InterContinental Hotels Seeks to Dismiss Franchisee Lawsuit Over Cyberattack

IHG said on Sept. 6 that it detected unauthorized activity on its technology systems and sent an email to franchisees informing them the company’s online reservation technology would be down. Hotel owners said the system was down for a few weeks after the attack, disrupting bookings and forcing staff to use workarounds to find reservations and charge guests for rooms.

“We had major issues where people were not able to book, bookings were really bad, revenue had dropped, customer scores were really bad because everyone was complaining,” said Rich Gandhi, who owns a Holiday Inn Express in Pennsylvania and other IHG properties. 

Hotel owners sued IHG in September in U.S. District Court in Atlanta, accusing the company of failing to “adequately invest in data security, despite the growing number of well-publicized data breaches affecting the hospitality and similar industries.” The owners say they haven’t received sufficient information from IHG about the cyberattack, such as how it happened and whether they will be reimbursed for lost business. 

A spokeswoman for IHG declined to comment on the lawsuit and said the company is “continuing to support our hotels and owners.”

Consumers often sue a company after a cyberattack, especially if their personal or financial information was exposed, said Sharon Cruz, a senior associate at law firm DiCello Levitt. Franchisee suits are less common, sometimes because their contracts make legal action more difficult, Ms. Cruz said. 

At Mr. Gandhi’s Holiday Inn Express in Exton, Penn., a major corporate account, concerned about data security, switched to a competing hotel, the hotel owner said. Two employees quit after they were told to use a manual process to confirm customers’ credit-card payments over the phone after the cyberattack, said Mr. Gandhi, a plaintiff. “The workload just doubled or tripled,” he said. 

The lawsuit highlights the potential ripple effects of a hack, including technology outages and lost business for franchisees and other business partners. In 2020, franchise fast-food chain Arby’s, now part of Inspire Brands Inc., agreed to pay around $3 million to customers to settle a class action following a 2017 data breach. IHG said in court filings the Arby’s case isn’t comparable, in part because it was consumers, not franchise owners, who sued after the breach. Arby’s didn’t respond to a request for comment.

Companies are preparing for a higher level of scrutiny as lawmakers, federal agencies and states step up supervision of corporate cybersecurity and privacy measures. 

The Securities and Exchange Commission has more than doubled the number of staff in its Crypto Assets and Cyber Unit, planning to have 50 people dedicated to enforcement. State privacy laws take effect this year in Colorado, Virginia, Connecticut and Utah, plus a stricter version of California’s law.

The Federal Trade Commission has recently scrutinized companies’ practices against what they say in their privacy policies, and issued penalties over infractions, said Jason Johnson, a partner at law firm Moses & Singer LLP. Twitter Inc. agreed to pay $150 million to settle a case with the FTC last year after the agency said it collected user data for security but then used it for commercial purposes, contrary to terms in the company’s privacy policy. 

“You’re going to see a lot more accountability” including involving business contracts, Mr. Johnson said. 

The number of civil lawsuits related to cyberattacks likely will grow, he said, potentially involving franchisees and other companies.

Hotel owners’ contracts with IHG specify a cyberattack could disrupt their centralized online reservation system and that they can’t seek damages over such a temporary technology disruption, the company said in a court filing. 

Vimal Patel, a plaintiff and president and chief executive of QHotels Management, a Louisiana hotel group that includes IHG-franchised properties, said it is unfair that IHG requires fees to use its technology and to pay for cyber insurance but doesn’t provide relief for lost revenue. 

“They can pass on their costs to us and we just have to lay down and take the kick in the gut,” he said. 

Write to Catherine Stupp at [email protected]