Yet another company reveals its lost tape tale, but this time it's personal.
"I am writing you on behalf of Marriott Vacation Club International about an unfortunate incident ... We believe that the lost backup tapes contained your name and American Express credit card with the number ending in 2008."
After years of waxing prophetic about the risks corporations run by not encrypting data, it's happened to me. How irritating. I'm no Ted Kennedy, and my bar bill has far fewer implications for CNN and the other national media, but reading "Please be aware that depending upon what other personal data may have been kept on these backup tapes, you may receive additional mailings from us" doesn't make me feel any better.
Additional mailings? Oh, that makes me feel comfy. I shouldn't fret about the fact that how much I spend on my timeshare, what I buy when I'm there or how much I like to blow in the casino is now public record because there will be another mailing.
Reality says there's nothing I can do. I could sell the timeshare, but I like the place, so that's not reasonable. If I could, I'd dump Marriott as fast as possible, but I'm not sure there are any other people in the business who are any better at protecting my data. The fact is, everyone sucks at it.
If any business people out there happen to be reading this, here's a novel idea: Remove your heads from your collective backsides and market the fact that you actually protect--securely--your clients' data. That means doing something about your backup and security processes that have more problems than France's immigration policies. I'd buy from you just because I wouldn't end up in a Bulgarian identity-theft scam.
The thing that ticks me off the most is not that these problems happen (it was just a matter of time) and continue to happen (now companies just have to tell us about it), but that they don't need to happen. The technology to prevent this from being a problem has been around for years. It's the buffoons who like to stick their heads in the sand and think "our backup, disaster recovery and security are rock solid" who are the problem. These problems are solvable with only the slightest bit of thought and a little money.
How much will this mishap cost the Marriott? I don't know, but it cost them my goodwill, for what that's worth. I know I'll never give them a credit card, passport number or social security number again. In fact, I don't even want them to have my address. I'll also be more likely to stay at a Sheraton property--not that I know it'll protect my personal info any better, mind you.
The point is, you'll never stop bad things from happening. You can only attempt to minimize the damage that can be done. Backup and recovery stinks. Security stinks. I have spam filters out the wazoo, but I still get 87 messages a day telling me that ladies in my neighborhood will find me incredibly attractive as long as I get my "no prescription required" male enhancement drugs over the Internet.
If you deal with the public, your company will eventually be exposed to consumer data theft or loss and you'll have to face the music. You need to do something about it now before your company is the next one to have to publicly flog itself. It's not like you don't spend money on this stuff every year anyway; you just need to spend the money the right way.
This column by
first appeared in
magazine's February 2006 issue.
About the author:
Steve Duplessie is the founder and senior analyst for the Enterprise Strategy Group in Milford, Mass.