with experience in a wide range of cybersecurity-related issues, including navigating compliance requirements and responding to and investigating security incidents.