What Are My Rights After A Hotel Data Breach?

I Suffered A Psychological Injury After A Hotel Data Breach. What Are My Rights?

When you stay at a hotel, the establishment may ask you for your personal data. Hotels that operate in the United Kingdom should comply with the General Data Protection Regulation (GDPR). This means that hotels have a duty to safeguard the data they collect from their guests, employees and other individuals. Therefore, if a hotel data breach occurs, and victims suffer as a result, the hotel could be held liable for damages.

Have data breaches in the hotel industry caused you to suffer emotionally or financially? Then you may be eligible to make a data breach claim for compensation. Contact Accident Claims UK today for your free legal consultation. A claims advisor will speak to you in depth. And we could put you in touch with a data breach lawyer to start working on your claim.

Contact us so we can start working on your claim:

Or, continue reading to learn more about claiming compensation for a data breach at a hotel.

A Guide On Claiming For A Hotel Data Breach

In this guide, we will explain how to claim compensation if you have suffered because a hotel caused a data breach. We will look at what is considered a data breach at a hotel. We will also look at how data protection laws apply to hotels in the United Kingdom.

Under the General Data Protection Regulation, hotels have a duty of care to protect any personal data they collect, process and store. They should also be open with you about why they’re using your data and only use it for its intended purposes.

To safeguard your data, hotels may designate a staff member or data protection officer to help prevent data breaches and train others in data safety. What’s more, hotels should have adequate security measures in place to protect the data.

Data breach victims may be eligible to claim compensation if they suffer due to the breach. Accident Claims UK could help you understand whether you have a claim for a data breach at a hotel. Contact us now, and if we can see that you are owed compensation, we could connect you with a skilled data breach solicitor to handle your case.

Time Limits For Making A Data Breach Claim

These are the time limits for beginning a data breach claim in the UK:

  • You have six years in which to make a data breach claim; but
  • If the data breach affected your human rights, you have one year to claim.

What Personal Data Could A Hotel Chain Hold About Me?

Personal data is information that can identify or be used alongside other information to identify a specific individual. Hotels will collect personal data about their guests, employees and stakeholders for operational purposes.

A hotel chain can hold the following personal data about their guests:

  • Name(s)
  • Home address
  • Date of birth
  • Email address
  • Telephone numbers
  • Credit card details
  • Bank details
  • Password(s) for websites or services

In addition, hotels collect work-specific data about their employees—for example, their job title, job location, payroll information and details of previous performance reviews.

What Is A Data Breach Claim Against A Hotel?

A hotel data breach is a security problem that results in a breach of data protection. Your data could be accidentally or deliberately accessed, destroyed, lost, altered or disclosed without your permission or a lawful reason. Data breaches in the hotel industry that have made the news recently include the Marriott hotel data breach and the Hilton hotel data breach.

Data breaches in hotels can result in the following unwanted events:

  • A data leak
  • Incidents of data exposure
  • The encryption, alteration or destruction of personal data
  • The loss or theft of personal data
  • An unauthorised person gaining access to the data
  • A hotel sharing personal data without your consent or a lawful reason

Why Do Data Breaches Happen?

Human error is often the cause of a data breach at a hotel. For example, a hotel employee may leave a document that contains customers’ data on a public-facing desk. Although the employee may not have intended to cause any harm, unauthorised persons could gain access to the data. This is a breach of personal data.

However, sometimes people with ill intent cause data breaches. One example is an ‘insider threat’, where a person inside an organisation intentionally passes data on to a third party or leaks data online. Employees may do this for personal reasons or monetary gain.

Similarly, a cyber attack can cause a hotel chain data breach. This is when criminals use hacking or malware to gain unlawful access to a hotel database. Criminals may use the stolen personal information to carry out malicious acts of identity theft or fraud on the people who own the data.

Criminals may access the bank details of employees through payroll systems. In these cases, they could steal from the victim, who may suffer financial loss. The victim may also suffer emotional distress.

If you suffer psychologically or financially because of a data breach, you could claim compensation.

Steps A Hotel Should Take If They Have Had A Data Breach

If a data breach occurs and it is notifiable, hotels should report it to the Information Commissioner’s Office (ICO). They have 72 hours to do so. The Information Commissioner’s Office is a public body in the UK responsible for enforcing data protection rights. Following a hotel data breach, the ICO could investigate the incident. Subsequently, they may issue the business with an ICO fine.

Hotels are also responsible for contacting individuals who have been affected by a data breach. You should receive notification of a data breach shortly after the incident took place if it poses a risk to your rights and freedoms.

The General Data Protection Regulation (GDPR) protects the data privacy and security of the public. It is EU legislation. The Data Protection Act 2018 enacts it into the United Kingdom’s laws.

How Do You Safeguard Against Data Breaches In Hotels?

Under the GDPR, hotels should do the following when handling personal data.

  1. The hotel should only collect personal data if the data subject has permitted them to do so.
  2. Moreover, the hotel should explain how and why the data subject’s personal information will be used when it is collected. The hotel can’t use it for another purpose.
  3. What’s more, the hotel should keep the personal data up to date.
  4. And finally, the hotel cannot share personal data without permission from the data subject, unless in exceptional circumstances.

Data subjects are individuals whose personal data is collected by an organisation.

You might be eligible to make a data breach claim against a hotel if the company breached your personal data and you suffered. Whether you were a customer, employee or a stakeholder, you could claim. Please contact Accident Claims UK today for more information about making a compensation claim.

Examples Of Action Taken By The ICO Against Hotel Chains

We will now look at a case study of a significant data breach in the hotel industry.

The Marriott Hotel Data Breach

The Marriott hotel data breach occurred following a cyberattack on Resorts Worldwide Inc. and Starwood Hotels in 2014. Marriott acquired the company but did not discover the data breach until 2018.

The criminals were able to access the following types of data:

  • Phone numbers
  • Names
  • Email addresses
  • Unencrypted passport numbers
  • Arrival and departure information
  • Loyalty programme membership numbers
  • Guests’ VIP status

Worldwide, the data breach affected an estimated 339 million people. The hotel breach affected an estimated 7 million UK travellers. In response to the incident, the ICO issued Marriott International Inc. a data breach fine of £18.4 million.

How Does A Cyber Attack Take Place?

Criminals can carry out cyberattacks on hotel companies to gain unlawful access to their databases. Hacking is a type of cyber attack which takes place when criminals break into online systems by exploiting existing weaknesses. Criminals may also use malware, which means malicious software, to steal hotel employee or customer data.

Types of malware include:

  • DDoS stands for distributed denial of service. It is when criminals bring down a website or computer network, often holding it for ransom.
  • Ransomware can block or encrypt data. The cybercriminal would only release or destroy the data once a ransom has been paid.
  • Spyware covertly monitors a computer without the owner’s knowledge. It can be used to steal passwords.
  • Rootkits allow criminals to covertly control a computer, without the user’s knowledge.
  • Bots (internet robots) can be used to take over a computer.

When Could You Have A Right To Claim For A Breach Of The GDPR?

To make a claim for a breach of the GDPR by a hotel, you will have to meet the following criteria:

  1. A hotel must have breached your personal data.
  2. You must have experienced financial loss or a psychological injury as a result of the data breach.

Call Accident Claims UK if you meet these criteria, to see if you could make a hotel data breach claim.

Under the General Data Protection Regulation, members of the public have data protection rights. They include the right to:

  • Be informed
  • Access their data
  • Rectification
  • Erasure
  • Restrict processing
  • Data portability
  • Objection

You also have rights in relation to automated decision making and profiling.

Contact Accident Claims UK today about claiming compensation if a hotel business has breached any of these rights.

What Evidence Do You Need To Claim For A Data Breach?

To make a successful data breach claim, you will need to provide evidence. You could use any information from the ICO about their investigation of the data breach. Similarly, hotels are supposed to notify victims of a data breach if they’re at risk. You should be able to use your data breach notification as evidence to support your claim.

Moreover, if you suffered psychological injuries such as depression or anxiety, your medical records will be taken into account.

In addition, you could also present financial documents such as bank statements as evidence of any money lost because of the data breach.

Hotel Data Breach Compensation Calculator

You may be wondering how much compensation you could claim if a hotel has breached your personal data. The table below has compensation amounts that could be claimed for emotional distress and psychological injuries caused by a hotel data breach. They are based on guidelines from the Judicial College. (The Judicial College Guidelines is a publication that solicitors may use to value injuries.)

However, the table does not include material damages. Material damages will compensate you for any financial losses incurred and we look at them in the next section.

| Level of Injury | Psychological Injury | About This Injury | Settlement Estimate |
|---|---|---|---|
| Less severe | PTSD | The victim should make a full recovery in around 1 to 2 years. | Up to £7,680 |
| Moderate | PTSD | A victim could already have made a good recovery by the time of the compensation claim. Claimants may still experience some minor effects of their PTSD though. | £7,680 - £21,730 |
| Moderately severe | PTSD | Effects are likely to be continuing, though some recovery may have been made. | £21,730 - £56,180 |
| Severe | PTSD | A victim could have experienced a lasting or permanent form of injury from PTSD. | £56,180 - £94,470 |
| Less severe | Psychiatric Damage | Compensation would take into account the period of disability and the extent to which everyday activities and sleep were impacted. | Up to £5,500 |
| Moderate | Psychiatric Damage | The affected victim may have suffered in areas of their life such as work, education and training or in general relationships, but with marked improvement now. | £5,500 - £17,900 |
| Moderately severe | Psychiatric Damage | A victim could have problems with the factors highlighted above. This victim should have a better outlook than those in the most severe category. | £17,900 - £51,460 |
| Severe | Psychiatric Damage | A victim will have sustained a very severe form of psychiatric injury. | £51,460 - £108,620 |

Please do be aware that how much compensation you receive may vary, depending on your circumstances. A data breach solicitor should be able to assess your claim to see how much it is worth. Then, if they accept your case, they’d work hard to ensure you receive the right amount of compensation. To see if you have a claim for a data breach at a hotel, call Accident Claims UK today.

Could You Claim Material And Non-Material Damages?

You could receive two heads of claim if your hotel data breach claim is successful. The first head of claim is material damages. This is compensation for any money lost because of the data breach. Unfortunately, criminals may use stolen data to target the owner for theft, or fraud. This means that victims of a data breach can also lose money over time.

What’s more, you could also receive non-material damages. This is compensation to pay for any emotional distress caused by the data breach. Data security breaches can be very traumatic, especially if sensitive data was breached.

In some cases, the victim’s personal security may be jeopardised. This may happen, for instance, if their address was published on the dark web. Therefore some people may develop psychological injuries such as depression or anxiety. You can also claim compensation for these injuries.

No Win No Fee Personal Data Breach Claims Against A Hotel

Many people who make a data breach claim may feel reluctant to pay for their solicitor’s fee upfront. Accident Claims UK can give you the option to make a No Win No Fee agreement with your solicitor. This means that your solicitor will not charge you a solicitor’s fee if they do not win your claim.

With a No Win No Fee agreement, you would pay your solicitor a success fee on the condition that they win your compensation claim. You would not pay the success fee in the instance that you lose your claim.

Other benefits include:

  • No ongoing solicitor fees
  • You only pay the solicitor’s fee when the compensation comes through

To find out more about a No Win No Fee agreement, get in touch today.

Talk To An Advisor

To begin your hotel data breach claim, call Accident Claims UK to speak to an advisor. We will consult with you and, if you have a valid claim, we can assign a data breach lawyer to work on your claim.

Start your claim today by contacting us using the details below:

FAQs On GDPR Data Breaches

We will now answer some frequently asked questions about data breaches.

Who is liable for a data breach?

A hotel, as a data controller, could be liable for a data breach. However, a third party may also be responsible for a data breach. For example, a database software provider could have poor security which leads to a breach. Liability is determined by which party is at fault for causing the data breach or enabling the data breach to happen.

What are the consequences of a data breach?

A data breach can be distressing for those involved. Some victims of a data breach may develop psychological injuries such as depression. They can also be targeted for identity theft or fraud, leading to financial losses.

For a hotel, a data breach can hurt the integrity of its brand.

What can be done to prevent data breaches?

Organisations can prevent data breaches by investing in staff training and having strong internal data management processes. Having an up-to-date cybersecurity system could also be essential.

Related Guides

You may wish to read more about claiming compensation for a data breach. Please feel free to check out these guides.

What Are My Rights After A Dentist Data Breach?

What Are My Rights After A Nursery Data Breach?

My Rights After An Employer Data Breach

Your Rights After A Pharmacy Data Breach

Comparison Site Data Breach: Your Rights

Your Rights Following A Private Healthcare Provider Data Breach

External Guides

A guide to dealing with phone, email and text message scams, from the National Cyber Security Centre.

An ICO guide to raising concerns about a data breach with an organisation.

An ICO guide to data controllers and data processors.

Thank you for reading our guide to hotel data breach claims. 

Guide by HC

Edited by RV