Another Day, Another Privacy Breach

On Friday, we learned about the Starwood Hotels (Marriott International Hotel Chain) data breach and the approximately 500 million guests that may have been affected, dating back to 2014. Let’s put this into perspective, Marriott Hotel group runs more than 6,700 hotels globally, so there is a strong likelihood that if you stayed in one of these properties your data was affected. Which means that in this regard, it was a big ball drop. .
I don’t mean to pick on Marriott (full disclosure I am an elite customer of their guest loyalty program). However, what is amazing to me is that this data breach went unnoticed since 2014. This means no one was watching the compliance store for four years.
Data breaches are complicated and can be very hard to discover the larger the organization the more complex they are. My expectation is that when I check in to a hotel, I expect a lock on the door in my room, so why not one on the network?
While restaurant chains, to date, have not experienced the scale of breach that Marriott or Target have experienced, restaurants are not immune – data transactions occur with almost all transactions.   And when you add in e-clubs membership, the transactional data is linked with personal data.
Lately, however, privacy breaches seem to be a daily occurrence and my concern is that we are becoming desensitized to these very important, and with some focus, manageable events.

Is it time for national privacy legislation?

Senator Ron Wyden thinks so, and I would have to agree. He has introduced a bill “The Consumer Data Protection Act of 2018” that would create national legislation and empower the Federal Trade Commission (FTC) to manage the compliance requirements. Highlights include:

1. Establish minimum privacy and cyber security standards.
2. Issue steep fines (up to 4% of annual revenue), on the first offense for companies and 10-20 year criminal penalties for senior executives.
3. Create a national Do Not Track system that lets consumers stop third-party companies from tracking them on the web by sharing data, selling data, or targeting advertisements based on their personal information. It permits companies to charge consumers who want to use their products and services, but don’t want their information monetized.
4. Give consumers a way to review what personal information a company has about them, learn with whom it has been shared or sold, and to challenge inaccuracies in it.
5. Hire 175 more staff to police the largely unregulated market for private data.

This blog was written by Dave Fowler, Fishbowl’s VP of Strategic Services & Data Protection Officer