Class-Action Lawsuit: Is There a Duty to Prevent Ransomware?

Earlier this month, hotel giant InterContinental Hotels group suffered a ransomware attack that took their reservations and other platforms offline. It’s not the first time that InterContinental Hotels suffered a data breach, nor was it the first time that a major hotel chain suffered a data breach. However, as a result of the ransomware attack, consumers were unable to reserve hotel stays, access their rewards programs or otherwise utilize the services of the hotel.

So, obviously, a class-action lawsuit was filed. But the lawsuit was not filed by consumers, vendors or third parties. The lawsuit was filed by franchisees of the hotel chain who claimed that the hotel’s failure to prevent the ransomware attack from disrupting their services prevented these franchisees from booking reservations and from servicing their own clients and customers. Because the franchisees were contractually obligated to deal only with the parent company and because the parent company had an exclusive obligation to provide technology services to the franchisees, the franchisees claimed in the lawsuit that the parent company was legally obligated to pay the damages resulting to the franchisees as a result of the ransomware attack.

The lawsuit, filed September 15, 2022, in federal court in Atlanta, Georgia, alleged that the franchisees were “at the mercy” of the parent company and depended upon the parent company to obtain secure reservations. The complaint notes:

“Plaintiffs and Class Members are truly at the mercy of IHG in that the License Agreement mandates that they have no choice but to use and to pay for IHG’s reservation system (“IHG Concerto”) and technology, but in the event of a data security incident that compromises the system and, in turn, makes it impossible for guests to book rooms on IHG Concerto (not to mention third party booking sites like Expedia and Booking.com), there is no recourse for them to obtain compensation.

As a result of IHG’s actions and inactions, Plaintiffs have incurred significant damages in the form of lost revenue from bookings, loss of consumer goodwill, additional (and unavoidable) use of employee time dealing with the fallout from the Data Breach, including working with guests on cancellations, re-bookings and related issues.”

The complaint further alleged that the parent company was obligated by contract to provide certain core services to the franchisees, including a working reservation system, a revenue management system, a content management system, guest relations services and hotel operations in sight, as well as to provide network connectivity, system integration and system interfaces between the hotel franchisees and the parent company. The franchisees not only relied on the continuing operation of these services and continuing functioning of the services but, under the franchise agreements, paid for these services from the parent company. This included entering into a master technology services agreement that set out the rules for connecting to the reservations and payment systems.

On September 6, 2022, the parent company suffered a computer security incident in which its booking systems and mobile applications were compromised and became unavailable for reservations. It also meant that the franchisees were unable to post prices (including discount prices) on third-party sites such as Expedia and Booking.com. The parent company reported the incident to both customers and franchisees.

The class-action lawsuit alleged that the hotel chain took a “lackadaisical approach to data security” and that it had failed to adequately respond to the data breaches that occurred not only at the parent company but at other hotels and others in the hospitality and consumer-facing industries. The lawsuit noted that “hotels are an attractive target for hackers because they hold a lot of sensitive information including credit card and passport details but often don’t have security standards as tough as those of more regulated industries like banking.” The class-action lawsuit also referenced numerous statements made by the parent company about the importance of cybersecurity, the company’s commitment to cybersecurity and statements the parent company made in public filings about how it protected data.

The complaint essentially alleged that the franchise agreement, technology agreements and other contracts between the franchisees and the parent company establish a duty on the part of the parent company not only to protect the confidentiality of data but the availability of data systems upon which the franchisees rely. Essentially, guaranteed uptime. In addition, they allege violations of the Georgia Uniform Deceptive Trade Practices Act by promising to the consuming public that they have adequate data security practices and incident response practices when, in fact, according to the complaint, the parent company’s practices were inadequate. The complaint also alleged that the parent company was negligent in responding to prior data breaches, was negligent in protecting data and was negligent in preventing the ransomware attack which occurred earlier in September.

What is interesting about the complaint is the allegation of a duty of due care on the part of the company not only to its customers, shareholders, vendors and suppliers but also to its employees and franchisees. While this theory is not unprecedented—and, indeed, the U.S. government alleged that Uber violated its duty to protect the confidentiality of its employees and drivers in failing to adequately respond to a data breach—the case illustrates the fact that when a ransomware attack disrupts business and a company is unable to fulfill its contractual obligations to any third party, that third party may sue not only for breach of the contractual obligations but also for potential breach of the duty to ensure the company is not attacked by ransomware.

The duty to prevent data breaches and the duty to prevent ransomware are somewhat different duties. A data breach duty arises from the fact that a company is a custodian of personal data about a third party and may have made promises or representations about how it intends to protect that data, or it may have a legal obligation to protect that data imposed by some data privacy or data security law. The duty to prevent ransomware, on the other hand, typically arises out of some service level agreement, where a company agrees to provide some product, goods or services in a timely manner. In the case of the franchisees, they allege that they were wholly dependent upon the parent company to provide a full range of technological services and that, when the parent company was unable to do so, whether negligently or not, it breached the contract to provide those services.

The lesson that companies need to take to heart from this litigation is that the obligation to prevent ransomware so that a company can continue functioning appropriately implicates not only contractual obligations to provide goods and services but calls into question the general duty to prevent these disruptions through reasonable means. That duty may stand whether or not it impacts the customer’s ability to perform.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.