I Suffered A Psychological Injury After A Hotel Data Breach. What Are My Rights?
When you stay at a hotel, the establishment may ask you for your personal data. Hotels that operate in the United Kingdom should comply with the General Data Protection Regulation (GDPR). This means that hotels have a duty to safeguard the data they collect from their guests, employees and other individuals. Therefore, if a hotel data breach occurs and victims suffer as a result, the hotel could be held liable for damages.
Have data breaches in the hotel industry caused you to suffer emotionally or financially? Then you may be eligible to make a data breach claim for compensation. Contact Accident Claims UK today for your free legal consultation. A claims advisor will speak to you in depth. And we could put you in touch with a data breach lawyer to start working on your claim.
Or, continue reading to learn more about claiming compensation for a data breach at a hotel.
Select A Section
- A Guide On Claiming For A Hotel Data Breach
- What Personal Data Could A Hotel Chain Hold About Me?
- What Is A Data Breach Claim Against A Hotel?
- Steps A Hotel Should Take If They Have Had A Data Breach
- Examples Of Action Taken By The ICO Against Hotel Chains
- When Could You Have The Right To Claim For A Breach Of The GDPR?
- What Evidence Do You Need To Claim For A Data Breach?
- Hotel Data Breach Compensation Claims Calculator
- Could You Claim Material And Non-Material Damages?
- No Win No Fee Personal Data Breach Claims Against A Hotel
- Talk To An Advisor
- FAQs On GDPR Data Breaches
- Related Guides
In this guide, we will explain how to claim compensation if you have suffered because a hotel caused a data breach. We will look at what is considered a data breach at a hotel. We will also look at how data protection laws apply to hotels in the United Kingdom.
Under the General Data Protection Regulation, hotels have a duty of care to protect any personal data they collect, process and store. They should also be open with you about why they’re using your data and only use it for its intended purposes.
To safeguard your data, hotels may designate a staff member or data protection officer to help prevent data breaches and train others in data safety. What’s more, hotels should have adequate security measures in place to protect the data.
Data breach victims may be eligible to claim compensation if they suffer due to the breach. Accident Claims UK could help you understand whether you have a claim for a data breach at a hotel. Contact us now, and if we can see that you are owed compensation, we could connect you with a skilled data breach solicitor to handle your case.
Time Limits For Making A Data Breach Claim
These are the time limits for beginning a data breach claim in the UK:
- You have six years in which to make a data breach claim; but
- If the data breach affected your human rights, you have one year to claim.
Personal data is information that can identify or be used alongside other information to identify a specific individual. Hotels will collect personal data about their guests, employees and stakeholders for operational purposes.
A hotel chain can hold the following personal data about their guests:
- Home address
- Date of birth
- Email address
- Telephone numbers
- Credit card details
- Bank details
- Password(s) for websites or services
In addition, hotels collect work-specific data about their employees—for example, their job title, job location, payroll information and details of previous performance reviews.
A hotel data breach is a security problem that results in a breach of data protection. Your data could be accidentally or deliberately accessed, destroyed, lost, altered or disclosed without your permission or a lawful reason. Data breaches in the hotel industry that have made the news recently include the Marriott hotel data breach and the Hilton hotel data breach.
Data breaches in hotels can result in the following unwanted events:
- A data leak
- Incidents of data exposure
- The encryption, alteration or destruction of personal data
- The loss or theft of personal data
- An unauthorised person gaining access to the data
- A hotel sharing personal data without your consent or a lawful reason
Why Do Data Breaches Happen?
Human error is often the cause of a data breach at a hotel. For example, a hotel employee may leave a document that contains customers’ data on a public-facing desk. Although the employee may not have intended to cause any harm, unauthorised persons could gain access to the data. This is a breach of personal data.
However, sometimes people with ill intent cause data breaches. One example is an ‘insider threat’, where a person inside an organisation intentionally passes data on to a third party or leaks data online. Employees may become an insider threat for personal reasons or monetary gain.
Similarly, a cyber attack can cause a hotel chain data breach. This is when criminals use hacking or malware to gain unlawful access to a hotel database. Criminals may use the stolen personal information to carry out malicious acts of identity theft or fraud on the people who own the data.
They may access the bank details of employees through payroll systems. In these cases, they could steal from the victim, who may suffer financial loss. The victim may also suffer emotional distress.
If you suffer psychologically or financially because of a data breach, you could claim compensation.
If a data breach occurs and it is notifiable, hotels should report it to the Information Commissioner’s Office (ICO). They have 72 hours to do so. The Information Commissioner’s Office is a public body in the UK responsible for enforcing data protection rights. Following a hotel data breach, the ICO could investigate the incident. Subsequently, they may issue the business with an ICO fine.
Hotels are also responsible for contacting individuals who have been affected by a data breach. You should receive notification of a data breach shortly after the incident took place if it poses a risk to your rights and freedoms.
How Do You Safeguard Against Data Breaches In Hotels?
Under the GDPR, hotels should do the following when handling personal data.
- The hotel should only collect personal data if the data subject has permitted them to do so.
- Moreover, the hotel should explain how and why the data subject’s personal information will be used when it is collected. The hotel can’t use it for another purpose.
- What’s more, the hotel should keep the personal data up to date.
- And finally, the hotel cannot share personal data without permission from the data subject, unless in exceptional circumstances.
Data subjects are individuals whose personal data is collected by an organisation.
You might be eligible to make a data breach claim against a hotel if the company breached your personal data and you suffered as a result. Whether you were a customer, employee or a stakeholder, you could claim. Please contact Accident Claims UK today for more information about making a compensation claim.
We will now look at a case study of a significant data breach in the hotel industry.
The Marriott Hotel Data Breach
The Marriott hotel data breach occurred following a cyberattack on Resorts Worldwide Inc. and Starwood Hotels in 2014. Marriott acquired the company but did not discover the data breach until 2018.
The criminals were able to access the following types of data:
- Phone numbers
- Email addresses
- Unencrypted passport numbers
- Arrival and departure information
- Loyalty programme membership numbers
- Guests’ VIP status
Worldwide, the data breach affected an estimated 339 million people. The hotel breach affected an estimated 7 million UK travellers. In response to the incident, the ICO issued Marriott International Inc. a data breach fine of £18.4 million.
How Does A Cyber Attack Take Place?
Criminals can carry out cyberattacks on hotel companies to gain unlawful access to their databases. Hacking is a type of cyber attack which takes place when criminals break into online systems by exploiting existing weaknesses. Criminals may also use malware, which means malicious software, to steal hotel employee or customer data.
Types of malware include:
- DDoS stands for distributed denial of service. A DDoS attack is when criminals bring down a website or computer network, often holding it for ransom.
- Ransomware can block or encrypt data. The cybercriminal would only release or destroy the data once a ransom has been paid.
- Spyware covertly monitors a computer without the owner’s knowledge. It can be used to steal passwords.
- Rootkits allow criminals to covertly control a computer, without the user’s knowledge.
- Bots (internet robots) can be used to take over a computer.
To make a claim for a breach of the GDPR by a hotel, you will have to meet the following criteria:
- A hotel must have breached your personal data.
- You must have experienced financial loss or a psychological injury as a result of the data breach.
Call Accident Claims UK if you meet these criteria, to see if you could make a hotel data breach claim.
Under the General Data Protection Regulation, members of the public have data protection rights. They include the right to:
- Be informed
- Access their data
- Restrict processing
- Data portability
You also have rights in relation to automated decision making and profiling.
Contact Accident Claims UK today about claiming compensation if a hotel business has breached any of these rights.
To make a successful data breach claim, you will need to provide evidence. You could use any information from the ICO about their investigation of the data breach. Similarly, hotels are supposed to notify victims of a data breach if they’re at risk. You should be able to use your data breach notification as evidence to support your claim.
Moreover, if you suffered psychological injuries such as depression or anxiety, your medical records will be taken into account.
In addition, you could also present financial documents such as bank statements as evidence of any money lost because of the data breach.
You may be wondering how much compensation you could claim if a hotel has breached your personal data. The table below has compensation amounts that could be claimed for emotional distress and psychological injuries caused by a hotel data breach. They are based on guidelines from the Judicial College. (The Judicial College Guidelines is a publication that solicitors may use to value injuries.)
However, the table does not include material damages. Material damages will compensate you for any financial losses incurred and we look at them in the next section.
| Level of Injury | Psychological Injury | About This Injury | Settlement Estimate |
|---|---|---|---|
| Less severe | PTSD | The victim should make a full recovery in around 1 to 2 years. | Up to £7,680 |
| Moderate | PTSD | A victim could already have made a good recovery by the time of the compensation claim. Claimants may still experience some minor effects of their PTSD though. | £7,680 - £21,730 |
| Moderately severe | PTSD | Effects are likely to be continuing, though some recovery may have been made. | £21,730 - £56,180 |
| Severe | PTSD | A victim could have experienced a lasting or permanent form of injury from PTSD. | £56,180 - £94,470 |
| Less severe | Psychiatric Damage | Compensation would take into account the period of disability and the extent to which everyday activities and sleep were impacted. | Up to £5,500 |
| Moderate | Psychiatric Damage | The affected victim may have suffered in areas of their life such as work, education and training or in general relationships, but with marked improvement now. | £5,500 - £17,900 |
| Moderately severe | Psychiatric Damage | A victim could have problems with the factors highlighted above. This victim should have a better outlook than those in the most severe category. | £17,900 - £51,460 |
| Severe | Psychiatric Damage | A victim will have sustained a very severe form of psychiatric injury. | £51,460 - £108,620 |
Please do be aware that how much compensation you receive may vary, depending on your circumstances. A data breach solicitor should be able to assess your claim to see how much it is worth. Then, if they accept your case, they’d work hard to ensure you receive the right amount of compensation. To see if you have a claim for a data breach at a hotel, call Accident Claims UK today.
You could receive two heads of claim if your hotel data breach claim is successful. The first head of claim is material damages. This is compensation for any money lost because of the data breach. Unfortunately, criminals may use stolen data to target the owner for theft or fraud. This means that victims of a data breach can also lose money over time.
What’s more, you could also receive non-material damages. This is compensation to pay for any emotional distress caused by the data breach. Data security breaches can be very traumatic, especially if sensitive data was breached.
In some cases, the victim’s personal security may be jeopardised. This may happen, for instance, if their address was published on the dark web. Therefore some people may develop psychological injuries such as depression or anxiety. You can also claim compensation for these injuries.
Many people who make a data breach claim may feel reluctant to pay their solicitor’s fee upfront. Accident Claims UK can give you the option to make a No Win No Fee agreement with your solicitor. This means that your solicitor will not charge you a solicitor’s fee if they do not win your claim.
With a No Win No Fee agreement, you would pay your solicitor a success fee on the condition that they win your compensation claim. You would not pay the success fee in the instance that you lose your claim.
Other benefits include:
- No ongoing solicitor fees
- You only pay the solicitor’s fee when the compensation comes through
To find out more about a No Win No Fee agreement, get in touch today.
To begin your hotel data breach claim, call Accident Claims UK to speak to an advisor. We will consult with you and, if you have a valid claim, we can assign a data breach lawyer to work on your claim.
Start your claim today by contacting us using the details below:
- Call our helpline on 0800 073 8801
- Fill out our callback form
- Ask our advisors a question using our live chat
We will now answer some frequently asked questions about data breaches.
Who is liable for a data breach?
A hotel, as a data controller, could be liable for a data breach. However, a third party may also be responsible for a data breach. For example, a database software provider could have poor security which leads to a breach. Liability is determined by which party is at fault for causing the data breach or enabling the data breach to happen.
What are the consequences of a data breach?
A data breach can be distressing for those involved. Some victims of a data breach may develop psychological injuries such as depression. They can also be targeted for identity theft or fraud, leading to financial losses.
For a hotel, a data breach can hurt the integrity of its brand.
What can be done to prevent data breaches?
Organisations can prevent data breaches by investing in staff training and having strong internal data management processes. Having an up-to-date cybersecurity system could also be essential.
You may wish to read more about claiming compensation for a data breach. Please feel free to check out these guides.
A guide to dealing with phone, email and text message scams, from the National Cyber Security Centre.
An ICO guide to raising concerns about a data breach with an organisation.
Thank you for reading our guide to hotel data breach claims.
Guide by HC
Edited by RV