page contents

Travel law: 2015 data breach at Starwood Hotels and Resorts

Travel law: 2015 data breach at Starwood Hotels and Resorts

In this week’s article we discuss the case of Dugas v. Starwood Hotels and Resorts Worldwide, Inc., 2016 WL 6523428 (S.D. Cal. 2016).”This case arises from a series of attacks by criminal hackers upon the United States hospitality industry… Plaintiff Paul Dugas alleges that customer systems of Starwood Hotels and Resorts Worldwide, Inc. (Starwood) had malicious software installed on them and they have been compromised since ‘at least November 2014′.Plaintiff alleges that this data breach ‘adversely affected hundreds of thousands of customers of the Starwood Hotel system’. According to Plaintiff, although Starwood ‘discovered the first date breach on or around Aril 13, 2015′, they failed to notify customers or regulators of the data breach ‘until November 20, 2015 via [] internet press release. Within said press release, Starwood revealed ‘that hackers had breached its database containing sensitive records including names, credit card numbers, security codes and expiration dates’”.

Terror Targets Update

Paris, France

In Breeden, Paris to Increase Security Around Eiffel Tower, (2/9/2017) it was noted that “The iron lady, as the French affectionately call the Eiffel Tower, is getting a security upgrade. Paris officials said…that the city planned to make the landmark safer by extending the security perimeter at its base to include two small public gardens on its eastern and western sides and by building walls on the northern and southern edges. As a major tourist destination that has endured several deadly terrorist attacks in recent years, Paris wants to ensure that the millions of visitors who come here every year feel not only welcome but also safe”.

USA: The Muslim Brotherhood

In Baker, White House Weighs Terrorist Designation for Muslim Brotherhood, (2/7/2017) it was noted that “President Trump’s advisers are debating an order intended to designate the Muslim Brotherhood as a foreign terrorist organization targeting the oldest and perhaps most influential Islamist group in the Middle East. A political and social organization with millions of followers, the Brotherhood officially renounced violence decades ago”.

Istanbul, Turkey

In Kingsley, Turkey Arrests Hundreds in Sweeping Raids Against ISIS, (2/5/2017) it was noted that “several hundred people suspected of being Islamic State operatives were arrested in a series of coordinated raids by the Turkish police on Sunday, in what constitutes one of Turkey’s largest operations against the jihadist group on the country’s soil. Nearly 450 suspects were rounded up in the early hours of Sunday”.

ISIS Strategy

In Callimachi, Not ‘Lone Wolves’ After All: How ISIS Guides World’s Terror Plots From Afar, (2/4/2017) it was noted that “remotely guided plots in Europe, Asia and the United States in recent years, including the attack on a community center in Garland, Tex., were initially labeled the work of ‘lone wolves’ with no operational ties to the Islamic State, and only later was direct communication with the group discovered. While the trail of many of these plots led back to planners living in Syria, the very nature of the group’s method of remote plotting means there is little dependence on its maintaining a safe haven there or in Iraq. And visa restrictions and airport security mean little to attackers who strike where they live and no longer have to travel abroad for training”.

Terror News Reports

In Shane, Is News of Terror Attacks Underplayed? Experts Say No, (2/7/2017) it was noted that “Margaret Thatcher famously declared that ‘we must try to find ways to starve the terrorist and the hijacker of the oxygen of publicity on which they depend’…Years of books and articles critiquing the ‘symbiosis’ of terrorism and news media coverage have pointed out that terrorists usually seek to promote a political or ideological cause and spectacular violence with the specific goal of attracting attention. News executives, while sometimes expressing mixed feelings about giving terrorists what they seek, have generally felt obliged to give such attacks ample coverage…In the United States since the Sept. 11, 2001 attacks, even failed terrorist plots often have drawn saturation coverage-think of the fizzled so-called underwear bomb on a Detroit-bound airliner in Christmas Day 2009 or the SUV jury-rigged to blow up that produced only smoke in Times Square on a May night in 2010″.

Travel Ban Blocked

In Liptak, Court Refuses to Reinstate Travel Ban, Dealing Trump Another Legal Loss, (2/9/2017) it was noted that “A federal appeals panel on Thursday unanimously rejected President Trump’s bid to reinstate his ban on travel into the United States from seven largely Muslim nations, a sweeping rebuke to the administration’s claim that the courts have no role as a check on the president. The three-judge panel, suggesting that the ban did not advance national security, said the administration had shown ‘no evidence’ that anyone from the seven nations-Iran, Iraq, Libya, Somalia, Sudan, Syria and Yemen-had committed terrorist acts in the United States…The appeals court acknowledged that Mr. Trump was owed deference on his immigration and national security policies. But it said he was claiming something more-that ‘national security concerns are unreviewable, even if those actions potentially contravene constitutional rights and protections”.

No Fly List: Add Nut Allergies

In Rabin, Travelers With Nut Allergies Clash With Airlines, (1/26/2017) it was noted that “Roseanne Bloom and her family had just settled into their seats on a flight from Philadelphia to Turks and Caicos Islands on Christmas morning when two airline employees ordered Dr. Bloom, her husband and two boys off the plane. Their luggage had already been removed. The problem? Dr. Bloom had informed the crew that her teenage son had severe nut allergies…Airline carriers have a long tradition of serving peanuts on flights, and often serve little else. But the practice also presents a challenge to travelers with severe nut allergies, who can suffer a reaction simply by touching a surface that has been exposed to nuts. But tensions between passengers with food allergies and airline staff members have risen in recent years, as airlines have begun to enforce stricter rules related to preboarding passengers. In the past, parents of young children could board the plane early, giving them a chance to wipe down seats, trays and armrests to reduce exposure to allergens. But today many airlines stopped letting families with children board before other passengers”.

Uber & Lyft In New York

In Stashenko, NY Senate Gives Overwhelming Approval to Statewide Expansion of Ride-Sharing, (2/6/2017) it was noted that “The state Senate on Monday approved expanding ride-sharing services such as Uber and Lyft outside New York City-where they have operated since 2013-to the rest of the state. The Senate passed the bill…by a vote of 53-5, though several members said in debate that the legislation was almost certainly not the chamber’s final word on the issue this year….Gov. Andrew Cuomo called on lawmakers to extend ride-sharing throughout New York during his State of the State message last month, and the Assembly generally has favored bills as well”.

Airbnb & Uber Lobbying

In Stashenko, Lobbying Group for Airbnb, Uber Opens Office in Albany, (2/7/2017) it was noted that “In a reflection of the growing importance of state governments to the internet economy, the Internet Association said it is opening an office in Albany to ‘engage’ New York state public policy makers on digital-age issues…The group represents such companies as Airbnb, Amazon, Facebook, Google, Microsoft, Netflix, Twitter, Uber and Yahoo as well as much smaller startups. The association said the internet-enabled sector of the economy now accounts for 6 percent of the United States’ gross domestic product and employs nearly 3 million Americans including 200,000 New Yorkers”.

India: Beware The Lychee Fruit

In Barry, Dangerous Fruit: Mystery of Deadly Outbreaks in India Is Solved, (1/31/2017) it was noted that “Every year in mid-May, as temperatures reached scorching heights, parents took children who had been healthy the night before to the hospital. The children awakened with a high-pitch cry in the early morning, many parents said. Then the youths began having seizures and slipping into comas. In about 40 percent of the cases, they died. Every year in July, with the arrival of monsoon rains, the outbreak ended as suddenly as it began…A joint investigation by India’s National Center for Disease Control and the India office of the Centers for Disease Control and Prevention in Atlanta…has identified a surprising culprit: the lychee fruit itself, when eaten on an empty stomach by malnourished children”.

It’s Complicated: Japanese Toilets

In Unexpected results when using a Japanese Toilet: Confusing task, (2/5/2017) it was noted that “Using a toilet in Japan can turn into a complicated activity, and may have embarrassing unexpected results. This is because there are toilets, and then there are Japanese toilets. More sophisticated even public toilets come with various features such as heated seats, in-built bidets and some even play you music. Tourists are often unable to understand the many controls, finding going to the toilet more complicated than they thought…Under the new icons, future Japanese toilets will use eight icons representing eight different options: Toilet lid opening/closing, toilet seat opening/closing, large flush, small flush, backside wash, bidet wash, dryer and stop”.

Riding Chinese Rails In Djibouti

In Jacobs, Joyous Africans Take to the Rails, With China’s Help, (2/7/2017) it was noted that “The 10:24 a.m. train out of Djibouti’s capital drew some of the biggest names in the Horn of Africa last month. Serenaded by a chorus of tribal singers…the pristine, air conditioned carriages (made) their inaugural run…But perhaps the biggest star of the day was China, which designed the system, supplied the trains and imported hundreds of engineers for the six years it took to plan and build the 466-mile line. And the $4 billion costs? Chinese banks provided nearly all the financing…Chinese-built subway cars will soon appear in Chicago and Boston. Beijing is building a $5 billion high-speed rail line in Indonesia and the Chinese government recently christened new rail freight service between London and Beijing”.

Bomb Found In Greece

In 72,000 people evacuated after WWII bomb found in Greece’s second largest city, (2/11/2017) it was noted that “Greek authorities have forced the evacuation of tens of thousands of people to safe places in the country’s second largest city of Thessalonike after a bomb, dating from World War II, was discovered in the area. The unwelcome guest, a 250-kilogram bomb, which was sound some five meters below the ground during excavation works to expand a gas station’s underground tanks last week, made local authorities…to evacuate some 72,000 people living within a 1.9-kilometer radius of the bomb site to other places”.

Travel Law Article: The Dugas Case

In the Dugas case the Court noted that “Plaintiff alleges that as a ‘member in the hotel chain’s rewards program’, he has frequented the spa at the Sheraton San Diego Hotel & Marina on a ‘continuous and ongoing basis’. Plaintiff further alleges that during visits to the spa, ‘he provided personal identifying information and consumer information’ to the hotel operating under the ‘reasonable belief that [the information] would be held private’”.

The Delay In Disclosing

“Because of the approximately seven-month delay between discovering the data breach and notifying affected customers, Plaintiff alleges that hackers were given ‘months to use the information without the customers being able to take any steps to protect themselves’…Plaintiff alleges that during the time period between Starwood’s initial discovery of the data breach and their disclosure …’[Plaintiff’s] credit card…used for purchases at the Sheraton San Diego…was compromised by an unknown third party and used for unauthorized purchases, exposing him to losses, frustration and on-going requirements to protect himself from identity theft’”.

The Complaint

The First Amended Class Action Complaint (FACC) alleges “(1) violation of California Customer Records Act (CRA)… (2) violation of California’s Unfair Competition Law (UCL)… (3) invasion of privacy; (4) negligence and (5) negligence per se… Defendants moved to dismiss Plaintiffs (the complaint)”.

Standing To Sue

“In order to invoke the subject matter jurisdiction of this Court, Plaintiff is required to establish standing to sue…With regard to injury in fact, a plaintiff must shoe that he suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical’…A ‘concrete’ injury must be ‘defacto’, meaning it must actually exist (citing Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016))…To prove ‘causation’ a plaintiff must show that the injury is fairly traceable to the challenged action of the defendant and that the injury is not the result of the independent action of a third party not before the court…The third…element of standing, redressability (wherein) a plaintiff must show that the injury ‘is likely to be redressed by a favorable decision’”.

Injury In Fact

“To determine whether or not a plaintiff was, in fact, injured by a defendant’s data breach, various courts have found one or more of (the) following factors persuasive: (1) the type and volume of stolen information (citing Krottner v. Starbucks Corp., 628 F. 3d 1139 (9th Cir. 2010)); (2) the likelihood that the information was stolen for misuse (citing In Re Adobe Sys., Inc. Privacy Litigation, 66 F. Supp. 3d 1197 (N.D. Cal. 2014)), (3) the degree of attenuation between the theft and the harm (citing Reilly v. Ceridian Corp., 664 F. 3d 38 (3d Cir. 2011)), (4) whether the stolen information has been misused (citing Key v. DSW, Inc., 454 F. Supp. 2d 684 (S.D. Ohio 2006)), and (5) whether unauthorized purchases were reimbursed (citing Whalen v. Michael Stores, Inc., 153 F. Supp. 2d 577 (E.D.N.Y. 2015))”.

Claimed Injuries

Plaintiff’s “claimed injuries can be summarized as (1) past financial costs associated with detecting and preventing identity theft or unauthorized use of credit cards; (2) future costs in terms of time, effort and money to prevent or repair identity theft or future unauthorized use of credit cards, (3) theft of personal identifying information and, (4) past loss of productivity from efforts to mitigate consequences of data theft”. Of these the Court rejected the first three claimed injuries as insufficient but found that “to the extent Plaintiff seeks relief for the loss of time and money spent to avoid loses caused by the data breach, his allegations are sufficient to state an injury in fact”.


“With regards to Plaintiff’s claim arising under (CRA)… Defendants argue that the FACC asserts no factual basis for the conclusion that Defendant’s alleged [delay] in notifying Starwood customers of the data breach caused any harm. The Court agrees… (However, Plaintiffs has) “sufficiently alleged (causation) as to his…UCL, right of privacy and negligence claims”.


“Here, the Court has concluded that Plaintiff’s allegations that he lost time and money in the process of mitigating financial losses caused by the Starwood breach are sufficient to state an injury in fact. Because Plaintiff has not been reimbursed in any way for that expenditure of time and money, the Court concludes that the injury is redressable by judicial decision…(However) Plaintiff fails to establish ‘redressability’ as to the request for injunctive relief because Plaintiff does not sufficiently allege that he is ‘realistically threat(en)ed by a repetition of his experience’ that is ‘likely to be redressed by a favorable decision’ by this Court”.

Failure To State A Claim

“The Court finds that Plaintiff has sufficiently alleged, at the pleading stage, a legal duty and a corresponding breach as to inadequate security measures (under the CRA citing In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942 (S.D. Cal. 2014)) … (and the Court grants Defendant’s motion to dismiss (the UCL claim), invasion of privacy claim and negligence claim without prejudice and the negligence per se claim with prejudice)”.

Thomas A. Dickerson is a retired Associate Justice of the Appellate Division, Second Department of the New York State Supreme Court and has been writing about Travel Law for 41 years including his annually updated law books, Travel Law, Law Journal Press (2016), Litigating International Torts in U.S. Courts, Thomson Reuters WestLaw (2016), Class Actions: The Law of 50 States, Law Journal Press (2016) and over 400 legal articles many of which are available at For additional travel law news and developments, especially, in the member states of the EU see

This article may not be reproduced without the permission of Thomas A. Dickerson.

Read many of Justice Dickerson’s articles here.

Tagged with