Are hotels liable for the data on lost and found electronic devices?
In 2010, Ponemon Institute released a study titled “The Billion Dollar Lost Laptop Problem”. The institute surveyed 329 private and public sector organizations in the U.S., ranging from 1,000 to 75,000 employees. During a 12-month period, those organizations lost more than 86,000 laptop computers, an average of 263 per company. One third of those 86,000 missing laptops were lost during travel.
That number is shocking until you consider the lifestyle of the average business traveler. They bounce from city to city, running through airports, trudging through security lines, waiting out delays at hotel bars before finally sitting for hours on airplanes. At each destination they ride in cabs, sleep in hotels, commute to conferences or sales appointments, and dine in restaurants, almost always in a hurry. All the while they typically carry one or more electronic devices, such as a smartphone, tablet or laptop.
So it’s little wonder that so many electronic devices end up left behind.
Those lost devices, whether company-issued or personally owned, likely contain sensitive data. And the companies and agencies that find those abandoned electronics usually aren’t concerned with protecting that data. Lost devices are usually stored for 30 to 60 days, then, if not claimed by the owner, are thrown away, donated to charity or acquired by those who work for the entity that found the device.
There is abundant risk of data breaches from lost devices. If that discarded device finds its way into the wrong hands, it can be easily booted to reveal passwords, files, VPN connections and wireless encryption keys. The financial loss of data breaches is extensive and well documented. This has raised the question: Should lost devices be guarded more carefully, and should those who find them do more to erase data before disposing of them?
There has been some discussion of this issue within the hotel industry. State “Innkeeper Laws” will, for the most part, shield inns from being liable for any damage caused by a lost electronic device. Laws protect hoteliers from liability in the event of loss due to the fault of the guest; ergo, if the guest leaves his or her laptop in the room, the hotel isn’t responsible. Furthermore, statutes have been enacted to limit all liability for loss as long as the hotel complies with the law, and damages in these situations are typically capped between $250 and $2,000 per incident, depending on the state.
The caveat is that in nearly every state, limitations on liability go out the window if a hotel’s staff was negligent or didn’t follow state laws. So in the case of a lost electronic device, a savvy hotel worker selling left-behind devices to the highest-bidding hacker could count as negligence on the part of the hotel. Or, in a less nefarious situation, if the same worker handed over a device to a person who claimed the phone was his when it wasn’t, this could also theoretically count as negligence.
National Specialty Underwriters offered tips in its “Innkeeper’s Liability Guide to Compliance” on how hotels can limit their liability for lost merchandise, including electronics:
- Require all employees and management staff to turn in to the property manager, or to his or her designee, all personal property found in public places and in rented areas.
- Keep a lost-and-found logbook. In the log, record the name of the finder, the individual who received the found goods, the location where the property was found, and the date found.
- Make a good-faith effort to locate the rightful owner. If the value of the found item is significant, make all reasonable efforts to locate the rightful owner, and document these efforts.
- Establish appropriate time frames. Hold found property for a period of time recommended by your company or a local attorney familiar with the laws in your state regarding found property. Sixty days should be a minimum length for most found property.
- Limit personnel allowed to handle property. Permit only the property manager or his or her designee to return found property to purported owners.
- Dispose of property in a fair, consistent manner and in accordance with written procedures if the original owner does not come forward. Note that some states have very specific requirements in this regard.
For their part, companies that employ frequent travelers should enact policies to protect data in the event of device loss. Employees should be required to report a lost or stolen device as soon as possible. Passwords and encryption should be required, especially if your company allows Bring Your Own Device (BYOD) with network access. And a company’s IT department should have the ability to remotely wipe a device’s data once it’s been reported missing.