opinion

Preventing Data Breaches Staves Off Big Legal Claims

Did you hear about the Kimpton Hotel hacking last year? If you are like most of us, probably not. Kimpton was one of thousands of data breach victims in 2016 and their story was lost in the flood of attacks.

In New York state alone, another record-breaking year of data breaches saw a total of 1282 breaches reported to the state attorney general, comprising 1,596,207 records exposed in 2016.

Data security breaches are becoming so commonplace they don’t make news unless millions of records are exposed all at once.

Just last month, a federal judge approved an $11.2 settlement in a class-action lawsuit against Ashley Madison related to a data breach that exposed information stolen from the adult dating website for those seeking extra-marital affairs.

The small breaches just aren’t newsworthy, but Kimpton’s experience should be an important lesson to any business that uses computers.

In a fairly routine data breach, hackers were able to insert malware into Kimpton computer systems that found credit card numbers, expiration dates, verification codes and cardholder names.

Anyone who used a credit card at the front desk of a Kimpton Hotel between Feb. 16, 2016, and July 7 of that year was at risk of compromised credit card information, and the first report of unauthorized charges on a customer’s credit card was made July 15.

Kimpton publicly acknowledged the breach Aug. 31 with few details and without an explanation for why it took so long to disclose the intrusion.

It is likely the delay in notification and other alleged mishandling of the incident only increased customers’ anger, leading Lee Walters, a Kimpton Hotel customer who checked in once during the vulnerable time period, to file a class-action suit against the boutique hotel chain.

It is significant that Mr. Walters does not make a claim that his credit card was used to make unauthorized charges as a result of the breach. Walters claims that his card information is likely among the information copied and now in the hands of ill-intentioned criminals, and that he has had to expend time and effort to monitor his credit card activity for unauthorized use or identity theft. Surviving a motion to dismiss earlier this year, this case moves on to the next stage.

“The theft of Walters’s payment card data and the time and effort he has expended to monitor his credit are sufficient to demonstrate injury for standing purposes,” according to a ruling in Walters v. Kimpton Hotel & Restaurant Group.

This case is important to every business that accepts credit cards for two reasons. First, it shows that a customer who may have had his data copied but hasn’t had any fraudulent charges has the right to sue for damages. Second, it is important because it is another example of a data breach that could have been avoided.

Normally a person needs to incur some sort of damage before he can bring a lawsuit, commonly referred to as “standing.” If you don’t have any damages, you don’t have standing to bring a lawsuit.

Here, the credit card Lee Walters used to check in to the Kimpton Hotel had not been used for any fraudulent charges, but having to monitor his credit report is enough to give “standing” to file a lawsuit for damages.

This is important because every customer can make this claim after a data breach, so the business that gets hacked can be sued by any customer whose data was stolen.

This dramatically increases the potential cost of a data breach and increases the value of maintaining data securely. Remember the old saying, “An ounce of prevention is worth a pound of cure”?

According to the Ponemon Institute Cost of a Data Breach Study, sponsored by IBM, in 2016 the average total cost of a data breach exceeded $4 million. This is an average, so half of breaches cost more and half cost less, but data breaches can be extraordinarily costly events, threatening the ability of some businesses to continue as a going concern.

The cost of keeping data secure pales in comparison to the cost of cleaning up after a hit. A good business will take the necessary steps, and apportion the necessary budget, to keep all assets safe, including electronic data assets.

The second reason why this case is important is that the breach could have been avoided if Kimpton had taken some reasonable steps to protect customer data against known threats.

The malware allegedly used in the breach was a variant of “BlackPOS,” a malware strain that had been used to breach security at several of Kimpton’s competitors, including Hilton, Starwood, Mandarin Oriental, White Lodging, and the Trump Collection.

If Kimpton had simply acted quickly to protect itself from the very same attacks that had been carried out against other hotels, it could have avoided the data breach altogether.

A simple hack that could have been avoided by upgrading systems to fend off known threats became a federal class-action suit, with damage to reputation tagging along for the ride.

Conclusion

Maintaining security is a cost of doing business in any field. We know the importance of things like locks, cameras, and security guards to protect the physical assets of a business, but when it comes to protecting electronic data, many businesses still take chances, not realizing the risks of underestimating the need for ongoing cybersecurity efforts.

Kimpton was not the first, and certainly not the last, company to roll the dice and lose big. What does your company do to protect valuable data, and is that enough?

Chad Anderson is an Arizona attorney working in the area of cybersecurity and data privacy. He can be reached at chad@chadknowslaw.com.

Copyright © 2025 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.
