Posted on March 17, 2011 by Ruth Walters

Premises Liability Part 2: Denny's Shooting and a Record-Setting Jury Verdict

Back in December, my colleague Greg posted “Premises Security 101,” noting the increased attention our clients were paying to premises security issues. As it turns out, they were right to do so. Less than two months later, on February 7, 2011, a King County jury decided that Denny’s owed three plaintiffs $46.4 million in total for injuries sustained when a patron shot into a Denny’s Restaurant in Kent with a semiautomatic gun. According to plaintiffs’ attorney Ron Perey, this was the largest personal injury verdict ever rendered in the State of Washington; however, Denny’s insurance company settled the case for $13 million before the jury delivered its damage award.

Just to be clear, the man who shot plaintiffs Steve Tolenoa, Lisa Beltran-Walker and Carl Walker was not employed by or otherwise related to Denny’s or its management or the owner of that particular Denny’s. Frank Evans was a violent drunk guy who showed up after the bars closed, picked a fight with another patron, lost it, got mad, left and came back with a Glock .40, which he used to shoot up the restaurant (11 bullets). Mr. Evans was convicted on multiple counts of first-degree assault and is currently serving a 62 year sentence in state prison.

The gist of plaintiffs’ argument against Denny’s was that it behaved negligently in (a) not having a security plan to protect patrons and (b) failing to take other reasonable measures to protect its patrons, particularly during the so-called “bar rush” (1-5 a.m.). Plaintiffs noted, for example, that the presence of an off-duty police officer or security guard might have prevented the shooting.

In essence, plaintiffs asserted that the harm done them was foreseeable. They provided evidence that, for example, between the years of 2005 and 2008, police came to the property 30 times for crimes including assaults, drug offenses, car prowls and rape. Plaintiffs’ attorney stated that many Denny’s employees did not want to work the bar rush because of the risk of danger. Evidence was provided about the commonness of violence at and near the location of that Denny’s in Kent (right next door to a bar). And so on.

What this means for other restaurateurs is not clear. There was no written opinion issued by the court of any precedential value, and, as part of the settlement, Denny’s has agreed not to challenge the verdict. Should every restaurant open all night employ armed security guards? What is the risk if a restaurateur temporarily or permanently excludes a patron it believes poses a security threat to others? What if he or she does not? Is the risk different if the person is white or if the person is Black or Latino? There are no easy answers to these questions; however, the general guidelines regarding foreseeable injury Greg describes are a good place to begin:

  1. If a harm is foreseeable, you have a duty to warn or protect your customers. Therefore, know your surroundings. Consciously avoiding having information—the “hear no evil, see no evil” approach—will not work; if you reasonably should have known about a particular harm, you will still be accountable for it.
     
  2. On the other hand, if you do know or should have known that a harm is foreseeable (such as car theft, if there have been many such thefts in the area), you will likely be held responsible for that knowledge, particularly if you, your business or the business just next door have been victims of such crimes. This is why, for example, the number of times the police visited the Kent Denny’s is relevant. Take action on the knowledge you have
    .
  3. Your duty is to warn your guests so that they may avoid the harm, or protect them or protect them from it. You might consider doing some of both—e.g. posting signs reminding customers to lock their cars and employing a security guard.

  4. Finally, your duty with regard to the safety of your premises is just one of the many legal duties incumbent upon you and must be weighed against, as in the above example, your legal obligation not to discriminate against customers based on their races or other protected classes.
Tags: , , , , , , , , ,
Posted on December 10, 2010 by Greg Duff

Premises Security 101 for Northwest Hoteliers and Restaurateurs

Given the recent attention paid by clients to local security issues (including the recent and well received Hotel Industry Security Forum sponsored with the Washington Lodging Association – see Ruth Walter’s recent post on this event), I thought it a good time to review the obligations imposed by law on hoteliers and restaurateurs in Washington and Oregon to protect their guests and customers from crimes committed by third parties.  In other words, what responsibility does a hotel or restaurant owner have for guests or customers who are injured (or whose property is damaged or stolen) by criminals.  As I explain below, the more a hotel or restaurant owners knows about potential criminal conduct at her establishment, the more likely it is that she may be held responsible for not warning and/or protecting her guests or clients against it.

To fully appreciate and understand this issue, it is important to have a little background . . .  First, state law in both Washington and Oregon (and nearly every other state) imposes on business owners of all types the obligation to protect customers from dangerous conditions that a business owner knows or has reason to know to exist on the business premises.  Second, these same state laws rarely impose on people the obligation to protect others from the criminal acts of third parties.  Finally, exceptions to the second principle have been found to exist where business owners enjoy special relationships with their customers so as to put the business owners in a unique (and possibly better) position to be able to protect their customers or clients.  Examples of these "special relationships" included transportation providers and their passengers, employers and their employees and, you guessed it, hotel owners and their guests.  In 1997, Washington (like a growing number of states who have addressed this issue, including Oregon) concluded that all business owners (regardless of the type of business) have customer relationships sufficient to impose an obligation to both discover and warn or protect their customers against criminal acts where such acts are reasonable foreseeable.

So what does this mean practically for hoteliers and restaurateurs?  There are a couple of important key points to remember:

  • Hoteliers and restaurateurs only have a duty to discover / warn / protect when the harm to the guest or customer by a third person is foreseeable.  Not until the hotelier or restaurateur knows or has reason to know of the harm does the duty arise.
  • Foreseeability is likely found to exist where the hotelier or restaurateur knows or has reason to know of the specific harm or general category of harmful activity.  In other words, while the hotelier may not have had reason to know that his guest would be physically assaulted in the hotel’s garage, the hotelier could be held responsible if he knew of general ongoing criminal conduct (e.g. car prowling, theft, etc.) in the hotel’s garage.
  • Knowledge on the part of a hotelier or restaurateur includes both actual knowledge and constructive knowledge (i.e. knowledge imposed under the circumstances).  Constructive knowledge can be based on the general location or nature of the hotelier’s or restaurateur’s business or the hotelier’s or restaurateur’s personal experience.  Courts that have looked at this specific issue tend to focus on the history of violence known to the business owner.  In other words, the more you know about crime being committed in or around your business, the more likely it is that you will be found to have knowledge of future crimes being committed against your guests or customers.
  • Finally, and perhaps most importantly, the duty owed to a hotelier’s or restaurateur’s guests or customers includes both (a) the duty to discover that criminal acts are being committed or are likely to be committed and (b) the duty to warn guests or customers so that they may avoid harm or to protect them against harm. 

As I said at the outset, the more a hotelier or restaurateur knows about crime at or around his location (which is the likely outcome of the hotelier or restaurateur fulfilling his obligation to discover criminal activity), the more likely it is that the hotelier or restaurateur must discover even more about the crime and warn of, or protect his guests or customers against, the crime.  The standard creates somewhat of a vicious circle for any business owner facing crime at or around his or her business. 

 

While I never advise clients to bury their heads in the sand and ignore the events and activities going on around them, I do routinely advise clients that taking a responsible and proactive approach to area crime requires that they must act appropriately in response to the information that they receive.  Knowledge plus inactivity is a recipe for disaster. 

Tags: , , , , , , , , , , , , ,
Posted on December 3, 2010 by Ruth Walters

November 30, 2010: Hotel Industry Security Forum--Protect Yourself, Your People, Your Properties

This week, the Washington Lodging Association (WLA) brought together law enforcement officers, intelligence analysts and advisors from the Washington State Fusion Center and the Department of Homeland Security (DHS) to discuss hotel security, particularly in the context of terrorist attacks and large-scale natural disasters.

The 2008 Mumbai attacks, involving two world class hotels, made those in the hospitality industry exquisitely aware of the vulnerability inherent in the hotel business, where the general public comes and goes 24 hours a day, seven days a week, everyone is carrying a bag or bags and cars, planes, helicopters or even boats are arriving and departing frequently. DHS, as part of its sector-specific infrastructure protection plan, has a number of free resources available to hotels, including a 10 minute video and a poster with general information about how to be alert and protect yourself, your people and your property. Attendees also received additional materials at the forum, including the Protective Measures Guide for the Lodging Industry, produced with input from the American Hotel & Lodging Association (AH&LA) and Potential Indicators of Terrorist Activity, Common Vulnerabilities and Protective Measures, targeted to the hotel industry. The latter publications are not available to the public, but interested hoteliers should contact their local Protective Security Advisor (PSA) at PSADutyDesk@hq.dhs.gov.

In general, DHS has a number of counterterrorist programs and activities, including training and downloadable materials, links to which can be found here.

According to the threat briefing provided by DHS’ regional intelligence officer at the forum, matters are pretty much status quo, although there appears to have been a slight shift from overseas actors to so-called “home grown” terrorists. In addition, and on a related point, every speaker emphasized the importance of looking for suspicious behaviors (i.e. leaving a van parked in front of a hotel and running off, paying cash for a two week stay and not providing a credit card number), not suspicious people (i.e. olive skinned men with black hair and beards, veiled women). The speakers also repeated more than once that you, hotelier, and your housekeeping staff, your valet parkers, your security officers and your front desk employees, are the ones in the best position to determine what is suspicious. This is the idea behind DHS’ pairing with private sector interests—DHS makes suggestions but also takes them.

And, on that note, if you feel it appropriate, the Washington State Fusion Center has an online tip reporting tool, as well as a phone line. The Fusion Center is exactly what it says—a fusion of law enforcement officers, analysts, and experts from local, state and federal agencies and the private sector—created to improve information sharing and helping protect the people and infrastructure of Washington state.

So, while terrorism and disaster are not the happiest things to contemplate, it's good to be prepared, and to know where you can go for resources and assistance in case you feel you are not.
 
Tags: , , , , , , , , , ,
Posted on May 28, 2010 by Ruth Walters

Recent Developments in Data Privacy and Security Laws

A pair of recently effected state laws makes clear that information security remains a significant issue that receives and will continue to receive considerable legislative and commercial attention. Hoteliers, restaurateurs and others in the hospitality industry use personally identifiable information (PII) of their guests and customers to improve services and create a personalized experience.

Greg and I attended the annual Hospitality Law Conference in Houston this February, which devoted an entire track to data privacy issues. It’s the definition of a hot topic, and important, so please take note!

After the Breach: Now Banks Get Paid Too

Until now, state statutes treating the issue of data security have dealt exclusively with post-breach requirements—i.e. a business’s duty to notify individuals whose personally identifiable information (PII) might be compromised—and creating a claim for individuals who want to sue for damages. The Washington law (H.B. 1149) continues in this vein; and under the revised law, financial institutions may now recover their costs from certain businesses for reissuing debit and credit cards after a data breach, if the businesses were negligent in protecting data. Now a hotelier not only has to worry about paying damages to guests whose data might have been breached, but she also needs to worry about paying the banks who have to reissue the cards.

Before the Breach: Required Security Measures

The administrative regulations arising from Massachusetts amended “Security Breaches” act are the first such regulations to directly impose an obligation on businesses to protect PII. Any business that owns or licenses PII about Massachusetts residents must take steps to prevent a breach, as set forth in the administrative code. For example, businesses must:

  • Encrypt all data, including on mobile devices (laptops, PDAs, etc,)
  • Restrict physical access to records containing PII
  • Develop written information security policies and adhere to them '
  • Regularly monitor networks for unauthorized activity

Compliance with PCI-DSS Standards

The Massachusetts attorney general has, to date, been ominously silent about how to interpret the new regulations. In the mean time, businesses would do well to become PCI-DSS compliant, whether or not credit card information is actually stored. These standards, promulgated by the PCI Council, set forth some “best practices” that will help data owners and licensors comply with various state legal obligations. In fact, PCI-DSS compliance provides a “safe harbor” from the recoveries made available under the amended Washington law.

What Does it all Mean?

Part of the total guest service experience often requires the creation of a guest folio or profile that allows the hotel or restaurant (or other hotels or restaurants under the same owner or manager) to “remember” that a guest likes the New York Times in the morning and eggs over-easy with a side of wheat toast. The folios may also “remember” credit card numbers, passports, addresses and phone numbers. This information is critical to the operation of the hotel or restaurant, but absolutely must be protected.

Aside from the legal penalties, a big data breach is embarrassing and can create a PR and guest services nightmare.  Take a lesson from Wyndam, Radisson, and Starwood, and be sure to protect your data.
Tags: , , , , , ,