Hotel Data Breach Compensation Claims
This guide looks at what a hotel data breach is. It may affect staff or guests. The guide considers how you may be able to make a claim for data breach compensation if you have been affected financially or psychologically by such a breach.
The law in the UK on data protection has developed considerably in recent years with the introduction of the UK General Data Protection Regulation (UK GDPR). It applies to every organisation that collects, processes and stores personal data on individuals. Hotel groups can be especially vulnerable because they process a substantial amount of personal information about guests and employees.
Hotel data breaches may involve financial information such as credit card or bank details and other personal information such as contact information.
If you have been affected by a hotel data breach, our panel of personal injury solicitors could assist you in obtaining the compensation you may be entitled to. Find out more about hotel data breaches and how you can be compensated for them below.
Select A Section
- What Is A Hotel Data Breach?
- What Personal Data Could A Hotel Hold?
- How Can Hotels Prevent Data Breaches?
- How To Claim For A Data Breach At A Hotel
- Hotel Data Breach Compensation Amounts
- Begin A No Win No Fee Hotel Data Breach Claim Now
A personal data breach relates to a security incident that leads to the accidental or unlawful loss, alteration, destruction, unauthorised disclosure of, or access to, personal data.
A personal data breach can involve:
- accidental causes, such as someone sending an email to the wrong person; or
- deliberate causes, such as hacking a database containing personal information.
In the context of a hotel data breach, this could mean the personal information of hotel employees or guest information held on, for example, the reservation system.
Not every hotel data breach can result in a claim. It must be seen that the hotel was supposed to protect your personal data and failed to do so because of positive wrongful conduct. This could mean that they did not update their cyber security, for example.
You’d also need to show that you suffered financial loss or mental damage, or both, as a result of the personal data breach.
A hotel could hold a number of types of personal or sensitive data. This may include but is not limited to:
- Name and that of any companion
- Contact details: address, telephone numbers, email address
- Date of birth
- Bank account details
- Debit and credit card numbers
- Loyalty card information including membership number and VIP status
- Personal health information
- Security codes for payment cards
- Passport numbers
Failure to protect guest information data can result in regulatory intervention and fines. In 2014, the Starwood hotel chain had 339 million guest records worldwide affected by a cyber-attack on its reservation system. The group were acquired by the Marriott International hotel group in 2016. Until 2018, when the problem was first noticed, the unidentified attacker continued to have access to all affected systems.
7 million guest records related to persons in the UK. The ICO found that there were inadequate measures taken to protect the personal data being processed on its systems as required by the UK GDPR and the company were fined £18.4m.
How Could a Hotel Data Breach Occur?
Significant hotel data breaches can be the result of some form of cybercrime. How can these data breaches happen? Data breaches relating to cyber security lapses include the below:
- Malware is perhaps the most dangerous because of the many forms it can take. These can include viruses, Trojans, spyware, worms, and ransomware where hackers can add a layer of encryption to prevent access and data retrieved. Spam messages can carry malware with them.
- Spyware is designed to remain undetected in the background and take note of what is done online. It will look for passwords, payment card data including names and addresses and other private details.
- Phishing involves posing as a legitimate organisation to get people to reveal private and sensitive information such as a username or password. Hackers can use them to gain ‘legitimate’ access to servers.
Non-Cyber Security Data Breaches
These can involve incidents of human error such as emailing the wrong person, failing to securely dispose of paperwork that contains personal data or colleagues discussing personal information within the earshot of others.
If you have any questions about claiming, why not get in touch? Our advisors are available 24/7 and give free legal advice.
In order to help prevent a hotel data breach, there are a number of steps an organisation can take.
These steps could include:
- Reducing opportunities by privilege control and improved password management. Preventing hacks can be as simple as ensuring all the hotel’s devices are only used for their intended purposes and not personal use. Similarly, remote access needs to be carefully limited with suitable login credentials.
- Addressing any lack of knowledge with appropriate training. Education is probably a hotel’s best defence. If employees can recognise ‘phishing’ attempts they can help protect the business and its customers. With proper training, the hotel’s team can detect and mitigate problems quickly, minimising damage to both the hotel’s data and its reputation.
- Changing the organisation’s culture by encouraging discussion and making it easy to ask questions.
If you become aware of a hotel data breach, you can request them to tell you what data has been breached and what the possible consequences are. Should you suspect there has been wrong-doing and you aren’t getting a satisfactory response from the organisation responsible, you can make a complaint to the regulator the Information Commissioner’s Office (ICO).
The ICO cannot award compensation but its opinion that the UK GDPR has been breached and your data has been compromised can be important evidence for a compensation claim.
If the matter cannot be settled with the organisation, the matter may go to court where your solicitor will represent you, if you choose to use the services of one. The court will decide whether they are liable and how much compensation is to be awarded. However, it’s important to note that the vast majority of claims are settled out of court.
You can start this process by contacting our advisors for more information.
There are two forms of damage that you can claim under data breach law. These are material damages and non-material damages.
This is the amount that is estimated to reimburse you for your financial loss. For example, if your bank or credit card details were subject to a data leak, you may have been charged for items you did not purchase. If your mental health was affected, it could result in missed time at work and a consequent loss of earnings.
Non-material damage relates to what you suffered psychologically and emotionally after the data breach.
Prior to Vidal-Hall and Others v Google , it was necessary to have suffered financially in order to claim compensation for the effect a data breach had on mental health. However, following the Court of Appeal’s decision, it is now possible to seek compensation for psychological damage, such as stress, without having suffered financial loss as a result. You can claim for both or either.
To assist solicitors in determining the quantum of such claims they can use as a reference the Judicial College Guidelines (revised April 2022).
These guidelines are more commonly associated with personal injury law but following Gulati & Others v MGN Ltd  they can be used for what psychological injuries could be worth too. Some examples of the compensation that can be awarded are outlined below.
|Psychiatric Damage Generally||Severe||£54,830 to £115,730||The prognosis is very poor.|
|Psychiatric Damage Generally||Moderately Severe||£19,070 to £54,830||A more positive prognosis than above.|
|Psychiatric Damage Generally||Moderate||£5,860 to £19,070||A good improvement by the time of the trial.|
|Psychiatric Damage Generally||Less Severe||£1,540 to £5,860||Factors that can be taken into account when valuing include: how much sleep was affected, how much everyday activities were impacted and how long the period of disability was.|
|Post-Traumatic Stress Disorder||Severe||£59,860 to £100,670||As a result, the person may not be able to work.|
|Post-Traumatic Stress Disorder||Moderately Severe||£23,150 to £59,860||A better prognosis than the above.|
|Post-Traumatic Stress Disorder||Moderate||£8,180 to £23,150||The person has largely recovered.|
|Post-Traumatic Stress Disorder||Less Severe||£3,950 to £8,180||A practically full recovery within 2 to 2 years.|
If you can’t see your injuries in the compensation table above, get in touch. Our advisors give free legal advice and you won’t be under any obligation to proceed with the services of our panel of solicitors. They can value your claim for free.
Contact us today and we could help you to obtain your hotel data breach compensation. Our panel of solicitors offer all their claimants the opportunity to pursue their claim on a No Win No Fee basis. This means you would pay your solicitor a small percentage of your compensation on the condition that they achieve a successful outcome of your claim. This covers their costs and is capped by law.
You wouldn’t have to pay the solicitor’s fee at all if the claim isn’t successful.
To find out more about No Win No Fee claims please get in touch:
Learn More About Customer Service Data Breaches
The Government has detailed information on the General Data Protection Regulation.
The ICO has information on claiming compensation.
We also have a guide on what you could do if your rights are affected following a data breach.
This guide explores what you could do if you suffer stress due to a data breach.
We also have a guide on data breach compensation.
If you have any questions about hotel data breach claims, why not get in touch?
Checked by HT