Marriott will be fined $123 million by the UK data protection agency for alleged knowledge of a data breach that existed when Marriott purchased Starwood Resorts last year. The breach is staggering: up to 383 million customers were exposed (for context, the population of the United States is 327 million). Slightly less than ten percent of those users are based in the EU, making Marriott subject to the GDPR.
Marriott’s reply implied frustration and fury, and they vowed to defend themselves and fight the fine, but, interestingly, they did not deny their role in the data breach. The first few blows traded indicate this will likely be a protracted legal battle with “he said, she said” allegations and mountains of evidence on both sides. As penalties for negligence with personal data are levied, the responses of the largest corporations will determine the data privacy policies of the coming years and decades.
The allegation is particularly sticky, not just because of the data breach in and of itself, which is bad enough, but because of the accusation that Marriott deliberately overlooked the data breach or did not appropriately address it during its acquisition of Starwood. Such an allegation raises the question of “who knew what when,” which can cause all sorts of internal chaos. Blame, pointing fingers, denials, leaks to the media, department reorganizations.
We may never know if Marriott knew about the Starwood data breach, but we do know that hundreds of millions of pieces of personally identifiable information in the public domain, such as passport numbers and credit card numbers, can severely damage a brand’s reputation. No matter how many smoothly worded PR statements a brand releases with beautiful apologies, or how many free nights you can get at a hotel, if consumers don’t trust you to coordinate their reservation from a call center to a hotel, much less store it securely, they’re going to the Hilton, or to the couch of their best friend, who is generally pretty good at keeping your privacy safe. Most of the time.
Unsecured data is like exposed wiring in a house: dangerous, and a disaster waiting to happen. Data is absolutely essential to an optimal customer experience, and hotels in particular could use a hand in creating better experiences for consumers, as evidenced by the nightmare scenario my manager endured trying to cancel a night from his hotel stay. And it’s true that marketers need to know how to better leverage data, and that practice will improve over time. But before that threshold can even be reached, brands (and the marketers behind them) need to guarantee the safety and security of their consumers’ privacy.
All relationships begin with at least a basic degree of trust. And security is a critical component of trust. When you meet someone for the first time, how they present themselves indicates to you whether or not they will run off with your wallet, or sky-write your deepest fears on a clear day over Manhattan.
DMN talks a lot about customer experience, and that’s a significant component of growing a customer base. But if you have a seamless experience and your personal information is part of a neatly wrapped Christmas package for identity thieves, then that completely overshadows your experience and perception of that brand. Marketers need to understand that their first priority needs to be security, always, before they can address the technical and logistical aspects of creating an ideal customer experience.