Learn About Data Privacy and How to Navigate the Information Security Regulatory Landscape

Foley & Lardner LLP

This article was originally published by the American Resort Development Association (ARDA) in July 2024 as part of its Industry Insights monthly series and is republished here with permission.

Insights for July's article are provided by ARDA members Gregory Szewczyk, partner at Ballard Spahr and Practice Leader of the firm’s Privacy and Data Security Group, and Aaron Tantleff, partner in Foley & Lardner’s Technology Transactions, Cybersecurity, and Privacy and the Environmental, Social, and Corporate Governance (ESG) Practice Groups.

Question: How are companies navigating the evolving data privacy & information security regulatory landscape?

Gregory Szewczyk, partner at Ballard Spahr and Practice Leader of the firm’s Privacy and Data Security Group, understands that keeping up with new laws and regulations in the constantly changing privacy landscape can seem overwhelming.

Thankfully, he says there are certain flash points and straightforward steps that many companies can take to mitigate significant amounts of risk while still leveraging their data to accomplish their business goals. Greg has highlighted a few of those points for ARDA members below:

  • Expanding Scope of State Privacy Laws: Most resort development companies (except those in California) have been able to avoid the application of comprehensive state privacy laws due to entity-level exemptions for financial institutions regulated by the federal Gramm-Leach-Bliley Act (GLBA). However, as more states adopt the approach of only exempting data regulated by the GLBA, some companies will have broader state privacy law compliance obligations.

    While there may be situations where data intake requires a different consent regime, many companies will be able to leverage existing compliance frameworks so long as they are adequately updated.

  • Litigation Focus on Analytics and Marketing Technology: Over the past few years, there has been an increase in private lawsuits alleging that standard website and mobile application cookies and pixels violate various older laws that have private rights of action with statutory damages. For example, in the past eight months, we have seen hundreds of lawsuits alleging that common website cookies constitute a pen register under the California Invasion of Privacy Act (CIPA). Resort developers and their affiliates have at times been targets.

    The threat from this analytics litigation ranges from low-level demands to multi-million-dollar class actions filed in federal court. However, some relatively simple steps can be taken to mitigate some of this risk, such as updating cookie banners and consent mechanisms to stay ahead of the threat trends.

  • Documenting Compliance: Regulators have made it clear that they are actively monitoring compliance with new state privacy laws. Even if the scope of exposure is relatively low due to partial exemptions, documenting compliance can be key. While companies are struggling to keep up with the expanding patchwork, regulators are also struggling to find the manpower to investigate the huge scope of companies coming under their jurisdiction.

    Resort development companies likely face some inherent level of risk of regulatory attention due to the nature of the industry. However, companies can lower that risk by ensuring that their compliance regimes are documented — a step that many other companies subject to the new laws may not have in place. A well-documented regime can indicate to regulators that their limited time and resources are better spent looking at a competitor or other industry where there is wholesale noncompliance. 

    While the privacy compliance and risk landscape for each company will necessarily vary, and trends change over time, focusing on some of these high-risk areas allows resort development companies to mitigate some of the current risk while still focusing on achieving business goals.

Aaron Tantleff, partner in Foley & Lardner’s Technology Transactions, Cybersecurity, and Privacy and the Environmental, Social, and Corporate Governance (ESG) Practice Groups, echoes Gregory’s sentiment that the timeshare industry is subject to a mosaic of state, federal, and international data protection laws.

According to Aaron, the timeshare industry is a prime target for cyber threats due to the vast amount of personal and financial data collected from guests. With the continual rise in cyber threats and a constantly evolving regulatory landscape for data privacy and information security, staying on top of and complying with such obligations and ensuring robust measures to protect sensitive information remain critical priorities.

Companies should be aware of the various state regulations such as: 

  • The California Privacy Rights Act (CPRA), which enforces and implements privacy regulations, including providing California residents the right to know what personal data is being collected, the purpose of collection, and with whom it is being shared, and more;
  • The New York SHIELD Act, which requires businesses to implement reasonable safeguards to protect the personal information of New York residents, and applies to any business – regardless of location – that is processing private information of New York residents;
  • And the Virginia Consumer Data Protection Act (VCDPA), which provides Virginia residents with the right to access, correct, delete, and opt-out of the sale of personal data.

In addition to the above, many other states have data protection laws with unique definitions, applications, and liabilities.

The timeshare community must also consider various federal regulations, such as:

  • The Children’s Online Privacy Protection Act (COPPA) for properties that cater to families; 
  • The Health Insurance Portability and Accountability Act (HIPAA) for properties that offer health services or have health data on guests;
  • The Gramm-Leach-Bliley Act (GLBA), which requires financial institutions, including those offering financial services at timeshares, to explain their information-sharing practices to customers and to safeguard sensitive data;
  • The Federal Trade Commission (FTC) Act, which empowers the Federal Trade Commission to enforce against unfair or deceptive practices, including those related to data privacy and security;
  • And the American Privacy Rights Act of 2024 (APRA), which sought to establish the first comprehensive data privacy law at the federal level, but appears all but dead now.

Numerous international data protection laws also impact the timeshare industry, but these are the primary laws affecting American resorts. Additionally, the timeshare industry is subject to other sector-related regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), which sets requirements for securing payment card information for any business that processes credit card transactions.

Considering the above, timeshare companies face numerous hurdles in ensuring compliance while navigating the evolving regulatory landscape. Some of these challenges include:

Developing comprehensive privacy and information security programs: This involves policies, procedures, and technologies designed to protect guest data, as well as the systems processing such data. Examples of security program components include:

  • Data Mapping and Inventory: A thorough data mapping exercise helps identify the types of personal data collected, processed, and stored and assists in understanding data flows, identifying potential risks, and ensuring compliance with relevant regulations.
  • Privacy by Design: Establishing a proactive “privacy by design” approach helps mitigate risks and ensure compliance from the outset by baking data protection principles into the design and operation of IT systems and business practices.
  • Data Minimization and Retention: In addition to complying with regulations mandating data deletion, collecting only necessary data and retaining it for only as long as required reduces the risk and scope of data breaches.
  • Encryption: Encrypting data both at rest and in transit means that, even if the data is compromised, it remains unreadable without the corresponding keys.
  • Anonymization: Anonymization (and pseudonymization) can further enhance privacy protections by removing or altering personal identifiers. This technique can be beneficial when processing personal information via programs or systems that are unable to process encrypted data.
  • Access Controls and Authentication: Access controls and multi-factor authentication (MFA) ensure that only authorized personnel can access sensitive data. Role-based access controls (RBAC) limit data access based on job responsibilities.
  • Security Audits/Penetration Testing: Security audits and penetration testing help organizations proactively identify vulnerabilities in their systems, enabling them to remediate those vulnerabilities before others can exploit them.
  • Incident Response and Breach Notification: Developing, maintaining, and regularly testing a comprehensive incident response plan is essential to enable an organization to respond quickly to data breaches, minimize their impact, and comply with breach notification obligations to affected individuals and regulatory authorities, as required by law.

Employee Training and Awareness: In concert with any privacy or information security program, an organization can help mitigate privacy risks through implementing employee training and awareness, including:

  • Data Protection Policies and Procedures: Policies and procedures for handling personal information are critical to ensuring appropriate data protection. Employees, contractors, and others with access to personal information must be properly trained if they are expected to comply with the organization’s policies.
  • Phishing and Social Engineering: Phishing and social engineering attacks remain a prominent and successful tactic used to compromise employees and gain access to systems and sensitive data. Educating employees and making them aware of such attacks will help them avoid falling victim to such schemes.
  • Reporting and Incident Management: If you see something, say something. Prompt reporting can aid in detecting incidents earlier, enhancing incident response, and thus mitigating the impact of an incident.

Leveraging Technology: Timeshare companies, just like any other industry, are leveraging technology to stay ahead in the evolving regulatory landscape and enhance their data privacy and security measures. Some of the more common technologies include:

  • Artificial Intelligence (AI) and Machine Learning (ML): AI and ML can detect and respond to sophisticated security threats in real-time using tasks such as pattern recognition, predictive analysis, and anomaly detection, allowing for quicker and more effective responses.
  • Blockchain Technology: Blockchain enhances transparency, traceability, and security, providing a decentralized and tamper-proof method for recording transactions and managing data.
  • Privacy-Enhancing Technologies (PETs): PETs are a mix of hardware and software solutions that allow organizations to process personal and sensitive data while preserving privacy and ensuring data protection. The most common PETs include techniques such as homomorphic encryption (an encryption method enabling computational operations on encrypted data, allowing the sharing of encrypted results), differential privacy (adding “statistical noise” to a dataset, enabling the use of a dataset while preserving individual privacy), zero-knowledge proofs (ZKP), obfuscation, pseudonymization, and data minimization.

This diverse regulatory environment means timeshare organizations are subject to numerous, sometimes conflicting, data protection laws. Balancing these requirements and maintaining compliance across jurisdictions is complex and resource-intensive. However, by integrating data privacy and security into the broader risk management framework and developing data privacy and information security policies and procedures that focus on a proactive rather than a reactive approach, an organization can be better prepared to respond to an evolving privacy and security landscape.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley & Lardner LLP | Attorney Advertising