Is It Time for National Privacy Legislation?
Recently I learned about the Starwood Hotels (Marriott International Hotel Chain) data breach and the approximately 500 million guests that may have been affected, dating back to 2014.
Let’s put this into perspective: the Marriott Hotel group runs more than 6,700 hotels globally, so if you stayed in one of these properties there is a strong likelihood that your data was affected. In this regard, it was a big ball drop.
I don’t mean to pick on Marriott (full disclosure: I am an elite customer of their guest loyalty program). However, what is amazing to me is that this breach had gone unnoticed since 2014. This means no one was watching the compliance store for four years.
Data breaches are complicated and can be very hard to discover; the larger the organization, the more complex they are. When I check in to a hotel, I expect a lock on the door of my room, so why not one on the network?
While restaurant chains, to date, have not experienced a breach on the scale of those at Marriott or Target, restaurants are not immune – data is exchanged in almost every transaction. And when you add in e-club memberships, that transactional data is linked with personal data.
Lately, however, privacy breaches seem to be a daily occurrence, and my concern is that we are becoming desensitized to events that are very important and, with some focus, manageable.
Is it time for national privacy legislation?
Senator Ron Wyden thinks so, and I would have to agree. He has introduced a bill, “The Consumer Data Protection Act of 2018”, that would create national legislation and empower the Federal Trade Commission (FTC) to manage the compliance requirements.
Highlights include:
- Establish minimum privacy and cybersecurity standards.
- Issue steep fines (up to 4% of annual revenue), on the first offense for companies and 10-20 year criminal penalties for senior executives.
- Create a national Do Not Track system that lets consumers stop third-party companies from tracking them on the web by sharing data, selling data, or targeting advertisements based on their personal information. It permits companies to charge consumers who want to use their products and services, but don’t want their information monetized.
- Give consumers a way to review what personal information a company has about them, learn with whom it has been shared or sold, and to challenge inaccuracies in it.
- Hire 175 more staff to police the largely unregulated market for private data.
- Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security.
With Senator Wyden’s efforts we are finally getting some overdue focus on a national privacy effort. We will wait and see how it fares in Congress.
Any company can be affected by a breach; it’s not a case of “if” but of “when” it will happen, and that includes restaurants. Companies that hold large amounts of data, such as hospitality companies in the case of Marriott, are prime targets for criminals.
As a restaurant service provider, we take our data security and compliance obligations very seriously, counseling our clients on GDPR and other regulations that can affect those handling customer data. Make privacy and compliance an integral part of your marketing efforts and you will secure client satisfaction without having to provide credit-freezing and credit-reporting services as a follow-up to a data loss.