Hotels and casinos are prime targets for cyber attacks. These establishments collect vast amounts of sensitive personal information, such as names, addresses, credit card numbers, and passport details. While guests expect their data to be protected, breaches are increasingly common. These privacy violations put travelers at risk of identity theft and financial losses.
With its high volume of visitors and lucrative casino operations, Las Vegas is particularly vulnerable. A single successful cyber attack can compromise the data of thousands of guests. At the Cottle Firm, our Abogados de lesiones en hoteles y casinos de Las Vegas help victims of cyber attacks take legal action against these properties for failing to keep their data safe. Contact us today at 702-834-8000 to learn more about your legal rights in a free consultation.
Overview of Data Security in Hotels
Hotels and casinos collect a wide range of personal and financial information from their guests. While many establishments invest heavily in technology and staff training to protect this data, breaches can still occur. Here is an overview of what types of information are collected, how it is typically safeguarded, and where security vulnerabilities may exist.
Common Types of Data Collected
Hotels and casinos gather extensive guest information. This includes personal identifiers such as names, addresses, phone numbers, and email addresses. Payment details like credit or debit card information are routinely stored for reservations and purchases. Loyalty programs track guest preferences, spending habits, and reward points. International travelers may provide sensitive documents like passports. Together, this information creates a valuable target for cybercriminals.
How Hotels and Casinos Protect Data
Hotels and casinos use multiple strategies to protect guest information. Sensitive data is often encrypted and stored on secure servers accessible only to authorized personnel. Secure Wi-Fi networks, firewalls, and restricted system access help prevent unauthorized intrusions. Staff members receive ongoing training on cybersecurity best practices, phishing awareness, and fraud prevention. Regular audits and compliance checks help ensure that security measures meet industry standards.
Common Data Security Weaknesses
While many hotels and casinos have strong security measures, some may still be vulnerable to cyber attacks. Outdated or poorly maintained software can leave systems exposed to attacks. Human error, such as falling for phishing emails or mishandling sensitive data, is a frequent cause of breaches. Third-party vendors like booking platforms and payment processors can introduce additional risks, even if the hotel’s internal systems are secure.
Real-World Examples of Data Breaches in Hotels & Casinos
Cyber attacks targeting hotels and casinos have led to significant data breaches. Here are a few recent high-profile hotel and casino data breaches that have made headlines.
MGM Resorts Data Breach (2019 & 2023)
MGM Resorts experienced two major data breaches, one in 2019 and another in 2023. In 2019, hackers accessed the personal information of approximately 10.6 million guests, including names, phone numbers, email addresses, and birth dates. This data was later found on online forums for public download.
In 2023, a ransomware attack compromised additional sensitive data, such as driver’s license numbers, passport details, and Social Security numbers. The breach disrupted operations, affecting slot machines and ATMs in Las Vegas casinos. MGM agreed to pay a $45 million settlement to resolve lawsuits related to both breaches.
Marriott International Data Breach (2018)
In 2018, Marriott International disclosed a data breach affecting its Starwood reservation system. Hackers had unauthorized access to the system since 2014, and the information of up to 500 million guests was compromised. Exposed data included names, addresses, phone numbers, email addresses, passport numbers, and payment card details. Marriott agreed to pay $52 million to settle investigations by 50 state attorneys general and the District of Columbia.
Caesars Entertainment Data Breach (2023)
Caesars Entertainment suffered a data breach in 2023 due to a social engineering attack on a third-party vendor. The breach exposed personal information of over 65 million loyalty program members. The hackers reportedly demanded a $30 million ransom, of which Caesars paid $15 million. The breach raised concerns about the security of data handled by third-party vendors.
This data breach also resulted in several class action lawsuits against Caesars Entertainment. At least four separate plaintiffs joined suits alleging that their personal data was stolen due to the company’s negligence.
Your Legal Rights if Personal Information is Compromised
When a cyberattack exposes guest data, victims have legal recourse. Both federal and Nevada state laws establish clear protections. Hotels and casinos are required to protect sensitive information, notify guests of breaches, and take responsibility when negligence leads to harm.
Legal Protections for Guests
Guests staying in Las Vegas hotels and casinos are protected by a combination of federal laws, state statutes, and industry standards designed to protect sensitive information.
At the federal level, the Gramm-Leach-Bliley Act (GLBA) requires businesses acting as financial institutions to protect customer financial information. In addition, the Federal Trade Commission (FTC) can bring enforcement actions against companies that fail to use reasonable data security practices.
Industry rules also apply. The Payment Card Industry Data Security Standard (PCI DSS) is not a federal law, but Nevada law requires businesses that accept payment cards to comply with the most current version of PCI DSS. This is especially important for hotels and casinos that process large volumes of card transactions daily.
Nevada law adds another layer of protection through Chapter 603A of the Nevada Revised Statutes. These laws govern the collection, storage, and sharing of personal information. They include privacy policy requirements, opt-out rights, and data security obligations that directly affect how hotels and casinos manage guest information.
Notification Requirements
If a data breach occurs, hotels and casinos in Nevada are legally required to notify guests. Under NRS 603A.220, businesses must send notices “in the most expedient time possible and without unreasonable delay,” unless law enforcement determines that immediate disclosure would compromise an investigation.
Notifications must be provided in writing or electronically. If contact information is missing or the cost of notification would be too high, companies may use substitute notice, such as posting on their website and notifying major media outlets. For breaches affecting more than 1,000 Nevada residents, businesses must also alert nationwide consumer reporting agencies.
These notices generally explain what happened, what types of data were exposed, and what steps affected individuals can take.
Liability of Hotels and Casinos for Data Breaches
When guest information is compromised in a cyber attack, hotels and casinos may be held responsible. These claims are often based on whether the business acted reasonably to protect sensitive data and how it responded once a breach occurred.
Negligence and Duty of Care
Hotels and casinos owe their guests a duty of care to protect sensitive personal information from foreseeable risks. This includes implementing adequate security measures, such as encrypting data, limiting access to critical systems, and addressing vulnerabilities in a timely manner.
If the property fails to implement such measures and a breach occurs as a result, the property could be deemed negligent. Victims can argue that the breach was not just a random event, but a direct result of the hotel’s failure to act reasonably.
Negligence claims in data breach cases may include financial losses, costs of credit monitoring, and even the anxiety or emotional distress caused by the breach. In large-scale breaches, negligence claims are often pursued as class actions.
Breach of Contract and Privacy Policies
In addition to negligence claims, hotels may face liability under breach of contract theories. Many businesses publish privacy policies that promise to safeguard guest information and comply with industry standards. If a hotel fails to meet these commitments, guests may argue that the company violated a contractual obligation.
For example, if a casino’s loyalty program promises data security and encryption but exposes customers’ personal details through a poorly secured vendor, that discrepancy could be the basis of a breach-of-contract claim.
The Role of Third-Party Vendors
Many hotels and casinos rely on outside vendors for services like reservation systems, payment processing, and IT support. These vendors often have direct access to sensitive guest data.
When a breach occurs through a vendor, liability can be complicated. Contracts may include indemnification clauses that shift responsibility, but hotels cannot simply point to vendors and walk away. Courts and regulators often hold that businesses are responsible for ensuring their partners meet reasonable security standards. This means both the hotel and the vendor could potentially be targets of legal action after a breach.
Steps to Take After a Data Breach
If you’ve been affected by a data breach, taking prompt and organized action can help protect your personal information and keep your legal options open.
Immediate Actions
The first step after learning your information has been compromised is to contact your bank or credit card company. Alert them to the breach so they can monitor your accounts for suspicious activity, issue new cards if necessary, and place alerts on your accounts.
Guests should also monitor all financial accounts carefully. Look for unusual changes or withdrawals, and report anything suspicious immediately. Early detection of fraudulent activity can minimize financial loss and make recovery easier.
Finally, change passwords and security questions for any accounts that may be affected, including loyalty programs, email accounts, and online payment services. Use strong, unique passwords and enable two-factor authentication to prevent further unauthorized access.
Documenting Your Case
You should carefully document your case to protect your rights. Keep records of all correspondence with the hotel or casino, including emails, letters, or breach notifications. These documents provide evidence that the business was aware of the breach and can help support claims for compensation.
Additionally, gather evidence of financial loss or identity theft. This may include fraudulent charges, bills for credit monitoring services, or communications with banks and credit card companies. Organized documentation strengthens any potential legal claims and helps your attorney or the authorities understand how the breach has affected you.
How to Seek Compensation for Privacy Violations
When a hotel or casino fails to protect guest information, affected individuals have the right to seek financial compensation through the legal system. Here are some steps to take if you are currently in this situation.
Working with Legal Counsel
Consider speaking with an attorney who has experience in data breach or privacy law. A lawyer can assess whether your case is strong enough to pursue compensation, identify the responsible parties, and guide you through settlement negotiations or litigation.
Attorneys can also help determine the most effective legal strategy, which could be joining a class action, pursuing an individual lawsuit, or negotiating directly with the hotel’s insurers.
Determining Potential Damages
Compensation in data breach cases can cover various types of losses. Guests may seek reimbursement for direct financial harm, such as fraudulent charges or fees incurred to restore accounts. Some claims also include non-monetary damages, like emotional distress, anxiety, or the loss of privacy caused by a breach. An experienced Las Vegas data breach lawyer can help you determine which damages you may qualify for.
Negotiation and Settlement
Many hotels and casinos opt to settle claims out of court to avoid lengthy litigation and reputational harm. A negotiated settlement can provide compensation more quickly and with fewer costs than a lawsuit.
Settlement negotiations typically involve presenting evidence of harm, demonstrating negligence or statutory violations, and calculating the appropriate financial recovery. Settlements may include monetary reimbursement, coverage of identity restoration services, or other remedies designed to make the guest whole.
Filing a Lawsuit
If negotiations fail to yield a fair settlement offer, litigation may be necessary. Filing a lawsuit allows guests to pursue full legal remedies and hold hotels accountable for systemic failures. Courts examine whether the hotel adhered to data security standards, acted promptly to notify affected guests, and whether the breach was foreseeable.
Litigation can be conducted individually or as part of a class action, depending on the size and impact of the breach.
Discuss Your Case With an Experienced Las Vegas Hotel & Casino Lawyer
Data breaches and privacy violations in hotels and casinos have serious consequences, but guests have rights and legal avenues to protect themselves. If your personal information has been compromised, the Las Vegas hotel and casino lawyers at the Cottle Firm are here to help. Contact us today at 702-834-8000 to discuss your case and explore your legal options.