The future has arrived, and it has a strange sense of humor. Pokémon Go — an “augmented reality” game that requires players to travel to real world locations to capture imaginary monsters through apps on their mobile devices — is changing how millennials choose their travel destinations and hotels. These games have inspired a new generation of travelers, and present novel opportunities to businesses in the hospitality sector.
Most credit and debit cards in the U.S., and the point of sale terminals and ATMs that read them, still use “magnetic stripe” technology. Magnetic stripes are obsolete and relatively insecure, allowing fraudulent practices such as “skimming” (acquiring cardholder and account data by “reading” the strip, and then making fraudulent transactions or counterfeit cards). Magnetic stripe-based technology also does not support secure data transmission through contact or near-field contactless interfaces, which is seen as impeding the emergence of fully mobile cardless payment modes in the U.S.
For those of you who attended, or did not attend the 14th Annual CIO Summit held in San Diego, California, below is my presentation, “The Blame Game”, which examines common technology procurement challenges associated with identifying the myriad of parties responsible for providing the desired systems or services, and provides recommendations for ensuring that when things go wrong, someone is ultimately responsible.
Feel free to contact me if you have any questions.
The Competition & Markets Authority (CMA), which investigates business practices and enforces anti-competition and consumer protection legislation in the UK, just released a report and call for information that signals more scrutiny for online reviews and endorsements. Though the report does not identify companies or sites that will be the subject of investigation, it expresses a general concern that a number of businesses are breaking the law. The report does not point fingers, but it’s worth noting that the hospitality industry is mentioned several times as an area of particular interest, based in part on a survey conducted by the British Hospitality Association in March of this year. Consumer reliance on reviews for vacation travel, the relatively higher cost for hospitality related services, and the sensitivity of the hospitality related services to negative reviews were cited by the CMA as reasons why the industry is an area of particular concern.
UK regulations are, of course, aimed at protecting UK consumers, but U.S. companies are well advised to take heed of the report’s warnings and recommendations because, as the report notes, the CMA plans to assume the Presidency of the International Consumer Protection and Enforcement Network (ICPEN), of which the U.S. is an active member. And, the practices flagged by the CMA, as well as the steps businesses can take to address the CMA’s concerns, closely parallel those identified by the Federal Trade Commission (FTC).
So, whether your customers are here in the States or abroad, the following practices may result in an investigation by the CMA (or FTC):
- Writing or commissioning fake negative or positive reviews.(Your marketing firm could also be on the hook for setting up fake Twitter or Facebook accounts to submit reviews).
- Cherry-picking positive reviews or suppressing negative reviews. (Your website user agreement or comments policy may well allow you to edit or delete user content containing expletives or other inappropriate material, but if those expletives all happen to be in negative reviews of your product or service, you need to consider what disclosures may be necessary to ensure the reviews as a whole are a fair and accurate representation of the actual comments received).
- Failing to disclose paid reviews or endorsements. (Whether its cash, a free dessert, or award points, you need to disclose compensation or incentives given to individuals submitting reviews or endorsements).
The best practices recommended by the CMA similarly echo the FTC’s guidelines:
- Be clear with your marketing department or outside marketing firm that they may not write or solicit reviews. Documenting that parameter in a letter or agreement will provide a paper trail that could prove handy down the road.
- If you do provide compensation or incentives for reviews or endorsements, be sure that that fact is clearly disclosed, e.g., by using a hash tag like “#paid ad.”
- Promptly publish all reviews, even negative ones. If reviews have been edited or deleted (e.g., to remove expletives), clearly disclose your policy or basis for doing so.
- Establish a procedure (whether in house or with your marketing firm) for detecting and removing fake reviews.
In conjunction with the report, the CMA published summaries on how to comply with UK consumer protection law on online reviews and endorsements.
Ultimately, the CMA and FTC share a common purpose: to protect consumers from unfair or deceptive business practices by protecting the consumer’s ability to make meaningful choices. Disclosure of the connection between a review or endorsement and its source (i.e., an independent individual or a sponsoring company) is essential to meaningful consumer choice. So, in devising your marketing strategy, especially if it includes a forum for consumer reviews, ask whether you’ve given your customer the information necessary to make a meaningful decision about your product or service. Doing so not only helps build brand loyalty, it could help avoid an investigation by the CMA (or FTC).
In today’s post, Malcolm Seymour, a member of our New York office who specializes in commercial litigation and regulatory enforcement actions, discusses the benefits and legal considerations for those who provide free WiFi to their hospitality customers.
Whether booking a hotel, reserving a flight or choosing a café, hospitality customers are increasingly influenced by the quality and availability of high-speed wireless internet networks (“WiFi”) at their chosen destination. One third of all hotel guests, and two thirds of all business travelers, say that they would refuse to return to a hotel with substandard WiFi. And with the advent of free web services that monitor hotel WiFi performance, it is easier than ever for customers to vote with their feet.
But the road to free WiFi is not without peril. Hosts of open WiFi networks risk loss of service, or potential liability under United States and international copyright laws, for infringing acts committed by their users.
The good news is that hotspot operators in the United States can, through the adoption of best practices, shield themselves from most legal liability under the Digital Millennium Copyright Act (“DMCA”). Under the DMCA, Internet service providers -- including WiFi hosts -- are not supposed to be liable for copyright infringements committed by users if they act as “mere conduits” for user traffic. The DMCA creates a safe harbor for such conduits, provided they meet several criteria:
- The WiFi host must not initiate the transmission (upload or download) of information over their network;
- The host must not mediate this transmission in any way, i.e. by specifying a recipient for the transmission, specifying the material to be transmitted, or modifying the content transmitted;
- The host must not store copies of the content transmitted for longer than necessary to complete the transmission;
- The host must adopt and reasonably implement a “take-down” plan for responding to notices of infringement and for banning repeat infringers; and
- The host must not interfere with standard technical measures used for copyright protection, such as watermarks on images, password protection, or other digital rights management devices.
Hotels should ensure that their wireless networks are enabled to comply with these requirements, especially when it comes to suspending service to repeat infringers. Hotels that have implemented reasonably thorough policies to guard against copyright infringement should be safe if litigation erupts over piracy committed by a hotel guest or visitor.
The bad news -- we are lawyers after all -- is that copyright violations can still cause law-abiding hotspot operators big headaches with their service providers, even placing them at risk of service suspension. What’s more, copyright law varies between countries, and not all travel destinations have kept pace with the United States in modernizing their laws to accommodate open sharing of WiFi connections.
Germany is perhaps the most notorious outlier, thanks to a 2012 decision and subsequent enactment that hold operators of unsecured WiFi networks liable for the copyright infringement of their users. Backlash against these laws has prompted Germany’s current parliament to propose a repeal of this law. New Zealand is another destination known for its harsh “three strikes” rule, which may necessitate implementation of special software protocols to prevent peer-to-peer sharing over WiFi networks.
With the rise of smartphones and handheld devices, hospitality customers increasingly view open WiFi as a necessity rather than a luxury. Customers, while rarely grateful for strong service or fast connection speeds, will notice and complain if service is lacking. But as these examples show, operating a WiFi hotspot introduces serious risks that can only be mitigated by someone with knowledge of local law.
As featured in her previous blog posts regarding the battle over negative online reviews, Hospitality, Travel and Tourism practice team member, Judy Endejan, updates us on the results of Yelps! latest case. Thank you, Judy! – Greg
In the past twelve months we have reported on a Virginia case, Yelp!, Inc., v. Hadeed Carpet Cleaning, Inc., (“Hadeed”) that was closely watched because the case dealt with whether a business owner could unmask an anonymous blogger that posted specific critical reviews on Yelp! of his carpet cleaning company. This week the Virginia Supreme Court said, “No”. Hadeed had subpoenaed Yelp! to provide information in Virginia that would identify the authors of the reviews under a new Virginia statute, that requires only that a business prove that a negative review is, or “may be defamatory” or that it has a legitimate good-faith basis for believing that the review is defamatory in order to learn the identity of the reviewer. Hadeed presented evidence that could prove that the seven negative reviewers were not actual customers of the carpet cleaners, which a lower court found could mean that the reviews could be defamatory.
The Virginia Supreme Court in a fairly short, succinct opinion, held that the lower courts were wrong because Virginia courts do not have subpoena authority over nonresident non-parties like Yelp!. Even though it was registered to do business in Virginia, that is not enough for a court to require Yelp!, a non-resident, to respond to a Virginia subpoena. Yelp!, a Delaware corporation, has its primary headquarters in California. Thus, Hadeed might be able to subpoena Yelp! to produce documents in California but the business could not require Yelp! to respond in Virginia. The Uniform Depositions and Discovery Act allows litigants to get discovery from non-parties in the states where the non-parties reside.
How secure is the data on your office copier? Today's post from Benjamin Lambiotte, technology and data privacy attorney in Garvey Schubert Barer's D.C. office, outlines the data security risks associated with office machines, as well as the warning signs and steps that you can take to reduce those risks. Thank you, Ben! - Greg
Current generation multifunction printer/scanner/copier devices are convenient, inexpensive, and very popular. Often overlooked is the fact that most modern printers, copiers, and scanners have many of the same attributes of computers, and are just as vulnerable to the same kind of cyber exploits and attacks as computers. A truly comprehensive data security and privacy risk management approach requires that these commonplace devices be viewed as an integral part of an enterprise’s IT systems, and that device-specific measures be taken to secure them. The National Institute of Standards and Technology (“NIST”) last month published a report on risk management practices for “replication devices,” The NIST report identifies risks associated with such devices, and provides guidance on protecting the confidentiality and integrity of information processed, stored, or transmitted on them.
- Default administration/configuration passwords: Many devices have default passwords which can be easily obtained and used to access stored data, or to control the device.
- Data capture: Unless encrypted, data transmitted or stored, including passwords, configuration settings, and data from stored jobs, is vulnerable to interception or modification.
- Spam: Unless properly configured and without proper access control, many devices will process any job submitted, which could waste paper, toner, and ink, and tie up the device.
- Alteration/corruption of data: If passwords or configurations are changed, denials of service for authorized purposes or potential damage to the device could result.
- Outdated and/or unpatched operating systems and firmware: Many devices run an embedded operating system, making them subject to the same threats as any other computer running those operating systems. Also, older devices may have embedded versions of operating systems no longer supported by the manufacturer, which may leave “unpatched” security issues.
- Open ports/protocols: For devices that can connect to local networks or the Internet via wireless or ports, open ports and protocols allow data to flow to and from a device. Through open ports, attackers may gain undetected access, and data tampering, unauthorized access, and denial of service can result.
The Report identified several signs indicating that the security of such a device may be compromised:
- Display malfunctions or shows incorrect information;
- Materials (ink, paper, or other supplies) run out faster than usual;
- Increased number of failed or timed-out jobs;
- Unexplained/unauthorized changes in configuration settings;
- Device completes processes slower than expected;
- Device uses more network time/bandwidth than usual;
- Time stamps do not align or make logical sense;
- Communications with unknown IP or email addresses increase; and
- Markings indicating tampering around key areas of the device (e.g., hard drive or SSD compartment, display area).
An Appendix to the Report provides a very useful device risk assessment template and checklist. It gives practical guidance on best security practices, across the entire lifecycle of the device. Examples of some countermeasures include:
- At acquisition, or in third party supply and support contracts, ensure that the device meets common data security standards, is capable of operating in a secure mode, and that the OS is actively supported by the OEM;
- At deployment, change vendor default passwords, and configure the device to operate in a secure mode;
- During operation, control device access through PINS and passwords, control physical access to the device itself and its components, such as the SSD or hard drive, and track usage, ensure that stored and transmitted data are encrypted, and timely implement OEM security “patches” and fixes;
- During operation, control network access using standard organization practices, close unused open ports and protocols, disable wireless identifier broadcasting, and configure the device to prevent communications to and from unknown and unwanted addresses (blacklist/whitelist); and
- When taking the device out of service, change all passwords and PINS to vendor defaults, and remove or sanitize all hard drives and SSDs on which data may be stored.
The NIST report is available here.
Don’t miss out on the Third Annual Travel & Technology Conference/TNT: Connecting Concepts with Cash, scheduled for March 17, 2015, Hilton Union Square, in San Francisco, CA. This year’s event is being produced by our friends at Hospitality Upgrade, and looks to be another great conference, including a $10,000 prize package for the winning pitch company! In addition to pitches by some of the industry’s most exciting start-ups, this year’s event will feature presentations and discussions on big data, distribution and restaurants, among other things. For more detailed information, please see link to Agenda. If you are interested in attending, please see registration link here -- I look forward to seeing you at the conference! – Greg
Are your employees using company email during nonworking hours? Victoria Slade, member of our Labor and Employment Group, brings us the latest developments in NLRB’s ruling and important policy changes that employers can implement to comply with the ruling. Thank you, Vicky! – Greg
As you may have heard, the NLRB recently ruled that employees who are given access to their employer’s email system for their jobs must be permitted to use that email system during nonworking time to engage in protected activity, such as forming a union or discussing terms and conditions of employment. This ruling applies to both unionized and non-unionized workforces. The ruling has caused some controversy because it overturned long-established precedent. It is not, however, a reason to panic. Employers who are already complying with the NLRB’s guidance on social media need only make a few changes to their policies.
The case is called Purple Communications, Inc., and all 70-plus pages of the order are available here (under “Board Decision” dated 12/11/2014). The rule before this case was that an employer had the right to restrict non-business use of its email system, so long as it did so in a non-discriminatory fashion. In Purple, the Board held that employees must be granted access to use their employer’s email system during nonworking time to engage in protected activity, such as discussing terms and conditions of employment. Employers with a strict rule that work email is for business use only will therefore need to revise their policy to allow employees to use company email during nonworking time to engage in protected activity. There are some limited exceptions to this rule, for circumstances where permitting use of company email for protected activity will seriously disrupt productivity or business operations. If you think this is the case for your business, please contact us, and we can help you craft a policy that should satisfy the NLRB.
If, like many employers, you already allow non-business use of work email during nonworking time, this decision still impacts you. Most employers have some kind of policy that regulates what employees can do on the company’s email and other communication systems. Because the Purple ruling requires employers to allow employees to use company email to engage in protected activity, restrictions that infringe on this right are no longer OK. This, too, is no reason to panic, however, because it simply means your use of technology policy has to look a bit more like your social media policy (you have one of those, right?). As discussed in the blog posts available here, the Board has already issued a series of rulings and memoranda explaining how it will evaluate social media policies. Generally speaking, the Board has stated that a policy will be struck down if it could be read by a reasonable employee to prohibit protected activity, such as engaging in collective action or discussing conditions of employment.
Although Purple Communications was a dramatic opinion, in that it overturned decades of previous Board law, it should not be difficult for businesses to adapt.
Following up on her previous blog posts, Hospitality, Travel and Tourism practice team member, Judy Endejan, shares the latest legal developments in the battle over negative on-line reviews. Thank you, Judy! – Greg
The latest skirmish between businesses and negative on-line reviewers resulted in a win for TripAdvisor. On December 30, 2014 an Oregon trial court ruled that Oregon’s Shield Law protects TripAdvisor from having to disclose the true identity of a poster on its on-line reviewing service. The Ashley Inn, from Lincoln City, sued TripAdvisor reviewer, “12Kelly,” who posted several scathing reviews about the Inn. The Ashley Inn sought to compel the identity of “12Kelly.” A Multnomah County circuit judge refused to do so by applying Oregon’s Media Shield Law, ORS 44.520. That statute protects a reporter from having to disclose the source for information used to prepare a news report. The court found that the Shield Law protected TripAdvisor because it is a “medium of communication.” Hence, TripAdvisor did not have to disclose the identity of its “source” - “12Kelly.”
This case is significant because this is one of the first rulings to apply a state media shield law to preclude the identification of an anonymous on-line reviewer. Traditionally, a shield law protects reporters from compelled disclosure of confidential information or sources in state court. (There is no federal shield law yet.) The policy behind a shield law is to further First Amendment goals by protecting the news gathering process, thereby enhancing the free flow of information. This process can depend upon information from anonymous sources. Without protection against disclosure, such sources may not come forward with information of great public concern.
As a result of the trial court’s ruling, the Ashley Inn cannot proceed with its defamation case because it cannot discover the party responsible for the alleged defamation in the bad review. The Inn’s owners contend that 12Kelly’s negative statements were false, because 12Kelly never registered as a hotel guest, based upon what could be learned about him from the on-line reviews.
The Oregon ruling contrasts with one from Virginia currently pending at the Virginia Supreme Court. That case Yelp!, Inc., v. Hadeed Carpet Cleaning, Inc., is being closely watched because the issue in that case is whether a business owner can unmask an anonymous blogger that posted specific critical reviews of his carpet cleaning company. However, the Virginia ruling appears based on a Virginia statute, and not upon a shield law. That Virginia statute requires only that a business prove that a negative review is, or “may be defamatory,” or that it has a legitimate good-faith basis for believing that the review is defamatory in order to learn the identity of the reviewer. Hadeed Carpet Cleaning presented evidence that could prove that the seven negative reviewers were not actual customers of the carpet cleaners, which the court found could mean that the reviews could be defamatory.
We will report the Virginia Supreme Court ruling once it is handed down, but the Virginia case may be an anomaly because courts seem more inclined to do what it takes to preserve the freedom of on-line reviewers to post comments, as in the recent Oregon decision.
Greg Duff, Editor
Greg Duff founded and chairs GSB’s national Hospitality, Travel & Tourism group. His practice largely focuses on operations-oriented matters faced by hospitality industry members, including sales and marketing, distribution and e-commerce, procurement and technology. Greg also serves as counsel and legal advisor to many of the hospitality industry’s associations and trade groups, including AH&LA, HFTP and HSMAI.