Last Friday, Marriott disclosed that the data of about 500 million guests had been exposed as a result of a hack that dates all the way back to 2014.

In 2014, hackers exploited the reservation system of Starwood Hotels and Resorts, which was acquired by Marriott in 2016. The breach exposed user data that not only included names, phone numbers, email addresses, passport numbers, and dates of birth, but even access to some encrypted credit card data.

As a result of this breach, Marriott may be one of the first organizations to feel the full force of the EU’s General Data Protection Regulation (GDPR) penalties. GDPR exposes Marriott to unprecedented levels of financial penalties and to personal liability for its executives. Marriott acquired Starwood back in 2016, but did not find out about the 2014 breach until several months after the merger. GDPR requires companies to alert government authorities within 72 hours of a known breach. Given that Marriott did not disclose this breach until last week, it could face fines of up to 4 percent of its global revenue. Because ownership of Starwood changed hands, the investigation into the violation will take time and may not be finalized until later in 2019.

Separately, the first of what is expected to be many class-action lawsuits against Marriott have already been filed on behalf of customers affected by the breach. On top of that, Marriott’s security is also facing probes from the New York Attorney General’s office.

A Risk-Based Approach to GDPR

The GDPR is risk-based, which means that failing to take sufficient measures to mitigate a risk can result in greater penalties for companies. To avoid penalties, companies can use enterprise risk management (ERM) software to document what the company did, when it did it, and which employees were responsible for the planning and execution. The hotel industry is an interconnected web of business entities. From shops and restaurants to business centers and dry-cleaning services, each business has its own risks that need to be properly assessed and monitored. Proper operationalization of GDPR policies and controls with enterprise risk management would likely have enabled Marriott to avoid most, if not all, GDPR penalties.

Reputation risk is also a major factor for both customers and investors. For Marriott, the length of time it took to discover a series of breaches that date back to nearly 4 years ago, coupled with its post-breach reaction, is a considerable impediment to its efforts to regain user and investor trust after a series of privacy and security scandals.

Investors and Consumers have a Greater Voice in the See-Through Economy

Marriott is the latest failure in risk management that has been exposed by the See-Through Economy. Over the past several years, poor security and data breaches have become a recurring pattern affecting other huge companies. To put it into perspective, hackers stole nearly 143 million users’ data during the Equifax data breach in 2017, and Marriott suffered a breach nearly triple the size of that. Some believe that companies are opting for inadequate security because it is cheaper than the consequences of a data breach. However, as the See-Through Economy intensifies, it brings the much-needed transparency and accountability to all roles and industries.

When evaluating the cost of a data breach, calculating the penalties that result from regulatory actions has become an outdated method. Now, the consequences of the See-Through Economy are measured in lost revenue from customers switching brands, which in turn triggers investor sell-offs. In fact, studies have shown that 81% of consumers will switch brands based on a perceived lack of accountability and effectiveness in risk management.

In an incredibly fast-paced age of transparency, consumers and investors are empowered through interconnectivity and technology to impact a company’s reputation. The See-Through Economy dictates that customers will choose alternative hotels with safer data security and investors thus will withdraw, likely making even these increased penalties seem small in comparison.

How To Manage Risk In The See-Through Economy

Companies need to start treating personal information with the same sensitivity they apply to credit card numbers. This requires an ERM solution to identify what kind of data your company stores, where that data is stored, and which security measures are in place to protect it.

Companies already face Payment Card Industry Data Security Standard (PCI DSS) requirements for card numbers and SOC 2-related compliance risks for their vendors. US states have passed, and continue to pass, regulations for customer data similar to the European GDPR, such as California’s AB-375 Consumer Privacy Act of 2018 (CCPA) and New York’s DFS Cybersecurity Regulation (23 NYCRR 500). The most important takeaway is the need to take a risk-based approach to data security and privacy. An ERM solution provides a comprehensive framework that addresses all data security and privacy regulations. Not only will it protect a company from regulatory penalties, but also from the scandal of public scrutiny that the See-Through Economy brings.

The Future of Risk Management

As stakes climb higher and the public becomes more aware of companies’ responses to failures in risk management, the need for effective risk management is even more apparent. This breach fits the recurring pattern of scandals that huge companies have been facing, all of which are preventable through risk management. Over the course of 14 years of research I have found that in the majority of cases many employees on the front lines of their companies not only knew about key risks but had escalated those risks to higher management.

While the breach stemmed from the acquisition of Starwood Hotels, that was not the major issue at play, as thousands of acquisitions occur every year. When managed effectively through an ERM program, acquisitions can bring about positive change. It is important for companies to consider that changes such as these are a key source of risk and require due diligence. When Marriott acquired Starwood, it was not only acquiring assets, employees and customers, but new risks as well. It is critical that risk assessments be conducted around areas of change. Having a vendor management system in place helps manage changes in the supply chain and third-party vendors during an acquisition and prevents this kind of mistake as well.

An ERM system can not only identify and fill gaps in Marriott’s cybersecurity policies and procedures across the enterprise, but also maintain and prove compliance with GDPR, among other regulations. Enterprise risk management could eliminate the silos that separate Marriott’s interconnected business entities and seamlessly mitigate their risks.

Download our free eBook!

Download “7 Ways to Build a Business Case for ERM Software” to get the tools you need to articulate what’s holding your organization back, and the actionable benefits that a risk-based ERM software solution can bring to your organization.

About the Author: Steven Minsky

Steven is a recognized thought leader in ERM, CEO of LogicManager, and co-author of the RIMS Risk Maturity Model. Follow him on Twitter at @SteveMinsky

This article was originally published on LogicManager.com


Steven Minsky, CEO and Founder of LogicManager, is a recognized thought leader in risk management. Steven is well known for his prescient ability to guide organizations through future risk events. Steven is a frequent speaker in the Energy, Financial Services and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic impacts in January of 2020 and swiftly published action plans to help organizations prepare.
