With each passing day, the public is inundated with more reportsof data breaches affecting companies of allshapes, sizes and types.

The hospitality industry has not been spared from exposure tosuch breaches, and in fact several of the most widely publicizedincidents involve some of the largest hotel brands in theworld.

Just weeks ago, InterContinental Hotels Group (IHG)announced it had suffered a data breach at multipleIHG-branded franchise hotel locations in the United Statesand Puerto Rico in late 2016.

Related: 4 pitfalls to avoid in a cyberinsurancepolicy

This comes on the heels of IHG's disclosure in February of aseparate malware attack exposing customer data at 12 U.S.IHG-managed hotels. IHG is not alone, as WyndhamWorldwide, Hard Rock Hotels, Omni Hotels & Resorts and HiltonHotels, among others, have all been publicly cited as victims ofcyber-attacks and resulting data breaches.

Who's ultimately liable?

While much has been reported on these incidents, less isunderstood about what liability may flow from a hotel data breach.Among the questions are which party or parties may bring actionsafter a data breach, against whom, and for what damages.Separately, as among the impacted hotel's operator and owner, andits general liability insurer, which party or parties areultimately liable for any losses caused by a data breach.

Consumers. When a hotel guest'sfinancial or personal information is compromised as a result of adata breach at a hotel, it stands to reason that the guest couldbring suit against the hotel operator and/or owner. The answer isnot as clear as one would think, and ultimately may depend upon thetype of information that is compromised. In a recent decision bythe Southern District of California in Dugas v.Starwood Hotels & Resorts Worldwide, No. 16-cv-00014, 2016WL 6523428 (S.D. Cal. Nov. 3, 2016), a key issue was whether aconsumer can sufficiently allege that she suffered an "injury infact" such that she has standing to sue under Article III of theU.S. Constitution.

Related: Cyber (in)security: Can insurance solutions keeppace with threats?

The court distinguished between the theft of social securityinformation or usernames and passwords, on the one hand, and theftof names, addresses, or credit card numbers, on the other hand. Itnoted that the former may constitute "real and immediate harm" toconsumers so as to confer Article III standing becausecyber-criminals can use such information to commit identitytheft.

By contrast, the court found that billing information and creditcard numbers — for since-canceled credit cards — are insufficient"for a third party to open up a new account in plaintiff's name orto gain access to personal accounts likely to have the informationneeded to open such an account (e.g., a social securitynumber)."

Allegations of harm

In another class action, however, this time against KimptonHotel & Restaurant Group, a federal court held just weeks agothat "[t]he theft of [a consumer's] payment card data and the timeand effort he has expended to monitor his credit are sufficient todemonstrate injury for standing purposes." Walters v.Kimpton Hotel & Restaurant Group, No. 16-cv-05387, 2017 WL1398660, (N.D. Cal. April 13, 2017). This same rationale led thecourt to find that the plaintiff had sufficiently alleged "actualdamages" for purposes of his claims for breach of implied contract,negligence, and certain violations of California's UnfairCompetition Law.

Related: 10 emerging developments in liabilityinsurance

Similar causes of action had been alleged in yet another databreach litigation against Trump International Hotels Management,although that action ultimately was voluntarilydismissed. Driscoll v. Trump Int'l Hotels Mgmt.,No. 15-cv-01089 (S.D. Ill. Oct. 2, 2015). The plaintiff in thatcase sued for, among other things, violations of state consumerprotection laws.

While the case law in this area is still developing, it appearsthat courts will rigorously scrutinize consumer suits with aparticular focus on whether and how a consumer alleges to have beenharmed by a data breach.

Hotel management agreement

It's generally the case that hotel operators, rather than hotelowners, are the entities that collect and store guests' financialand personal information. But that does not mean that hotel ownerswill escape liability in the event of a data breach, as most hotelmanagement agreements contain language obligating the owner toindemnify the operator, depending upon the vintage of thecontract.

While this language generally was envisioned to coverslip-and-fall/third-party type liability, and not liability arisingout of a data breach, hotel operators are likely to take aggressivepositions that such language places all risk on the hotel owner.Thus, owners would benefit from considering the implications of apotential data breach before it strikes.

GL insurer unlikely to cover damages

Importantly, as the Rosen case demonstrates, relying on ageneral liability insurance policy is risky. A hotel's generalliability insurer is unlikely to cover damages arising from a databreach, and rather will take the position that such policies coveronly bodily injury and property damage. "[C]ourts have consistentlystated that data is not property and is considered intangible."Dena L. Magyar, "Understanding the Impact of a Data Breach on yourHotel or Resort," Wells Fargo Insurance (January2014). As a result, purchasing cyber liability insurance may be themost effective way for hotel owners to protect themselves in theevent of an unexpected data breach.

The hotel industry and the consuming public alike would preferto avoid data breaches entirely. But in an age of rapid technological advancement — including forcyber-criminals — hotel owners should not underestimate thevalue of being prepared. This means both knowing to whom a hotelmight be liable in the event of a breach and understanding whichentity or entities will ultimately be responsible for footing thebill.

If your general liability insurance policy will not cover suchcosts, you should be aware of that and consider investing in apolicy that will. Hotel owners negotiating a hotel managementagreement also would be wise to pay careful attention to anyindemnification language, and make every effort to protectthemselves in situations where a data breach occurs through nofault of their own.

Todd Soloway ([email protected])and Bryan Mohler ([email protected]) arepartners at Pryor Cashman.Danielle Tepper ([email protected]),an associate at the firm, assisted in the preparation of thisarticle.