Holding execs accountable can prevent future hacks like Marriott's

If you have stayed at any of Marriott’s 30 hotel brands in the past four years, from the Westin to Le Meridien, your personal information is likely to have been stolen.

Marriott customers have just suffered one of the largest data breaches of all time. Nearly 500 million people have had their personal information, including passport numbers, dates of birth and home addresses stolen. And all of this has been happening since 2014.

ADVERTISEMENT

Marriott’s response has been underwhelming. Marriott’s emails to customers are difficult to authenticate, and Marriott has failed to secure easily confused domain names, such as “marriot-email,” which could lure unsuspecting victims into compounding their problem by sharing password information as they react to the news.

Meanwhile, Marriott has offered a single year of a monitoring service by WebWatcher, a service that ironically requires customers to provide even more private information, such as their social security, credit card and bank information, so WebWatcher can scan the dark web for the sale of their personal information.

Sadly, Marriott’s data breach follows a familiar pattern: Delayed recognition of a breach followed by poor communication that ultimately places the onus of solving the problem back on consumers. This data breach dance is unacceptable.

To effect a change, we need to take three key actions.

First, we need to hold executives accountable when data breaches occur. This involves going back in time to investigate what senior leadership knew and what they were doing during the breach. Data security is no longer a new threat, and we should expect executives to follow a set of best practices for safeguarding data.

Those executives who fail to follow these practices should be held responsible. This is especially true for sensitive information such as passport numbers.

Second, related to the notion of holding executives responsible, we need to devote far greater resources to data security and monitoring. For some companies, this will require the creation of a new, senior executive position.

Marriott Executive Chairman J.W. Marriott, Jr. famously stated, “How we do business is as important as the business we do.” Enacting that motto, Marriott earned the plaudit of the World’s Most Ethical Company by Ethisphere Institute in 2017.

We know in hindsight, however, that “how” they do business failed to ensure that their customers enjoyed a reasonable standard of security. In 2017, Marriott customers’ data was vulnerable to cyber-criminals for the past three years.

Third, executives should anticipate data breaches. Just as every large building holds fire drills to prepare for the worst, executives should have a plan in place to deal with a data breach.

This should include plans to monitor existing systems to recognize breaches quickly. Security experts, such as Andrei Barysevich from Recorded Future, argue that Marriott should have been able to detect this hack in 2015, soon after it occurred — not years later.

In addition, anticipating a data breach should include a response plan with the following elements: effective communication, an apology and a plan to remedy the situation for those affected.

As Marriott’s response demonstrates, it is very difficult to develop an effective reaction in the midst of a crisis. This is why Marriott, and every other large company, should develop a plan today.

We experience hundreds of data breaches every year across every major industry. It is impossible to prevent every attack, but we can develop a plan, and we should expect more from the leaders we entrust with our data.

Maurice Schweitzer is a professor of operations, information and decisions at the Wharton School of the University of Pennsylvania. He is the co-author of "Friend & Foe: When to Cooperate, When to Compete, and How to Succeed at Both."