Navigating Hospitality Liability and Insurance Coverage in 2023
By Peter Halprin Partner, Pasich LLP | January 2023
Co-authored by Jacquelyn Heitman - Partner, & Tae Andrews - Senior Managing Associate, Pasich LLP
While the hospitality industry faced numerous challenges over the last year, there are three concerns, grabbed straight from the headlines, that should be top of mind for industry executives as we enter 2023.
Although renewed COVID surges will no doubt create further issues for the industry, liability from cyber and privacy exposures as well as human trafficking are likely to create serious legal and risk management challenges for hotel operators in the coming year.
As a risk mitigation measure, hotels should evaluate their insurance policies to determine the scope and extent of insurance coverage for these emerging risks. The case law on coverage for cyber and privacy exposures, as well as human trafficking, as detailed below, is evolving, so it is best to be proactive and work closely with insurance professionals to maximize coverage.
Privacy Liability for Biometric Data
Lawsuits alleging violations of biometric-information statutes present a growing source of potential liability and exposure for the hospitality industry. However, insurance can provide coverage for these kinds of claims. The COVID-19 pandemic has spurred changes in the hospitality industry, including new build-outs incorporating contactless technologies such as voice controls and the use of other biometric data, including retina or iris scans, scans of hand or face geometry, or any other information that can be used to uniquely identify an individual.
The use of biometric data can lead to claims alleging violations of biometric information laws, which protect individuals against the unauthorized collection, use, and dissemination of their biometric data. The leading statute is Illinois' Biometric Information Privacy Act (BIPA), which authorizes a private cause of action and allows damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation. Hotels that have their employees clock into and out of their shifts using fingerprint scanners have faced numerous BIPA lawsuits in the past few years, making this a frequently disputed subject and source of potential exposure for the hospitality industry.
In a heavily anticipated decision, the Illinois Supreme Court will soon weigh in regarding whether a BIPA violation occurs with each unlawful collection of biometric information or only after the initial collection for each affected individual. The calculation of the number of violations under BIPA will have major effects on companies using biometric data, as adverse judgments can lead to massive potential liability: in one recent decision, a jury found 45,600 BIPA violations and awarded $228 million in damages.
Fortunately for hospitality companies, insurance can cover biometric-data claims. In a landmark ruling, the Illinois Supreme Court held that a general liability insurance policy covered a BIPA claim brought by a customer alleging that a tanning salon improperly disclosed her fingerprint data to a vendor. Specifically, the Court held that the customer had alleged injury arising out of "publication of material that violates a person's right of privacy" covered under the policy's "personal and advertising injury" coverage. The ruling is significant because of the ubiquity of general liability insurance coverage. Other common types of coverage, such as Employment Practices Liability Coverage, can also cover these kinds of claims. An organization's preexisting policies may therefore cover biometric-data claims; hospitality companies can also negotiate coverage upon renewal.
Insurance coverage for BIPA claims is a heavily litigated arena and 2023 will see even more rulings handed down in this area of law. These rulings will be significant because more and more jurisdictions are enacting new legislation similar to BIPA. Having insurance coverage in place can help mitigate the risk presented to hospitality companies by these sources of potential exposure.
Privacy Liability for Data Breaches
Privacy risk extends beyond biometric data, and also includes the loss of sensitive customer data, such as passport numbers and credit card information. This has been a hot-button issue recently, as the headlines often feature reports of data breaches that have impacted leading hotel brands and millions of their customers.
Hotel owners and operators should review their insurance policies for first-party and third-party coverages relating to data breaches. The former will protect businesses against out-of-pocket losses (such as business income losses), while the latter protect businesses against lawsuits from customers or employees, or actions by regulators, arising out of data breaches.
Many such policies also provide incident response services, which can include technical/forensic services, legal services, public relations, and ransomware negotiation specialist services.
There has not been much litigation in this space, but a ruling involving a data breach at a retail company demonstrates that, in addition to specialized policies, general liability policies may also cover cyber risk.
In Landry's, Inc. v. Insurance Co. of the State of Pennsylvania, the hackers installed a program on the retail company's payment-processing devices that stole data from the magnetic strips on customers' credit cards, including the cardholders' names, card numbers, expiration dates, and internal verification codes. The terms of the company's contract with its payment-card processor required the company to comply with certain rules and security guidelines set by the card issuers and indemnify the processor for any fines or penalties resulting from failure to comply with those guidelines. After the data breach, the processor filed suit against the company, alleging breach of the contract. The retail operator requested a defense from its insurer, but the insurer denied coverage.
After an adverse trial court ruling, the company appealed. On appeal, the Fifth Circuit held that the company was entitled to a defense as there was a covered "publication" when: (1) the company "published" the customers' credit-card data to hackers during the data breach; and (2) when the hackers "published" the credit-card data by using it to make fraudulent purchases; both disclosures exposed or presented the credit-card data information to view. The Fifth Circuit also held that the processor's lawsuit "arose out of" publication of material that violated the customers' privacy rights, and it did not matter that the processor brought contract claims instead of tort claims because the insurer's defense obligation depends on the facts alleged in the underlying complaint, not the legal theories invoked.
As threat actors continue to target data maintained by the industry, insurance coverage is likely to continue to be utilized to address the associated financial burden.
Human Trafficking Liability
Awareness about human trafficking at hotels and motels has surged in recent years. Hotels are used in a myriad of ways for both sex and labor trafficking, by both traffickers and victims. One study found that 75% of trafficking survivors interacted with a hotel or motel during their trafficking situation. As human trafficking is a nationwide problem, there is no question that many hotels and motels countrywide may be unsuspectingly harboring trafficking victims.
More and more, hotels and motels are being sued in human trafficking-related lawsuits. The Trafficking Victims Protection Re-authorization Act (TVPRA) allows civil lawsuits against entities that benefit from human trafficking enterprises, even if they have not engaged in trafficking themselves. The TVPRA allows victims and their families to file suit under the theory that entities actually knew or should have known trafficking activities were occurring on their premises. Thus, even if a hotel or motel had no idea its premises were used in trafficking activities, they can be found liable nonetheless.
In recent years, leading global hotel chains have been named in lawsuits and accused of profiting from sex trafficking under the TVPRA and other anti-trafficking laws. In fact, in 2020, nearly half of the 149 sex trafficking defendants were hotels. Indeed, the majority of these lawsuits allege that the hotels knew or should have known that traffickers were using their premises for illicit activities.
As a result, the industry is increasingly looking to its insurance policies to cover these claims. Specifically, hospitality companies have focused on general liability insurance policies for such coverage. Trafficking claims may trigger a number of general liability coverages, including those for bodily injury and false imprisonment.
In response, insurers have argued that exclusions for "assault and battery" or "expected or intended injury" apply to bar coverage.
In one case rejecting the insurer's arguments, a federal district court held that an assault and battery exclusion did not apply because the underage victims did not specifically allege they were assaulted or battered. Instead, the victims were "tricked and manipulated " into participating in illegal acts. In finding coverage, the court rejected the insurer's argument and focused instead on the definitions of "assault and battery" in the policy to hold in favor of coverage.
Likewise, in another federal district court case, the court held that the insurer had a duty to defend the policyholder against a trafficking case, rejecting the argument that the "criminal acts" exclusion barred all possibility of coverage.
Given the liability associated with trafficking claims, clients should work closely with their insurance professionals to pursue coverage for such claims.
While 2023 presents the industry with new opportunities for growth, the potential for liability arising out of human trafficking, as well as cyber and privacy exposures, should be top of mind for hotel executives. In addition to legal and risk management policies aimed at limiting these exposures, the industry should also consider pursuing insurance coverage to reduce the financial impact of these risks.
Jacquelyn Mohr Heitman is a partner in Pasich LLP's Manhattan Beach office and a member of the firm's insurance recovery practice. Ms. Heitman has extensive experience representing commercial and individual clients in a wide range of complex coverage disputes, including coverage advice, pre-litigation disputes, international arbitrations, and coverage litigation. Her insurance coverage work includes first and third-party claims, bad faith litigation and indemnity recovery. Over her career, she has advocated for her clients under an array of forms and policies, including All Risk, Builder's Risk, Commercial Crime, Cyber, Directors & Officers (D&O), Employment Practices Liability (EPL), Environmental Liability, Errors & Omissions (E&O), Fiduciary Duty, General Liability (GL), Homeowners' Insurance, and Workers' Compensation.
Tae Andrews is a senior managing associate in the New York office of Pasich LLP. Mr. Andrews has recovered hundreds of millions of dollars for corporate policyholders in coverage disputes with their insurance companies. He has litigated in state and federal courts, representing clients in disputes under commercial general liability, directors and officers, commercial property, professional liability/errors and omissions, builder's risk, and other types of insurance policies.
HotelExecutive retains the copyright to the articles published in the Hotel Business Review. Articles cannot be republished without prior written consent by HotelExecutive.