If you’ve been hibernating, or if you just ignore headlines that include social media networks, you may need a little context for the rest of this post. If not, feel free to skip ahead to the first lesson in the next section.
Here’s the short version of the Facebook security debacle. A psychologist named Aleksandr Kogan created an app for the platform that presented itself as a personality quiz. Two-hundred seventy thousand Facebook users took the quiz. In order to install the app, they had to consent to letting the app access their Facebook profile as well as the profiles of their friends. This resulted in Kogan collecting the profile information of up to 87 million Facebook users, only 270,000 of whom gave consent. Kogan sold the data to Cambridge Analytica who used it to influence voters in the 2016 United States presidential election.
When word got out, Facebook users were not happy with how their personal information had been handled. Many called it a security breach, although Facebook has not used that terminology.
Here’s what your company needs to learn and apply from the fiasco.
Take responsibility for both ends of the data flow.
Facebook maintained a laissez-faire approach to what was done with the data Kogan collected. After all, the app users had consented. Psychologist Aleksandr Kogan was not held accountable for how he used data gathered from the “personality quiz” he created for the social network. (He sold it to Cambridge Analytica, in case you missed it.)
Make no mistake, Kogan gathered the data. Kogan sold the data. Then Mark Zuckerberg (chairman and CEO of Facebook) had to testify before Congress about the data Kogan got from him.
The lesson to take from this is that people hold the owners of the data responsible for keeping it safe. Learn from this maelstrom. Take responsibility for how your hotel collects data and how it’s used after it’s been collected.
Have a clear understanding of third-party intent.
Facebook knows now how important it is to understand how a third-party app will be using the data it collects and exactly what data will be collected. In Kogan’s case, he said he was using the consenting participants’ data for research. However, he also scraped the consenters’ friends’ data… and sold it all to another entity.
In the eyes of the public, Facebook was guilty by association. As discussed in the previous section, consumers hold the owner of the data responsible, even when it’s not the owner of the data who leaked it.
Two takeaways here:
- Be careful which third-party app integrations you associate with. Hold those third parties to the same standard for privacy that you hold for your company. To do so will mean overseeing exactly how they’re interacting with your customers’ data.
- Don’t just take a third-party’s word for it or assume they will secure data the way you do. Validate their security before signing an agreement with them.
What does it mean to give consent?
Facebook users who took the personality test Kogan created gave consent for Kogan to access their Facebook information and that of their friends. Like most of us, they probably didn’t read the fine print very closely and assumed it was a typical consent form about their own data for the purposes of the app only.
Be clear about what is being consented to and know who exactly is giving consent to what on your property. One consent does not automatically grant multiple consents. In other words, make sure you and your guests know exactly what’s being agreed upon and what that agreement means for the long term.
Third-party access credentials
Other lessons don’t apply as directly to the Facebook security issue but address practices for keeping customer information secure. How you provide access credentials is one such practice. There are plenty of honest, non-deceptive third parties you can and should do business with. Some of those organizations will need access to your PMS, wireless network, or other systems where customer data is stored in order to provide their services.
When providing access credentials to third parties, use unique credentials for each third party so you know exactly who is accessing your system, when, and for what purpose. It’s also vital that you change the access credentials routinely and only provide them on a need-to-know basis.
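The three practices above (one credential per vendor, scoped to the systems it needs, rotated on a schedule) can be made mechanical. The following is an added example, not code from the original post or from Samsung Networks: a small registry that issues a separate credential per third party with an allowed-system list and an expiry date, retires the old credential when a new one is issued, and an audit routine that reads access-log lines to spot a vendor credential being used from more than one source address (a sign it has been shared or leaked). The `VendorAccessRegistry` class, the log line format and the vendor names are all constructed for illustration.

```python
"""Per-vendor access credentials: issue, scope, rotate and audit.

Added example (not from the original post). The registry, the log
format and the vendor names are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class VendorCredential:
    vendor: str
    systems: frozenset      # which systems this vendor may reach (need-to-know)
    key_id: str             # public identifier that appears in access logs
    secret_hash: str        # only a hash of the secret is stored
    issued: datetime
    expires: datetime


class VendorAccessRegistry:
    """One credential per third party, with its own scope and expiry."""

    def __init__(self, lifetime_days=90):
        self.lifetime = timedelta(days=lifetime_days)
        self._by_key_id = {}
        self._by_vendor = {}

    def issue(self, vendor, systems, now):
        """Issue a fresh credential; any earlier one for this vendor is retired."""
        secret = secrets.token_urlsafe(32)
        cred = VendorCredential(
            vendor=vendor,
            systems=frozenset(systems),
            key_id=f"{vendor}-{secrets.token_hex(4)}",
            secret_hash=hashlib.sha256(secret.encode()).hexdigest(),
            issued=now,
            expires=now + self.lifetime,
        )
        old = self._by_vendor.get(vendor)
        if old is not None:
            del self._by_key_id[old.key_id]      # rotation: old secret stops working
        self._by_vendor[vendor] = cred
        self._by_key_id[cred.key_id] = cred
        return cred, secret   # the secret is shown once; only the hash is kept

    def check(self, key_id, secret, system, now):
        """Decide whether a presented credential may reach `system` right now."""
        cred = self._by_key_id.get(key_id)
        if cred is None:
            return "unknown-credential"
        presented = hashlib.sha256(secret.encode()).hexdigest()
        if not hmac.compare_digest(presented, cred.secret_hash):
            return "bad-secret"
        if now >= cred.expires:
            return "expired"
        if system not in cred.systems:
            return "out-of-scope"
        return "ok"


# Constructed log lines: "<timestamp> key_id=<id> system=<name> src=<ip> result=<r>"
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z key_id=laundry-1 system=pms src=203.0.113.10 result=ok",
    "2024-05-01T10:05:00Z key_id=laundry-1 system=pms src=203.0.113.10 result=ok",
    "2024-05-01T11:00:00Z key_id=minibar-1 system=pms src=198.51.100.7 result=ok",
    "2024-05-02T03:12:00Z key_id=laundry-1 system=pms src=192.0.2.44 result=ok",
]


def audit_log(lines):
    """Return credentials seen from more than one source address.

    Because each credential belongs to exactly one vendor, a hit tells
    you which vendor to call about a shared or leaked credential.
    """
    sources = {}
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        sources.setdefault(fields["key_id"], set()).add(fields["src"])
    return {k: sorted(v) for k, v in sources.items() if len(v) > 1}


def demo():
    """Walk through scope, expiry and rotation; returns the check outcomes."""
    reg = VendorAccessRegistry(lifetime_days=90)
    t0 = datetime(2024, 5, 1, tzinfo=timezone.utc)
    cred, secret = reg.issue("laundry", {"pms"}, t0)
    results = [
        reg.check(cred.key_id, secret, "pms", t0),                        # ok
        reg.check(cred.key_id, secret, "wifi-controller", t0),            # out-of-scope
        reg.check(cred.key_id, "not-the-secret", "pms", t0),              # bad-secret
        reg.check(cred.key_id, secret, "pms", t0 + timedelta(days=91)),   # expired
    ]
    # Scheduled rotation retires the old credential before it expires.
    cred2, secret2 = reg.issue("laundry", {"pms"}, t0 + timedelta(days=60))
    later = t0 + timedelta(days=61)
    results.append(reg.check(cred.key_id, secret, "pms", later))          # unknown-credential
    results.append(reg.check(cred2.key_id, secret2, "pms", later))        # ok
    return results


if __name__ == "__main__":
    print(demo())
    print(audit_log(SAMPLE_LOG))
```

The registry stores a hash rather than the secret itself, compares it with `hmac.compare_digest`, and treats a rotated-out credential as unknown rather than merely expired, so a vendor that keeps using a stale secret shows up in the log immediately.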
One thing that upset Facebook users and caused many to delete their accounts is the fact that Facebook knew trust had been broken, but they chose to remain silent until the security issue became a public matter. The EU’s new GDPR requirements address such situations directly, requiring businesses to disclose any breach to all stakeholders immediately. Not doing so leaves personal data vulnerable or exposed without individuals’ knowledge. That’s not something people tolerate well. In Facebook’s case, it negatively impacted stock value.
Personal Area Networks (PAN)
The way your hotel wireless network is configured affects the security of that network. Instead of using static VLANs and an SSID for each user type, use a dynamic VLAN to segment the network into a unique personal area network (PAN) for each guest. Doing so makes guests’ personal information less accessible to other network users and their online activities. It also removes personal information after a guest checks out of the hotel.
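To make the per-guest PAN idea concrete, here is an added example (not code from the original post or from Samsung Networks) that models what a RADIUS server returns to a wireless controller so that each checked-in guest is placed in a VLAN of their own, and what happens at checkout. The `GuestVlanAllocator` class, the guest identifiers, MAC addresses and VLAN range are constructed; the three reply attributes (`Tunnel-Type`, `Tunnel-Medium-Type`, `Tunnel-Private-Group-ID`) are the standard RFC 3580 attributes a controller uses for dynamic VLAN assignment.

```python
"""Per-guest dynamic VLAN assignment, modelled in Python.

Added example, not Samsung Networks' code. It simulates the RADIUS side
of dynamic VLAN assignment: each guest gets their own VLAN for all of
their devices, two guests never share a segment, and checkout releases
the VLAN and discards the guest's records. Guest ids, MACs and the VLAN
range are constructed for illustration.
"""


class GuestVlanAllocator:
    def __init__(self, first_vlan=100, last_vlan=199):
        self.free = list(range(first_vlan, last_vlan + 1))  # constructed VLAN pool
        self.assigned = {}   # guest_id -> vlan
        self.sessions = {}   # guest_id -> {"devices": set of MACs}

    def check_in(self, guest_id):
        """Front desk registers the guest; no VLAN is taken until a device connects."""
        self.sessions[guest_id] = {"devices": set()}

    def access_request(self, guest_id, mac):
        """Simplified RADIUS Access-Request handling for one guest device.

        Returns the attributes of an Access-Accept (with the RFC 3580
        tunnel attributes the controller maps to a VLAN) or an Access-Reject.
        """
        if guest_id not in self.sessions:
            return {"code": "Access-Reject", "reason": "not checked in"}
        vlan = self.assigned.get(guest_id)
        if vlan is None:
            if not self.free:
                return {"code": "Access-Reject", "reason": "no free VLAN"}
            vlan = self.free.pop(0)
            self.assigned[guest_id] = vlan
        self.sessions[guest_id]["devices"].add(mac)
        return {
            "code": "Access-Accept",
            "Tunnel-Type": "VLAN",             # RFC 3580 value 13
            "Tunnel-Medium-Type": "IEEE-802",  # RFC 3580 value 6
            "Tunnel-Private-Group-ID": str(vlan),
        }

    def shares_segment(self, guest_a, guest_b):
        """True only if both guests currently sit in the same VLAN."""
        return guest_a in self.assigned and \
            self.assigned.get(guest_a) == self.assigned.get(guest_b)

    def check_out(self, guest_id):
        """Tear down the guest's PAN: release the VLAN and drop all records."""
        vlan = self.assigned.pop(guest_id, None)
        self.sessions.pop(guest_id, None)
        if vlan is not None:
            self.free.append(vlan)
        return vlan


if __name__ == "__main__":
    alloc = GuestVlanAllocator(100, 101)
    alloc.check_in("guest-A")
    alloc.check_in("guest-B")
    print(alloc.access_request("guest-A", "aa:aa:aa:aa:aa:01"))  # VLAN 100
    print(alloc.access_request("guest-A", "aa:aa:aa:aa:aa:02"))  # VLAN 100 again
    print(alloc.access_request("guest-B", "bb:bb:bb:bb:bb:01"))  # VLAN 101
    print(alloc.shares_segment("guest-A", "guest-B"))            # False
    print(alloc.check_out("guest-A"))                            # 100 released
    print(alloc.access_request("guest-A", "aa:aa:aa:aa:aa:01"))  # rejected
```

Contrast this with a static design that maps every "guest" user to one VLAN behind a shared SSID: there `shares_segment` would be true for any two guests, and nothing would change at checkout. In the dynamic model a device that reconnects after checkout is rejected, the guest's device list is gone, and the VLAN goes back to the pool for reuse.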
To learn more about secure hotel wireless networks, talk to a Samsung Networks hospitality expert.