In the March 7 ruling, a Tennessee court found the creator of the video, Michael David Barrett, was only 51 percent responsible for the video, and called on West End Hotel Partners, the owners of the Nashville hotel where Andrews had stayed that night, to pay 49 percent of the award.
Claudia Callaway, an attorney, based in Washington, D.C., with the firm of Katten Muchin Rosenman, which represents clients in similar privacy claims, said the ruling shows the importance of hotel employee training. She said that it’s not enough to simply have the program, but to also have a mechanism for tracking that every employee has been trained.
“The best thing the hotel companies can do is ensure that employees understand the policies, have been trained on the policies, so that [the policies] become company procedure,” she said.
During the case, Andrews' lawyers alleged that hotel staff had erred in letting Barrett discover which room Andrews was staying in, and took no safeguards against allowing him to get a room next to hers. According to his testimony, he placed a call to the front desk from within the hotel, asking to be connected to Andrews’ room, which caused her room number to be displayed on the phone he was calling from.
Though the focus was on a hotel, Callaway warned that policies need to address not just the hotel, but any business within the building.
“The case spotlights the risk, not just to the hotel component, but also to the restaurants, hotel spas, hotel gift shops, any place where data can be obtained,” she said. “Whether from a credit card skimmer or from a menacing person who’s looking to get specific information.”
Andrews had attempted to also sue Marriott International, the flag with which the hotel was affiliated, but the judge dismissed Marriott as a defendant, saying that company could not be held responsible for security at the individual hotel which bore its brand.
In addition to policies, Callaway said it’s a good idea for companies to work with their insurance companies. Doing so, she said, can not only help provide trackable training, but additional safeguards at all “data entry points.”
To help identify potential pitfalls in a hotel, Callaway said she recommends to her clients that a “table top” exercise be conducted, training employees how to respond to possible real-life scenarios in an exercise.
“Like a mock trial, you come in with all hands and you go through a data breach exercise … to get an understanding of the real-time legal requirements that go into a data breach,” Calloway said.