The Definition of Insanity: Marriott Edition

Here we go again. Yet another massive data breach, yet another case of years-long access to half a billion people’s personally identifiable information, and yet another case of large, powerful, faceless corporations being hacked while we’re all left holding the bag.

Let me tell you what happens next:

  1. A corporate spokesman from Marriott blames their acquired entity, Starwood, and reiterates that they, Marriott, did not suffer from any such data breach.

  2. Their stock drops.  

  3. Politicians and media-types will tweet about the need to “do something.”  Much gnashing of teeth and lamenting about the lack of solutions.  Blame apportioned to “big, bad, company” executives.

  4. 500M people will get their 2nd, 3rd, or even 4th identity “monitoring” solution.  They’ll have to go through a painful registration process which half to two-thirds won’t even bother to do.  It will happen again, so why bother?

  5. Their stock will go back up (mostly because the robot algorithms will deduce it is under-valued).  Marriott will pay a big fine and many, many, many millions of Starwood loyalists will have to deal with the subsequent years of identity theft in all its various forms.  

What’s that old adage?  The definition of insanity is doing the same thing over, again and again, expecting a different outcome?  

No doubt many of you have read the same drivel about “What To Do If You’re a Starwood Member.”  Sign-up for the monitoring service, change your passwords, check your credit cards, etc, etc, blah, blah, blah.  USELESS.  

Identity theft is like a diet: you can ask the government to enforce accurate disclosures (e.g., food labeling) and you can ask companies to ensure the safety of their food supplies (e.g., organic), but there will always be changes to the food pyramid, bad lettuce, and massive beef recalls.  It’s just a fact, just like there will always be data breaches.

Maybe Marriott/Starwood will be found negligent in some aspect of their security measures.  But let’s be realistic:  If they were A+, it would not matter.  Our own government agencies, with the best and brightest minds (no sarcasm here), with unlimited budgets and resources, have failed/will fail to stop data breaches.  It’s a “law of physics” problem.  To say you can stop them is akin to saying you can suspend gravity.  Will.  Not.  Stop.

Instead of blaming others or asking impotent government agencies to protect us, it is incumbent on each of us to take proactive, vigilant, consistent action with respect to our personal information…just like we do with respect to the food we eat.

Like what, you say?  Here’s a starter list:

1.  Realize there are brands you can trust absolutely, brands that you should expect to trust, and brands that simply aren’t ever trustworthy.

For example, you should absolutely trust any company whose business model is predicated on products and services that promise to protect you, whether that is your safety, the safety of your food, or your computer.  Seat-belt manufacturers, organic and non-GMO grocers, and anti-virus companies all have significant “skin in the game” with respect to their offerings.  Getting it wrong is not only bad for you, it’s devastating to their businesses.  Rely on their self-interests to protect yours.

Brands that you should be able to trust include credit reporting agencies, your favorite hotel/airline/etc., and any e-commerce site.  They should be taking care of your information as if it’s in their best interest, but it’s really not in their self-interest to do so.  Nor does it serve their business model.  It is, however, in their self-interest to trade your personal information for profit (e.g., Equifax), retain and increase your loyalty (e.g., SPG reward points), or sign you up/check you out as fast as possible (e.g., Amazon Prime).

Fast food should be healthy and safe, but it’s called “fast” not “healthy and safe” food. 

Finally, there are brands you should simply never, ever, trust.  Period.  Do I need to mention why?  Because they use your personal information, harvest your habits, emotions, friendships, and fears, all for their gain.  Not yours.  Simple to understand.

2. Use tip #1 as a guidepost for how much or how little you share with those brands.

With brands you do trust, share the personal information required to get the best service.  Feel comfortable giving them most of your sensitive information.  Trust they’ll be good caretakers, but continually verify this.  How?  Two-factor authentication, good password hygiene, and paying attention to third-party reviews are a good start.

With brands you should trust, be cautious.  Share the absolute minimum required for service.  Think about alternative email addresses, phone numbers, and mailing addresses to build barriers and moats around your most valuable/sensitive personal information.  Be cautious with what you provide here because chances are high they’ll abuse that information.

With brands you know going in are untrustworthy, it’s simple.  Treat them the way they treat you.  Don’t give them valuable information.  Don’t ever let them suck contacts, phone numbers, and emails off your phone.  Load them up with garbage data—burner numbers, junk emails, even alternative personal details.  Why?  Because they’re harvesting anything and everything you put into their system.  Unless you want to get 400 robocalls a week, be influenced by fake, depressing, or otherwise slanted news, or have your content, pictures, and personal habits passed over to other parties without your consent, you should take active measures to protect yourself.

3.  Leverage free and premium services to protect the most desirable pieces of your personal identity; protect your email, phone, and credit cards with these tools.  They’re easy to find in the App Stores for Apple and Google. 

4.  For God’s sake, stop giving out your mobile number to every stranger, app, and site.  Treat it like your social security number.  Do you give that to the cashier for your discount on Doritos?  Instead, get a second number for this.  Mobile carriers like T-Mobile and Verizon offer multiple numbers for a given device right now.  Apple is preparing to launch dual-SIM devices for this type of use.  And of course, there’s always MySudo.

5.  Finally, always turn on 2FA where it’s offered.  Yes, it’s a pain.  Yes, it adds friction to your log-in.  Know what else adds friction?  Reading food labels, counting calories, and watching your portions.  But you do it.  Or you will in January.

The bottom line is this:  There will always be hacks and data breaches.  They will always be troubling, and there is very little regulation can do to solve this—unless you want to abdicate lots and lots of your personal freedoms.  Treat your digital diet like your food diet: take responsibility for what you put in your digital world and how you handle your digital details, and leverage all the tools available to you to protect yourself and your family.

There is no silver bullet.  Just like there’s no magic pill for weight loss.  Constant vigilance, discipline where needed, and being ok with failure are the long-term strategies that win.  

Then again, maybe there will be a pill for weight-loss that actually works without side-effects or troubling “leakage.”  

Maybe quantum computing will be that pill for cybersecurity…ah, another post!!!