The Subtle Art of Not Giving a F* (About Cybersecurity)
The takeaways of Marriott's damning FTC consent order
The Federal Trade Commission just announced the final order requiring Marriott International and its subsidiary Starwood Hotels to improve their digital security after a series of massive data breaches stretching back years. What is truly shocking about the order is how it illustrates just how poorly these companies have been managing the security and privacy of their customers’ information: they have to be ordered to, in effect, “give a shit” about their data.
The order starts with:
“must not misrepresent in any manner, expressly or by implication: A. Respondents’ collection, maintenance, use, deletion, or disclosure of Personal Information; and B. The extent to which Respondents protect the privacy, security, availability, confidentiality, or integrity of Personal Information.”
Say what? In other words, stop saying you care about and protect customer data, when you obviously don’t, and actually give a damn.
Next come some additional requirements; it just boggles my mind that they need to be spelled out.
Have a mandated information security program that covers the GLBA basics of a security program - what have they had in place to date?
Have Information Security Assessments performed by a Third Party - they haven’t been?
Cooperate with the Third Party assessor - you have to be ordered to cooperate? WTF!
Manage customer data deletion requests and then actually delete the data when requested - what? You don’t? (Of course they haven’t been.)
What is mind-blowing to me is that we are talking about the largest hotel company in the world that has been in operation for over a century. And this is the state of their information security program? That they have to be ordered to give a F* about security and implement the most basic protections?
When we look at the constant breaches in the news, I have to wonder about all of the other businesses who are also just paying lip service to the concept of customer data privacy and cyber security. While their disdain for protecting their customers may not be as egregious, you have only to look at the statistics on data breaches to see that the sentiment is widespread.
This attitude, which I believe is ultimately tied back to profit incentives within the board and management, is never going to change until we change those incentives. When profits are the only measure of success, we should not be surprised by the continual failures to protect consumer information.
Having worked with Marriott prior to the Starwood acquisition, I know Marriott had all of the requisite policies and procedures the FTC is asking for, and I know they were working because that is what we were asked to assess.
When the Starwood breach occurred, Marriott had just acquired them and was in the middle of bringing them into their environment but was not even close to integrating them. It was an open secret in the industry that Starwood's IT environment was garbage from a security and technology standpoint so no one was terribly surprised when they were breached.
However, it was made very, very clear from the start that it was Starwood's environment that had suffered the breach, not Marriott's. In fact, Marriott made sure to communicate with its Loyalty members (of which I am one) that their information in Marriott's possession was secure. However, those of us with Starwood accounts (I was also one) were forced to get new credentials until Marriott integrated them a few months later.