Lawyers often say “bad facts make bad law”. Combine that with weak legal arguments and, well, things can get really bad, really fast. That’s precisely what happened to Wyndham yesterday when the Third Circuit affirmed a federal District Court decision that the Federal Trade Commission (“FTC”) has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the Federal Trade Commission Act. While commentators may disagree on the result from a legal or policy perspective, one thing is for certain, it was a bad result for Wyndham. The decision rejected in no uncertain terms Wyndham’s argument that the FTC lacked authority; and not kindly.
Our friends (and former contributors) at Seattle-based BrandVerity produced an infographic showing that the average hotel brand is losing 26,500 website visitors on direct web traffic each month, leading to a real loss in revenue as these bookings are made elsewhere. Their findings are based on the information found in the hotel selection of their quarterly report on The State of Branded Keywords in Paid Search.
The report assesses the paid search landscape on branded keywords of over 250 consumer-facing brands. Looking at Q1 2015, it found that trademark bidding has cost the typical brand tens of thousands of visitors each month. The full report is available for download today at https://www.brandverity.com/branded-keywords/.
The Competition & Markets Authority (CMA), which investigates business practices and enforces anti-competition and consumer protection legislation in the UK, just released a report and call for information that signals more scrutiny for online reviews and endorsements. Though the report does not identify companies or sites that will be the subject of investigation, it expresses a general concern that a number of businesses are breaking the law. The report does not point fingers, but it’s worth noting that the hospitality industry is mentioned several times as an area of particular interest, based in part on a survey conducted by the British Hospitality Association in March of this year. Consumer reliance on reviews for vacation travel, the relatively higher cost for hospitality related services, and the sensitivity of the hospitality related services to negative reviews were cited by the CMA as reasons why the industry is an area of particular concern.
UK regulations are, of course, aimed at protecting UK consumers, but U.S. companies are well advised to take heed of the report’s warnings and recommendations because, as the report notes, the CMA plans to assume the Presidency of the International Consumer Protection and Enforcement Network (ICPEN), of which the U.S. is an active member. And, the practices flagged by the CMA, as well as the steps businesses can take to address the CMA’s concerns, closely parallel those identified by the Federal Trade Commission (FTC).
So, whether your customers are here in the States or abroad, the following practices may result in an investigation by the CMA (or FTC):
- Writing or commissioning fake negative or positive reviews. (Your marketing firm could also be on the hook for setting up fake Twitter or Facebook accounts to submit reviews).
- Cherry-picking positive reviews or suppressing negative reviews. (Your website user agreement or comments policy may well allow you to edit or delete user content containing expletives or other inappropriate material, but if those expletives all happen to be in negative reviews of your product or service, you need to consider what disclosures may be necessary to ensure the reviews as a whole are a fair and accurate representation of the actual comments received).
- Failing to disclose paid reviews or endorsements. (Whether it’s cash, a free dessert, or award points, you need to disclose compensation or incentives given to individuals submitting reviews or endorsements).
The best practices recommended by the CMA similarly echo the FTC’s guidelines:
- Be clear with your marketing department or outside marketing firm that they may not write or solicit reviews. Documenting that parameter in a letter or agreement will provide a paper trail that could prove handy down the road.
- If you do provide compensation or incentives for reviews or endorsements, be sure that that fact is clearly disclosed, e.g., by using a hash tag like “#paid ad.”
- Promptly publish all reviews, even negative ones. If reviews have been edited or deleted (e.g., to remove expletives), clearly disclose your policy or basis for doing so.
- Establish a procedure (whether in house or with your marketing firm) for detecting and removing fake reviews.
In conjunction with the report, the CMA published summaries on how to comply with UK consumer protection law on online reviews and endorsements.
Ultimately, the CMA and FTC share a common purpose: to protect consumers from unfair or deceptive business practices by protecting the consumer’s ability to make meaningful choices. Disclosure of the connection between a review or endorsement and its source (i.e., an independent individual or a sponsoring company) is essential to meaningful consumer choice. So, in devising your marketing strategy, especially if it includes a forum for consumer reviews, ask whether you’ve given your customer the information necessary to make a meaningful decision about your product or service. Doing so not only helps build brand loyalty, it could help avoid an investigation by the CMA (or FTC).
The sharing economy requires a new look at work relationships. Many of the business models in the sharing economy are based on individuals being creative and entrepreneurial as they seek to provide services to others. Drivers for companies such as Uber and Lyft share their cars using a license to access software that connects drivers and riders. Residences are rented out on a short term basis using software that markets to prospective travelers on sites like VRBO and Airbnb. SnapGoods provides a mechanism for lending or borrowing high-end household items. DogVacay provides host homes to animals whose owners are travelling. TaskRabbit allows others to bid to do your tasks and odd jobs. There is a never-ending list of creative sites looking to maximize the sharing economy. But, when is the line crossed from independent contractors providing services to others to employees of the “hosting” company? This is the question that has been the focus of recent administrative rulings and lawsuits involving Uber.
In Florida, a driver for Uber filed for unemployment after his car was damaged in an accident. As reported in the Miami Herald, the state agency agreed he was an employee for the purposes of unemployment benefits. Meanwhile, in California the Labor Commission also found that an Uber driver was an employee not an independent contractor. Both Uber and Lyft are currently facing lawsuits that are wending their way through the Northern California Courts alleging the same thing. So, what does this mean to other sharing economy ventures outside of the transportation industry, such as the short term rental market?
A quick look at the reasoning of the California Labor Commission is the best place to start in the quest for an answer. Under California law, there is an inference of “employment” if personal services are performed as opposed to business services. The factors considered when determining independent contractor status are:
- Whether the person performing services is engaged in an occupation or business distinct from the alleged employer;
- Whether or not the work performed is a part of the regular business of the alleged employer;
- Whether the alleged employer or the worker supplies the tools and the place where the person performs the work;
- The amount invested by the worker in the equipment or materials required by the task and whether or not the worker has employees of their own;
- Whether the service rendered requires a special skill;
- The kind of occupation and whether the work is usually done under the direction of the alleged employer or by a specialist without supervision;
- The alleged employee’s opportunity for profit or loss depending on his or her managerial skills;
- The length of time for which the services are to be performed;
- The degree of permanence of the working relationship;
- The method of payment, whether by time or by job; and
- Whether or not the parties believe an employer-employee relationship is being created.
In the recent California case, the driver claimed she was owed unpaid wages, reimbursement of business expenses, liquidated damages and penalties. Uber disagreed saying she was an independent contractor who had complete control over her schedule, if she even took any riders, and she had to obtain her own license from the state to carry passengers. Uber simply provided the iPhone and the platform for matching riders and drivers. The Labor Commissioner sided with the driver, finding that the type of work performed by the driver was integral to Uber’s business. Specifically, without drivers such as the Plaintiff, Uber’s business would not exist. Uber was involved in every aspect of the operation. They vet the drivers, control the tools the drivers use, set the price for the trip, accept the cancellation fee without necessarily sharing it with the driver, and discourage the acceptance of tips by drivers because doing so would be counterproductive to the Company’s advertising and marketing strategy. The Labor Commission said all of these activities pointed to an excessive amount of control, thus demonstrating an employment relationship – not that of an independent contractor.
So what does this potentially mean to the rest of the sharing economy, in particular, the short term rental market? Likely, not much, but that could vary based on how the service operates. For example, VRBO provides a web platform and marketing, but the property owner needs to do the majority of the work to get her property on the site, manage the property and deal with reservations. One of the big distinctions is that the short term rental companies provide a marketing platform for a business service (renting a piece of property) as opposed to a personal service (renting a driver). The risk for such companies is not so much with the property owners, but with the service personnel who provide housekeeping, or maintenance services or other similar services to support the properties. The short term rental company may insulate itself from a claim that the service personnel are its employees if it limits its involvement in the hiring and supervision of such services, leaving that to each individual property owner. If, however, the short term rental company acts more as a property manager, such as Vacasa, then there may be an argument that the service personnel are employees of the short term rental company. No matter the industry, if there is any question regarding the employment/independent contractor status of your workers, it is always best to involve legal counsel sooner rather than later.
Joy Ellis, member of our Labor and Employment Group and Hospitality, Travel and Tourism practice team, brings us the very latest news about Oregon’s Statewide Paid Sick Leave Bill. Thank you, Joy! – Greg
In a healthy victory for Democrats that left some Republicans feeling ill, Oregon’s legislature voted to enact a statewide paid sick leave law that will take effect January 1, 2016. Governor Brown signed the bill into law on June 22, 2015. The law requires Oregon employers with 10 or more employees to provide up to five paid sick days a year – except in Portland, where employers need only to have six or more employees to be subject to Portland’s paid sick leave ordinance, in effect since 2014. Oregon employers with fewer than 10 employees (or six, in Portland) need to provide unpaid sick leave to employees who qualify. The statewide law negates the city of Eugene’s controversial sick leave ordinance that was passed in 2014 but has not yet been implemented.
Under the law, employees will accrue one hour of paid sick time for every 30 hours worked, up to five days (40 hours) a year, the same as the Portland ordinance. Employees may take time off to care for themselves or a family member. It is expected that employers already complying with Portland’s sick leave ordinance will not have to change their practices. Employers with paid time off policies with substantially equivalent benefits will not need to convert their policies. Now is the time to plan ahead and make sure your policies are ready to go on January 1, 2016.
The law also protects employees from retaliation or discrimination for using sick time.
Oregon is now the fourth state to enact statewide paid sick leave, following the lead of Connecticut, California, and Massachusetts.
In the hospitality industry, dress code policies are very important. Diana Shukis, member of our Labor and Employment Group, brings us the latest US Supreme Court ruling regarding image-based policies. Thank you, Diana! – Greg
On June 1, 2015, the US Supreme Court ruled in favor of the US Equal Employment Opportunity Commission (EEOC), concluding that an employer cannot refuse to hire a qualified job applicant in order to avoid accommodating a religious practice – even if the applicant did not request an accommodation. An applicant must only show that her need for a religious accommodation was a motivating factor in the potential employer’s decision not to hire.
In EEOC v. Abercrombie & Fitch, Samantha Elauf, a Muslim who wore a headscarf for religious reasons, interviewed for a sales floor position at Abercrombie. Ms. Elauf wore a headscarf to the interview, but did not discuss her religion or say that she wore the headscarf for religious reasons. The assistant store manager who interviewed Ms. Elauf did not ask about the headscarf, but later testified that she assumed Ms. Elauf was Muslim. The assistant store manager gave Ms. Elauf a rating that qualified her to be hired, but was concerned that Ms. Elauf’s headscarf conflicted with Abercrombie’s dress code, which prohibited headwear of any kind. The assistant store manager checked with the district manager, who directed the assistant store manager not to hire Ms. Elauf because her headscarf would violate Abercrombie’s dress code.
The EEOC sued on Ms. Elauf’s behalf, claiming that Abercrombie’s refusal to hire Ms. Elauf because of her religious practice violated Title VII of the Civil Rights Act of 1964 (Title VII), which prohibits discrimination based on race, color, sex, religion or national origin. Abercrombie argued that it did not violate Title VII because its dress code banned all headwear, whether religious or not, and because Ms. Elauf had not requested an accommodation due to her religion.
The Supreme Court rejected Abercrombie’s argument that Ms. Elauf had to prove Abercrombie knew she needed a religious accommodation, noting that Title VII does not include a knowledge requirement. Title VII outright prohibits certain motives, including making employment decisions based on religion, regardless of an employer’s actual knowledge. The evidence showed that Abercrombie at least suspected Ms. Elauf wore the headscarf because of her religion and it refused to hire her because of it.
- Don’t stick your head in the sand. If you suspect that an applicant may need a religious accommodation if hired, you should engage in an interactive process with her. Typically this would include explaining the relevant policy and asking whether she can comply with it. If not, ask why. If it is because of religion, ask whether she would need an accommodation and what that might be. Then, evaluate whether granting the accommodation would impose an undue hardship. Remember to use caution in asking the follow up questions. Focus on the job requirements and whether the applicant can meet them – not on the applicant’s religious beliefs and practices.
- Train interviewing teams. Be sure that you provide regular training to those who interview in your organization. They need to understand what they can and cannot ask in the interview process and when they need to call in reinforcements to assist with more challenging issues. Also make sure that higher level managers have appropriate training, including on when to contact HR before making a decision. I bet Abercrombie & Fitch wishes its district manager had called HR before giving the “do not hire” instruction as to Ms. Elauf.
- Review your appearance policy. Dress codes and appearance policies are very important in the hospitality industry, but this case is a good reminder of some of the dangers lurking in and around them. The EEOC is very skeptical of image-based policies that seem to exclude people based on how they look and/or what they wear. Be sure your appearance policy is updated and in-line with what is truly important for your business.
In today’s post, Malcolm Seymour, a member of our New York office who specializes in commercial litigation and regulatory enforcement actions, discusses the benefits and legal considerations for those who provide free WiFi to their hospitality customers.
Whether booking a hotel, reserving a flight or choosing a café, hospitality customers are increasingly influenced by the quality and availability of high-speed wireless internet networks (“WiFi”) at their chosen destination. One third of all hotel guests, and two thirds of all business travelers, say that they would refuse to return to a hotel with substandard WiFi. And with the advent of free web services that monitor hotel WiFi performance, it is easier than ever for customers to vote with their feet.
But the road to free WiFi is not without peril. Hosts of open WiFi networks risk loss of service, or potential liability under United States and international copyright laws, for infringing acts committed by their users.
The good news is that hotspot operators in the United States can, through the adoption of best practices, shield themselves from most legal liability under the Digital Millennium Copyright Act (“DMCA”). Under the DMCA, Internet service providers — including WiFi hosts — are not supposed to be liable for copyright infringements committed by users if they act as “mere conduits” for user traffic. The DMCA creates a safe harbor for such conduits, provided they meet several criteria:
- The WiFi host must not initiate the transmission (upload or download) of information over their network;
- The host must not mediate this transmission in any way, i.e. by specifying a recipient for the transmission, specifying the material to be transmitted, or modifying the content transmitted;
- The host must not store copies of the content transmitted for longer than necessary to complete the transmission;
- The host must adopt and reasonably implement a “take-down” plan for responding to notices of infringement and for banning repeat infringers; and
- The host must not interfere with standard technical measures used for copyright protection, such as watermarks on images, password protection, or other digital rights management devices.
Hotels should ensure that their wireless networks are enabled to comply with these requirements, especially when it comes to suspending service to repeat infringers. Hotels that have implemented reasonably thorough policies to guard against copyright infringement should be safe if litigation erupts over piracy committed by a hotel guest or visitor.
The bad news — we are lawyers after all — is that copyright violations can still cause law-abiding hotspot operators big headaches with their service providers, even placing them at risk of service suspension. What’s more, copyright law varies between countries, and not all travel destinations have kept pace with the United States in modernizing their laws to accommodate open sharing of WiFi connections.
Germany is perhaps the most notorious outlier, thanks to a 2012 decision and subsequent enactment that hold operators of unsecured WiFi networks liable for the copyright infringement of their users. Backlash against these laws has prompted Germany’s current parliament to propose a repeal of this law. New Zealand is another destination known for its harsh “three strikes” rule, which may necessitate implementation of special software protocols to prevent peer-to-peer sharing over WiFi networks.
With the rise of smartphones and handheld devices, hospitality customers increasingly view open WiFi as a necessity rather than a luxury. Customers, while rarely grateful for strong service or fast connection speeds, will notice and complain if service is lacking. But as these examples show, operating a WiFi hotspot introduces serious risks that can only be mitigated by someone with knowledge of local law.
We are excited to announce that attorney Steve Goldman has joined our Hospitality, Travel and Tourism Practice Team in our Washington D.C. office! Steve has extensive experience representing brand and hotel-owner clients in all aspects of the life cycle of hotel contracts and brand and franchise systems, including launching and modifying new brands and systems in the U.S. and overseas; negotiating franchise and management agreements; developing and implementing quality assurance, e-commerce and revenue and management systems; and franchised and managed hotel transfers, workouts, receiverships and terminations. His in-depth knowledge of the hospitality industry was honed serving as Senior Litigation Counsel for Holiday Inns International, General Counsel of the Sheraton Franchise Division, and as a Corporate Officer and head of the Brand Transactions and Franchising Group and the Intellectual Property Group at Marriott International.
Welcome, Steve, we look forward to your future blog posts!
As featured in her previous blog posts regarding the battle over negative online reviews, Hospitality, Travel and Tourism practice team member Judy Endejan updates us on the results of Yelp!’s latest case. Thank you, Judy! – Greg
In the past twelve months we have reported on a Virginia case, Yelp!, Inc., v. Hadeed Carpet Cleaning, Inc., (“Hadeed”) that was closely watched because the case dealt with whether a business owner could unmask an anonymous blogger that posted specific critical reviews on Yelp! of his carpet cleaning company. This week the Virginia Supreme Court said, “No”. Hadeed had subpoenaed Yelp! to provide information in Virginia that would identify the authors of the reviews under a new Virginia statute, that requires only that a business prove that a negative review is, or “may be defamatory” or that it has a legitimate good-faith basis for believing that the review is defamatory in order to learn the identity of the reviewer. Hadeed presented evidence that could prove that the seven negative reviewers were not actual customers of the carpet cleaners, which a lower court found could mean that the reviews could be defamatory.
The Virginia Supreme Court in a fairly short, succinct opinion, held that the lower courts were wrong because Virginia courts do not have subpoena authority over nonresident non-parties like Yelp!. Even though it was registered to do business in Virginia, that is not enough for a court to require Yelp!, a non-resident, to respond to a Virginia subpoena. Yelp!, a Delaware corporation, has its primary headquarters in California. Thus, Hadeed might be able to subpoena Yelp! to produce documents in California but the business could not require Yelp! to respond in Virginia. The Uniform Depositions and Discovery Act allows litigants to get discovery from non-parties in the states where the non-parties reside.
Benjamin Lambiotte, technology and data privacy attorney in Garvey Schubert Barer’s D.C. office, shares key points from two significant survey reports analyzing trends in data security breaches during 2014 that were released this week: one from Verizon, and the other from IBM and the Ponemon Institute. It should come as no surprise to anyone that once again, the hospitality industry is featured prominently in both reports. Thank you, Ben! – Greg
The Verizon report studies in depth the industry sectors most frequently targeted and affected, the nature of current threats, and causes and consequences of actual data breaches. The Ponemon report focuses on costs associated with successful attacks. Both are worth a close read. Together, the reports starkly illustrate the increasing pervasiveness, complexity and costs associated with preventing and responding to data breaches. The good news is that they also provide guidance on effective preventive and cost control measures.
Here are some of our key takeaways and observations from these fascinating reports:
No Organization or Business is Immune from Attack, but Some are More Frequent Targets Than Others
- In terms of volume of security incidents by sector, the top ten (in order) were government entities, information, financial services, manufacturing, retail, hospitality, professional services, health care, and other services.
- Actual data breaches (attack succeeds; data lost or compromised) occurred most frequently (in order, by sector) in: government, financial services, manufacturing, hospitality, retail, professional services, health care, information, education, and other services.
- In certain industry sectors, cyber criminals more frequently breach smaller businesses. Smaller hospitality businesses, far and away, ranked number one, with retail second. Financial services remains the number one large business target, followed by large retail, and health care.
- Certain industry sectors are more frequent targets of certain types of threats. For example, the hospitality industry is particularly susceptible to Point of Sale (POS) intrusions. Verizon reports that 91% of data breaches in that sector were POS intrusions. The POS credit card systems used in that industry have of late been plagued by a new breed of malware (including POSeidon) that burrows deep into the system and “scrapes” card data momentarily stored in RAM. “Insider” threats (errors and abuse of access privileges) are more prevalent in health care than other industries. Financial institutions are particularly vulnerable to “crimeware” and web application hacks. Businesses should calibrate their risk management approaches to the specific types of threats they face.
Dealing With a Data Breach is Expensive — the More Records Compromised, the More it Costs
- Ponemon predicts that the mean cost of a data breach will be $201 per record, an increase over the past two years. Such costs include lost customers, and expenses of dealing with the breach. Relative costs depend on the scale of the breach. Verizon predicts that breaches of 1,000 records will result in losses between $52,000 and $87,000, and that breaches of 10 million records will result in losses of between $2.1 million and $5.2 million.
- Certain industries have higher data breach costs than others, with regulated industries having higher per capita record costs than non-regulated businesses. The highest relative per capita data breach costs (in order) are in the health care, transportation, education, energy and financial sectors.
The Most Frequent Ways Cybercriminals Gain Access are Through Dumb Stuff We Do or Don’t Do
- In order to steal or compromise sensitive data, cybercriminals have to get at it. The most common way they breach the castle continues to be “phishing” and “spearphishing.” “Phishing” involves baiting a system user to respond to an official-looking e-mail asking for a reply “verifying” a password or account number. “Spearphishing” is a variation where the e-mail also resembles a routine communication from a trusted sender, but invites the recipient to click on a web link or open an attachment whose payload is malware. The stats are sobering. Fully 23% of e-mail recipients open phishing e-mails, and 11% click on the malware payload. 50% of the time, this happens within an hour after the “seafood” e-mail arrives. A phisher who sends out this kind of chum generally only has to wait 1.22 seconds before some sucker somewhere takes the bait.
- Another prevalent way cybercriminals get at sensitive data is an organization’s failure to install “patches” for known security vulnerabilities. The stats here are also depressing. In 2014, half of exploited vulnerabilities were defeated within less than a month after becoming known. But in 99% of the cases where a known vulnerability was exploited, a patch had been available for a year or more! Due to failure to implement available fixes, hackers continue to be able to exploit well-known “oldie but goodie” vulnerabilities.
- Plain old human error is another major inroad for hackers. 60% of incidents were caused by internal staff sending sensitive information to the wrong person, putting sensitive data on publicly accessible servers, or disposing of sensitive medical or personal data in insecure ways. Also, people forget or lose mobile devices containing sensitive data in an insecure environment all too frequently.
- While technological countermeasures are necessary, a focus on human factors – the loose nut behind the keyboard – is at least as important. Training and awareness, and practices designed to mitigate our natural tendencies to make the type of mistakes that frequently give hackers keys to the castle, are a key part of any data breach risk management strategy.
Certain Specific Measures Can Reduce the Cost of a Data Breach When it Occurs
- The Ponemon report documents that certain types of expenditures can reduce the overall cost of a data breach. Having in place before the breach a strong security posture, a Chief Information Security Officer with responsibility for data protection, and a defined incident response plan all reduce the per capita record cost of a breach. It makes sense that planning and investing resources before an incident occurs can save money when it happens.