This comes on the heels of IHG's disclosure in February of a separate malware attack exposing customer data at 12 U.S. IHG-managed hotels. IHG is not alone, as Wyndham Worldwide, Hard Rock Hotels, Omni Hotels & Resorts and Hilton Hotels, among others, have all been publicly cited as victims of cyber-attacks and resulting data breaches.

Who's ultimately liable?

While much has been reported on these incidents, less is understood about what liability may flow from a hotel data breach. Among the questions are which party or parties may bring actions after a data breach, against whom, and for what damages. Separately, as among the impacted hotel's operator and owner, and its general liability insurer, which party or parties are ultimately liable for any losses caused by a data breach.

Consumers. When a hotel guest's financial or personal information is compromised as a result of a data breach at a hotel, it stands to reason that the guest could bring suit against the hotel operator and/or owner. The answer is not as clear as one would think, and ultimately may depend upon the type of information that is compromised. In a recent decision by the Southern District of California in Dugas v. Starwood Hotels & Resorts Worldwide, No. 16-cv-00014, 2016 WL 6523428 (S.D. Cal. Nov. 3, 2016), a key issue was whether a consumer can sufficiently allege that she suffered an "injury in fact" such that she has standing to sue under Article III of the U.S. Constitution.

Related: Cyber (in)security: Can insurance solutions keep pace with threats?

The court distinguished between the theft of social security information or usernames and passwords, on the one hand, and theft of names, addresses, or credit card numbers, on the other hand. It noted that the former may constitute "real and immediate harm" to consumers so as to confer Article III standing because cyber-criminals can use such information to commit identity theft.

By contrast, the court found that billing information and credit card numbers — for since-canceled credit cards — are insufficient "for a third party to open up a new account in plaintiff's name or to gain access to personal accounts likely to have the information needed to open such an account (e.g., a social security number)."

Allegations of harm

In another class action, however, this time against Kimpton Hotel & Restaurant Group, a federal court held just weeks ago that "[t]he theft of [a consumer's] payment card data and the time and effort he has expended to monitor his credit are sufficient to demonstrate injury for standing purposes." Walters v. Kimpton Hotel & Restaurant Group, No. 16-cv-05387, 2017 WL 1398660, (N.D. Cal. April 13, 2017). This same rationale led the court to find that the plaintiff had sufficiently alleged "actual damages" for purposes of his claims for breach of implied contract, negligence, and certain violations of California's Unfair Competition Law.

Related: 10 emerging developments in liability insurance

Similar causes of action had been alleged in yet another data breach litigation against Trump International Hotels Management, although that action ultimately was voluntarily dismissed. Driscoll v. Trump Int'l Hotels Mgmt., No. 15-cv-01089 (S.D. Ill. Oct. 2, 2015). The plaintiff in that case sued for, among other things, violations of state consumer protection laws.

While the case law in this area is still developing, it appears that courts will rigorously scrutinize consumer suits with a particular focus on whether and how a consumer alleges to have been harmed by a data breach.

Hotel management agreement

It's generally the case that hotel operators, rather than hotel owners, are the entities that collect and store guests' financial and personal information. But that does not mean that hotel owners will escape liability in the event of a data breach, as most hotel management agreements contain language obligating the owner to indemnify the operator, depending upon the vintage of the contract.

While this language generally was envisioned to cover slip-and-fall/third-party type liability, and not liability arising out of a data breach, hotel operators are likely to take aggressive positions that such language places all risk on the hotel owner. Thus, owners would benefit from considering the implications of a potential data breach before it strikes.

GL insurer unlikely to cover damages

Importantly, as the Rosen case demonstrates, relying on a general liability insurance policy is risky. A hotel's general liability insurer is unlikely to cover damages arising from a data breach, and rather will take the position that such policies cover only bodily injury and property damage. "[C]ourts have consistently stated that data is not property and is considered intangible." Dena L. Magyar, "Understanding the Impact of a Data Breach on your Hotel or Resort," Wells Fargo Insurance (January 2014). As a result, purchasing cyber liability insurance may be the most effective way for hotel owners to protect themselves in the event of an unexpected data breach.

The hotel industry and the consuming public alike would prefer to avoid data breaches entirely. But in an age of rapid technological advancement — including for cyber-criminals — hotel owners should not underestimate the value of being prepared. This means both knowing to whom a hotel might be liable in the event of a breach and understanding which entity or entities will ultimately be responsible for footing the bill.

If your general liability insurance policy will not cover such costs, you should be aware of that and consider investing in a policy that will. Hotel owners negotiating a hotel management agreement also would be wise to pay careful attention to any indemnification language, and make every effort to protect themselves in situations where a data breach occurs through no fault of their own.

Todd Soloway ([email protected]) and Bryan Mohler ([email protected]) are partners at Pryor Cashman. Danielle Tepper ([email protected]), an associate at the firm, assisted in the preparation of this article.