Let’s Go to School on the Company’s Initial Statement
12/3/18 – – On September 8, Marriott’s internal security systems detected problems with the company’s Starwood guest reservation database (Marriott acquired Starwood’s hotel properties in 2016). By mid-November, experts had determined that there had been “unauthorized access” to the database since 2014 and that “an unauthorized party had copied and was able to decrypt” personal information — name, mailing address, phone number, email address, passport number, date of birth, gender, travel preferences, and possibly credit card account numbers and expiration dates — on “approximately 500 million guests” who had made Starwood reservations in the last five years.
Almost three months later, on November 30 (a Friday), Marriott informed the public of its data breach nightmare, releasing a statement (linked below) headlined: “Marriott Announces Starwood Guest Reservation Database Security Incident.” While we can debate the timeliness of the response, I believe the statement deserves high marks for tone and content. Given the increasing frequency of data breaches and the magnitude of the Marriott “incident,” it’s well worth our time to analyze this example of effective crisis communication.
As you read the release (which was posted on Marriott’s website and shared on the company’s social media platforms) you’ll find most of the elements discussed in Chapter 12 (“The Five Rs of Crisis Response”) of The Crisis Preparedness Quotient — Measuring Your Readiness to Weather a Reputational Storm: Regret, Reform, Restitution, Reaffirmation and Recovery.
In his quote, Marriott President/CEO Arne Sorenson leads with an un-sugarcoated expression of regret: “We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves.”
As for reform, Sorenson promises: “We are devoting the resources necessary to phase out the Starwood systems and accelerate the ongoing security enhancement to our network.”
A breach of this size is sure to spawn customer and investor lawsuits, as well as regulatory penalties (this could trigger significant fines, for example, under the EU’s recently adopted General Data Protection Regulation rules). But voluntary restitution is addressed in the statement: “Marriott is providing guests the opportunity to enroll in WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found.” (Full disclosure: I have worked many times with Kroll, the providers of WedWatcher, and have found them to be outstanding logistical partners for any company preventing or responding to data breaches.)
Sorenson reaffirms what Marriott stands for: “Today, Marriott reaffirms our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their information, with a dedicated website and call center.”
Recovery is always the hardest element to get into an embattled company’s initial statement. There’s a long way to go for Marriott before it can check out from this crisis. So, the company makes no effort to minimize the continuing uncertainties, challenges and obligations: “There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken . . . Marriott has reported this incident to law enforcement and continues to support their investigation. The company has already begun notifying regulatory authorities.”
My praise for Marriott’s statement is also based on what’s not included: The company offers no lame excuses (they could have blamed the pre-acquisition management of Starwood) and no waffling regarding exposure (they basically say that if you made a reservation with any Starwood property prior to November 2018 you’re at risk).
Going to school on other people’s crises is an important part of crisis prevention and preparedness. Focus first on the steps your company or organization should be taking to protect its data. Ask, “could this happen to us?” Then discuss the lessons we can learn from Marriott’s excellent initial response. They’re not out of the woods, so keep watching to see how they execute their plan through to recovery.