On October 2, 2015, Trump International Hotels became the latest in a growing line of data breach class action victims. Driscoll v. Trump International Hotels Management LLC, No. 15-cv-1089 (S.D. Ill.).  Indeed, the hospitality industry as a whole is seeing increased scrutiny from both plaintiffs’ attorneys and federal regulators.  Less than two months ago, the Third Circuit Court of Appeals affirmed the Federal Trade Commission’s broad authority to clamp down on the allegedly lax cybersecurity measures implemented by Wyndham Worldwide. F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015)

The Trump and Wyndham cases highlight a growing trend for both federal regulators and plaintiffs’ attorneys in the data privacy realm.  That is, data privacy claims founded in large part on a defendant’s own privacy policies and industry standards, using those very policies and standards against it.

Given the amount of consumer information the hospitality industry maintains—and how vast and sprawling a hospitality chain’s own network can be—it is crucial going forward that hospitality companies consistently evaluate their own privacy policies and practices to ensure that they are in fact doing as they say.

Recent Data Privacy Litigation

The newly filed Trump class action stems from a data breach allegedly running from May 19, 2014 to June 2, 2015 in which hackers were able to access the Trump computer systems and obtain a variety of customer data, including payment card information.  The foundation of the complaint—which alleges claims of unfair competition and common law claims of negligence, breach of contract and unjust enrichment—is Trump’s alleged failure to abide by industry standard data security practices, including the Payment Card Industry Data Security Standard.

Similarly, the Wyndham FTC action was predicated on the alleged failure of Wyndham to adopt and abide by basic security precautions over a period of years in which it suffered three separate cyberattacks.  The alleged failure to do so was made all the worse in light of the fact that Wyndham adopted and published a public-facing privacy policy touting its “industry standard” and other security measures.  Following the three attacks, the FTC filed suit, alleging that Wyndham’s lax security practices amount to unfair and deceptive practices under the FTC Act.

Notably, Wyndham is not the first time the FTC (or plaintiffs’ attorneys) has pursued data privacy claims in part based on a company’s failure to abide by its own privacy policy.  Indeed, just a few months ago the FTC settled a suit brought against in-store beacon technology company Nomi Technologies brought in large part because its data security practices violated the letter of its own privacy policy.  Likewise, Google is currently embroiled in a class action stemming from its information sharing practices relating to Google Wallet.  Svenson v. Google, Inc. et al, Case No. 13-cv-04080 (N.D. Cal.).  There, the Court permitted a handful of the plaintiff’s claims to pass the pleading stage based on the theory that Google failed to honor its very own privacy practices.

Where to go From Here

As the above cases demonstrate, plaintiffs’ attorneys and federal regulators alike are heavily scrutinizing whether companies data privacy practices comport with their own consumer-facing privacy policies and basic industry standards. Industries like hospitality—where the amount of information a given entity maintains is voluminous, often encompassing dozens of locations across the country—are especially vulnerable because company-wide oversight is especially difficult.

Going forward, the hospitality industry, through their in-house and outside counsel, should make a concerted effort to consistently monitor, evaluate and audit their own privacy policies—both internal and external— and industry standards and ensure that their practices live up to what they preach. This simple measure can go a long way to avoiding legal scrutiny.