A California federal district court recently denied a hotel’s motion to dismiss a claim that it violated the California Customer Records Act (“CRA”), which requires businesses to “implement and maintain reasonable security measures.” Dugas v. Starwood Hotels & Resorts Worldwide, Inc., 2016 WL 6523428 (S.D. Cal. Nov. 3, 2016). Following a breach of Starwood’s computer system, Paul Dugas, a customer of Starwood’s Sheraton San Diego Hotel, claimed that the hotel and its franchisor violated the CRA by failing to follow industry-standard encryption procedures to safeguard its customers’ data, and failing to notify the affected customers for seven months following the data breach.
The court ruled that, although the complaint was “short on specifics,” Dugas had sufficiently alleged a cause of action under the CRA. He alleged that he provided his personally identifiable information to Starwood as part of a commercial transaction, and that Starwood failed to employ reasonable security measures to protect his information (such as the use of industry-standard encryption). The court did, however, dismiss Dugas’ claim that Starwood violated the breach notification provision of the CRA by waiting seven months after the discovery of the breach to notify customers.