Last week, a deal was reached in Andrew Parsons v. Kimpton Hotel & Restaurant Group LLC, in the U.S. District Court for the Northern District of California. The suit was filed by former guests whose credit card information was stolen when Kimpton was the victim of a point-of-sale malware attack at more than 60 hotels and restaurants. The malware was on Kimpton’s servers from February 2016 until it was discovered in July of the same year when Kimpton immediately notified all guests who had used credit cards at the front desk at one of its properties. However, despite Kimpton’s attempts to protect its customers, a court found in favor of plaintiffs in the class-action suit seeking compensation for “time and effort” to replace hacked credit cards and monitor their credit, even though the card issuers had covered any losses due to the data breach. A Kimpton spokesperson gave this statement to MeetingsNet:
“In an effort to expedite resolution, we have reached an initial proposed agreement on terms and look forward to the court’s approval on the matter.”
The agreement proposes a $250 reimbursement to former guests for out-of-pocket expenses, such as bank and overdraft fees, long-distance calls, and cell phone charges, and up to $10,000 for “extraordinary losses,” such as a canceled or over-the-limit card that affects a vacation or business transaction. The settlement is capped at $600,000 for the total amount of claims.
While there are arguments against giving standing to consumers who haven’t personally suffered a loss (here is a legal commentary on the lawsuit from 2017) the case highlights how vulnerable businesses are now that the impact of a data breach on consumers is measured not just financially, but in personal inconvenience.
Many hotels before Kimpton have publicly admitted this type of malware attack in the past, including Trump Hotels (several times), Starwood Hotels, and Mandarin Oriental, which suggests that perhaps planners booking hotels should ask about insurance coverage for similar suits and have contract clauses that protect them if a client’s data is breached. For consumers, it may be worth taking advantage of the free data privacy tools that many credit card companies offer, such as social security number and credit application monitoring. While financial compensation for simply calling the bank and getting a new card might seem a little over the top, most consumers would prefer to find a way to avoid having to change account numbers on multiple standing orders or transferring money while on a business trip, in the first place.