This past year saw a number of developments domestically and internationally in the area of privacy and cybersecurity, many of which have had – and will continue to have – a significant impact on the hospitality industry.  From the European Court of Justice’s historic ruling in the Schrems case to the EMV liability shift, the following are four of the most significant legal developments in privacy and cybersecurity law from 2015:

Maximillian Schrems v. Data Protection Commissioner
On October 6, 2015, in a widely reported decision, the European Court of Justice found the U.S. Safe Harbor framework to be invalid.  Safe Harbor had been an agreement established by the United States and the European Union to facilitate the transfer of personal data by U.S. companies between Europe and the United States.  Under Safe Harbor principles, companies could self-certify to having complied with certain data protection principles. More than 4,500 U.S. companies were registered under the Safe Harbor agreement prior to the Court’s decision striking it down. The decision itself raised more questions than it answered, leaving companies that had relied on Safe Harbor to wonder how quickly authorities might seek to enforce compliance with the decision, and how long they might have to seek out alternative methods to comply with European laws relating to the transfer of personal data.  Since the original decision, the European Union Commission issued further guidance, addressing alternative methods for the transmission of data between Europe and the United States that were not invalidated by the Schrems decision.  This decision has had a significant impact on the hospitality industry, and in particular on hotels that operate internationally.  The decision has implications for the transfer of data relating to both employees and guests.  Further guidance is still forthcoming, but in the meantime, hotels must rely on alternative methods for satisfying European data protection laws when they transmit data between Europe and the United States. 

FTC v. Wyndham Worldwide Corporation
The FTC brought this lawsuit against Wyndham after hackers accessed Wyndham’s computer systems and stole personal and financial information relating to hundreds of thousands of customers.  The lawsuit alleged that Wyndham had failed to adequately safeguard its computer network, leading to the breach. Wyndham argued that the FTC’s statutory authority did not extend to the regulation of cybersecurity and that Wyndham did not have fair notice of what cybersecurity practices could subject it to enforcement action by the FTC.  The Third Circuit Court of Appeals rejected Wyndham’s arguments, upholding the FTC’s data protection authority.  The Wyndham decision is significant to the hospitality industry both because it establishes the FTC’s right to take enforcement action against companies like Wyndham for data protection failures, and because the FTC’s claims against Wyndham included a specific list of alleged security failures that businesses can study to better identify some of the standards by which the FTC may judge the adequacy of their data security measures. 

EMV Liability Shift
The long-awaited liability shift for counterfeit credit card fraud between card issuers and merchants occurred in October of 2015.  The liability shift, which was industry-adopted and not dictated by any regulatory entity or legislative mandate, resulted in merchants assuming liability for card-related fraud if they did not replace or upgrade their card acceptance and processing systems to use chip-enabled devices to process payment transactions.  This EMV (EuroPay, Mastercard and Visa) smartcard technology, already in use in many other countries, has the potential to significantly reduce the risk of a breach of customer and guest payment card information, providing an added measure of security to hospitality industry businesses that support it, while also limiting their liability in the event of a breach. 

Class Action Lawsuits
In October 2015, Trump International Hotels Management became the latest victim of the plaintiff’s class action bar, facing a lawsuit stemming from a data breach that occurred between May 2014 and June 2015 in which hackers placed malicious software on payment card systems.  The complaint in Driscoll v. Trump International Hotels Management LLC essentially claims that the Trump organization failed to adhere to industry standard data security practices, resulting in the breach.  This litigation is one in a growing list of class action lawsuits filed across industries as a result of data breaches, including highly publicized lawsuits against Target and Neiman Marcus, among others.  Standing – whether a class of consumers can demonstrate that they suffered a sufficient injury to maintain their lawsuit – continues to be a hotly contested issue in many of these cases, with the Seventh Circuit weighing in this past July in favor of the plaintiffs in Remijas v. Neiman Marcus Group, LLC.  The United States Supreme Court is currently considering a similar standing issue in the context of a Fair Credit Reporting Act class action lawsuit, Spokeo v. Robins, the outcome of which could impact data breach class actions as well.