Will Marriott be the First Major Brand to Get Fined for GDPR?
Steven Minsky | Dec. 17, 2018
Last Friday, Marriott disclosed that the data of about 500 million guests had been exposed as a result of a hack that dates all the way back to 2014.
In 2014, hackers exploited the reservation system of Starwood Hotels and Resorts, which was acquired by Marriott in 2016. The breach exposed user data that not only included names, phone numbers, email addresses, passport numbers, and dates of birth, but even access to some encrypted credit card data.
As a result of this breach, Marriott may be one of the first organizations to feel the full force of the EU’s General Data Protection Regulation penalties. Implications of GDPR can lead to new unprecedented levels of financial penalties and liability for Marriott executives. Marriott acquired Starwood back in 2016, but did not find out about the 2014 breach until several months following the 2016 merger. Companies are required by GDPR to alert government authorities within 72 hours of a known breach. Given that Marriott did not disclose this breach until last week, Marriott could face fines of up to 4 percent of their global revenue. Given the shift of Starwood ownership, the investigation into the violation will take time, and may not be finalized until later in 2019.
Separately, the first of what is expected to be many class-action lawsuits against Marriott have already been filed on behalf of customers affected by the breach. On top of that, Marriott’s security is also facing probes from the New York Attorney General’s office.
A Risk-Based Approach to GDPR
The GDPR is risk-based, which means that failing to take sufficient measures to mitigate a risk can result in greater penalties for companies. To avoid penalties, companies can use enterprise risk management software to document what the company did, when it did it, and which employees were responsible for the planning and execution. The hotel industry is an interconnected web of business entities. From shops and restaurants to business centers and dry-cleaning services, each business has their own risks that need to be properly assessed and monitored. Proper operationalization of GDPR policies and controls with enterprise risk management would have likely enabled Marriott to avoid most, if not all, GDPR penalties.
Reputation risk is also a major factor for both customers and investors. For Marriott, the length of time it took to discover a series of breaches that date back to nearly 4 years ago, coupled with its post-breach reaction, is a considerable impediment to its efforts to regain user and investor trust after a series of privacy and security scandals.
Investors and Consumers have a Greater Voice in the See-Through Economy
Marriott is the latest failure in risk management that has been exposed by the See-Through Economy. Over the past several years, poor security and data breaches have become a recurring pattern affecting other huge companies. To put it into perspective, hackers stole nearly 143 million users’ data during the Equifax data breach in 2017, and Marriott suffered a breach nearly triple the size of that. Some believe that companies are opting for inadequate security because it is cheaper than the consequences of a data breach. However, as the See-Through Economy intensifies, it brings the much-needed transparency and accountability to all roles and industries.
When evaluating the cost of a data breach, calculating penalties that result from regulatory actions has become an outdated method. Now, the consequences of the See-Through Economy are being measured in a loss of revenue resulting from customer brand-switching, which result in investor investment sell-offs. In fact, studies have shown that 81% of consumers will switch brands based on a perceived lack of accountability and effectiveness in risk management.
In an incredibly fast-paced age of transparency, consumers and investors are empowered through interconnectivity and technology to impact a company’s reputation. The See-Through Economy dictates that customers will choose alternative hotels with safer data security and investors thus will withdraw, likely making even these increased penalties seem small in comparison.
GDPR Readiness: How Do You Stack Up?
Download our infographic on GDPR Readiness to learn how companies are handling the regulation, along with some quick facts about what it means for companies like yours.
How To Manage Risk In The See-Through Economy
Companies need to start to treat personal information with the same sensitivity they do with credit card numbers. This requires an ERM solution to identify what kind of data is stored by your company and identify where that data is stored and the security measures in place.
Companies face Payment Card Industry Data Security Standard (PCI DSS) for card numbers and SOC II-related compliance risks for their vendors. Other states have passed and are continuing to pass regulations for customer data similar to the European GDPR regulation such as California’s AB-375 Consumer Privacy Act of 2018 (CCPA) and New York’s DFS Cybersecurity Regulation (23 NYCRR 500) as well. The most important takeaway is the need to take a risk-based approach to data security and privacy. An ERM solution provides a comprehensive framework approach that addresses all data security and privacy regulations. Not only will it protect a company from regulatory penalties, but also from the scandal of public scrutiny as a result of the See-Through Economy.
The Future of Risk Management
As stakes climb higher and the public becomes more aware of companies’ responses to failures in risk management, the need for effective risk management is even more apparent. This falls into the recurring pattern of scandals that huge companies have been facing. All of which are preventable through risk management. Over the course of 14 years of research I have found in the majority of cases that many employees on the front lines of their companies not only knew about key risks but had escalated these risks to higher management.
While the breach stemmed from the acquisition of Starwood hotels, that was not the major issue at play, as thousands of acquisitions occur every year. When managed effectively through an ERM program, acquisitions can bring about positive change. It is important for companies to consider that changes such as these are a key source of risk and require due diligence. When Marriott acquired Starwood, they were not only acquiring assets, employees and customers, but new risks as well. It is critical that risk assessments be conducted around areas of change. Having a vendor management system in place helps manage changes in the supply chain and third party vendors during an acquisition to prevent this mistake as well.
An ERM system can not only identify and fill gaps in Marriott’s cybersecurity policies and procedures across the enterprise, but maintain and prove compliance with GDPR, among other regulations. Enterprise risk management could eliminate the silos that make up all Marriott’s interconnected business entities and seamlessly mitigate their risks.
Download our free eBook!
Download “7 ways to Build a Business Case for ERM Software” to get the tools you need to articulate what’s holding your organization back, and the actionable benefits that a risk-based ERM software solution can bring to your organization.