See more at Switchfly.com
Welcome to Travel Buddy, presented by Switchfly. In this podcast, we talk about all things travel, rewards, and loyalty. Let's get to it.
Brandon Giella: Welcome back to another episode of Travel Buddy. I have with me on the show today for the first time, Scott Napolski. And that is a Polish
Scott Napieralski: indeed.
Brandon Giella: told me. Right? Okay. So, but it depends on how people pronounce that, right?
Scott Napieralski: We're going with the Americanized pronunciation here, but Napolski, very good.
Brandon Giella: Napolski. Perfect. Okay. Well, so great to meet you for the first time. Today we're gonna be talking about security, and so we're gonna be talking about data compliance requirements and why brands need to go beyond just traditional compliance requirements and really build in a robust security practice in order that they build in trust and transparency with their audience. So this is especially important for folks in the loyalty program industry because they have lots of data on lots of people, and so they are a prime target for cyber criminals to access that data. So we'll be talking about some things, uh, in that vein just here in a minute. But Scott, give us a little bit of background on what you do for Switchfly. What is your role? What is your team? What do you guys do? And then we'll dive into some of the specifics.
Scott Napieralski: Yeah, absolutely. So, uh, I am a senior director of engineering here with Switchfly. I've been with the company for about five years now, doing a variety of different roles, but most recently working with a couple of our agile development teams here to build out a lot of different exciting features for our customers. Things like amazing homepage features, trying to recommend different trips for customers that they can take. So really the value that we're trying to deliver is to match the right person up with the right trip at the right time. If we understand some data about you, that you have a family, you might want to go to Disney World; a lot of people do. Or potentially, you know, you're starting to get married and you want to go on a honeymoon and you might want to go to the great beach destination or something like that. And we can match up some of that information that we have about our customers with great deals that we also have in our platform so that we can deliver that right trip at the right time. So, as you can imagine, we use a lot of information that is personal data about people, what we can find out about them, and make sure that, you know, we wanna use that information to deliver a great experience for customers, but also make sure it's protected at the same time.
Brandon Giella: If I'm understanding you right, you had information on me that I have a two and a half year old and a five week old, you will not serve me Disney excursions because, you know, I don't wanna lug around a toddler for 10 miles while I'm walking through
Scott Napieralski: Yeah.
Brandon Giella: parks and the heat of Florida.
Scott Napieralski: Oh, well, we try to get as close to that as we possibly can. The individual preferences of a user always play into what we try to present to them as well. It really kind of depends on how much you use the platform and how good we can get that data. But, yeah, absolutely. If we figure out that you're not searching for any of those Florida destinations, we're gonna give you something completely different. Maybe a Calgary trip instead.
Brandon Giella: That sounds great. I've never been to Canada, so that would be great. I know, I take it back. I've been to Quebec. It's my, we have young children and so my wife talks about Disney and I'm like, I don't know. Give us a, give me a few more years, you know, before we get
Scott Napieralski: Yeah,
Brandon Giella: Awesome. Okay, so let's start with this first section talking about loyalty program data and why it's often a target, because in order to have personalized travel deals in this case, but other loyalty perks and things like that with other programs, you do have to have a lot of data to really understand the person that you're trying to reach with this, you know, whatever this offer or whatever the rewards might be. And so there's obviously, like, privacy and personalization issues within there, but as a result, loyalty programs themselves, loyalty providers, they become a target from cyber criminals because of this massive trove of data that they do have on people, because they're trying to, obviously the point is if you could be as personalized and targeted with your loyalty program, that is huge value to the members of these programs, but it also creates this kind of liability on the security side. So can you talk a little bit about what is the kind of data that a typical loyalty program will collect, including Switchfly's programs? And then why that might be a target, and then what happens if that data does get breached. I mean, obviously there have been a lot of high profile breaches over the last couple of years, and, you know, people talk about with modern AI tools able to build programs and things faster that may likely continue unless you have really robust practices built in place. Is that the
Scott Napieralski: Yeah. Yeah, absolutely. So, you know, first of all, like, why are loyalty companies particular targets? You know, I think it's a central point where so many of these different user data come together. You know, it can be, if you're going to Home Depot or to the restaurant down the street, they're gonna gather some very specific pieces of information about you as you're a customer there. You know, they might track your name, they might track your address, but they won't really delve as deeply into your life as maybe a loyalty provider would, especially in the travel space, where people are potentially sharing things like their known traveler numbers with us, or passport numbers, you know, information that can be really sensitive for customers. So it becomes an incredibly large target for malicious actors, for hackers to come in and try to grab all of that information from a central location rather than going out, having to pull it from multiple different locations. It can be a really attractive target for them. And at the same time, it means that we need to pay a lot of attention to putting multiple different protections in place for the consumer so that they are making life as difficult as possible for those people who want to grab that data from us.
Brandon Giella: Yeah, we will talk about some of those in future parts of this show. Um, very high value targets for criminals. Lots of data involved in these loyalty programs. As a result there are regulations for a lot of different loyalty leaders, but data providers in general, around compliance and regulatory approval. So you have, for example, GDPR, CCPA, SOC 2 certified and all these acronyms that are kind of like base level, like
Scott Napieralski: letters and numbers.
Brandon Giella: Yeah. And it gets a little confusing as an outsider, you know, I don't know all this stuff. But so walk us through some of those, like what are the key characteristics, or maybe the major legislative or compliance requirements that a loyalty provider should obviously have in place. And then the point really is that it's not enough just to do that. They do some basic things that are very, very helpful, and that it would be wise to follow those requirements, but it's not enough, which we'll get to in a second. But walk us through kind of like the base level, like table stakes.
Scott Napieralski: Yeah, absolutely. So, you know, one of the first large pieces of legislation to come on the scene was GDPR. This was a piece of legislation that came in the European Union about 10 or 15 years ago at this point.
Brandon Giella: Right. Yeah.
Scott Napieralski: Uh. Although all my years are starting to blur together now, but, uh, in any case, um,
Brandon Giella: It was adopted. There you go. Came into effect
Scott Napieralski: was right on.
Brandon Giella: Yeah. Yeah.
Scott Napieralski: I was right on. So, okay. You know, the interesting thing about that piece of legislation is that it applied not just to European companies, but to anybody who does business with a European person. And so, you know, at that point in time, a lot of US companies didn't get caught unaware, I wouldn't say. But maybe it wasn't top of mind for them. They weren't thinking about exactly how do we become compliant with this law that is in a completely other continent that we haven't thought about. So it became a huge focus for a lot of US companies as that became clear, as it started to be implemented between 2016 and 2018. And a lot of the major protections that are included there are things that, you know, you see every day as you're browsing the web. If you, you know, enjoy clicking "Yes, I accept cookies" every time you go to a webpage,
Brandon Giella: I don't, Scott. I don't.
Scott Napieralski: I don't know if anybody really does, but if you do enjoy it, you can thank GDPR for that. That's a provision of GDPR, just to let folks know, as you're collecting their data in one way or another, to let them know that you're doing that. So you have to make sure that customers are aware that there is documentation about what data is being collected, what that data is being used for, and then give them the right to either pull that data outta your system and see what you're tracking or to have that data deleted from your systems. It's really a very privacy focused law, trying to protect the consumer's rights, individual rights to what data a company might be collecting on them. CCPA is a very similar piece of legislation that came through in California. I'll say that one probably didn't have as much of an impact in the industry as GDPR did because folks had already started to get used to GDPR by that point. A lot of the provisions are very similar, except that one applies specifically to California residents rather than EU residents. So maybe if you had a business at that point that you were only in the United States, you were guaranteeing that nobody outside the US could access it, maybe that impacted you a little bit more. Most folks have been allowing Europeans to access their sites forever. And so there were some slightly different kinds of provisions and, you know, different ways of segmenting that data up for CCPA. But in general, it's a very similar thing. It's just letting consumers know what you're tracking, and making sure that they have the right to understand what you're using that data for.
Brandon Giella: That's right. And now even there's further laws like the right to be forgotten, things like that where you can, like, submit a request to be like, "Hey, delete me forever from your servers," and
Scott Napieralski: Absolutely. So those are specific provisions of those two laws. Is that right to be forgotten part of those two laws? For sure. Yeah.
Brandon Giella: Okay. Yeah, I've heard a lot of talk about that one lately. Um, very cool. Okay. So there's like these kind of base level provisions, legislative actions or just different compliance bodies that are writing laws and talking about the way that companies ought to handle consent, their data, especially when it goes across different borders and regions. But there's much more that companies ought to do to have best practices when it comes to security. So there's a step beyond that that a lot of loyalty providers have considered and are considering. As these laws are always changing, as the technology is changing, it's great to be aware of some of these best practices. And so some that come to mind are like encryption, multifactor authentication, role-based access, you know, providing regular audits on their systems and things like that. Can you talk about, like, okay, if we're making sure that we're gonna be compliant according to these certain regulations and certain industries and certain regions, but then the next step, what is the next step? What would you advise companies look forward to when they're thinking about the data of their loyalty members?
Scott Napieralski: Yeah, I mean, absolutely. This is an area where you have to continue to raise the bar in security and encryption, making sure that you're paying attention to the latest trends in the industry and trying to get ahead of all the different malicious actors that are out there in the world. So I mean, you mentioned encryption. That's a great one. Making sure that you've got a really strong, high level of data protection. Making sure that data's encrypted both in transit and at rest, so that when things are flying around the internet, they're not able to be pulled out and viewed by somebody who's potentially watching that connection. But also, if a hacker gains access to your systems and is starting to look at your databases, that there's an additional layer of protection in that data so that it can't be downloaded and then looked at later by somebody who is trying to steal all your information. It's really like a good thing to have in place, even for just general incidental protection of that data. If, you know, having various people who have access to systems internally at a company, making sure that data's protected to the highest possible level so that you know only the folks who have to see information at any given time have the ability to see that information. That's partially related to encrypting the data, and it's partially related to that role-based access that you talked about a little bit earlier, where, locking things down as much as possible. Right. So you can think of that in terms of maybe walking around your house a little bit. You mentioned you have some small kids. A great role based access model would be, your role as the dad is, you get to go into the kitchen cabinets with all the chemicals and things
Brandon Giella: Mm-hmm.
Scott Napieralski: and they don't. So you might put a lock on that cabinet to make sure that only you have the ability to get into that area. That's a great example of making sure that those roles are split up correctly and only the people who can access that data have the ability to do so.
Brandon Giella: Yeah, that's a great example. A great example. Okay, so I wanna get into, like, there's a lot of different things that we could do, and a lot of, you know, security folks at loyalty brands are doing these things and continue to do these things as it evolves. But I want to dive into more of, like, okay, why is this so valuable that loyalty providers get this right? Especially when it comes to travel. I want to hear from you, like, I know there's been a lot of high profile cases of where breaches have happened and it's led to, you know, multimillion dollar, billion dollar lawsuits in some cases. What is the value for a loyalty leader to make sure that they get this right and also, like, communicate it effectively to their audience or to their members? I just wanna hear what are things that you guys have done at Switchfly that have been really helpful on the data protection side of things, especially as it relates to marketing, as it relates to building that trust and transparency with their audience. Have there been things that you've seen that have been very helpful? Kind of best practices, but like, you know, maybe drivers within the business that have kind of pushed this forward. Just talk to us a little bit about that. Really open-ended, but, yeah, I wanna get
Scott Napieralski: Sure.
Brandon Giella: why is this so important that people understand why they're doing this?
Scott Napieralski: Yeah, I mean, it's a, it is a great question. So I would say for us as a travel business, it's very important to be able to give users the feeling that their data is safe with us and to have the smoothest possible checkout process for those users, right? So as you're booking a trip, you can probably think back to many different times that you've been exploring. You know, maybe I wanna book a hotel for a travel trip I have planned and I've done a bunch of research, and I've got to the point where I'm about ready to put in my credit card information and click buy on that thing. If it's not a brand that I use every day and see every day, do I trust that brand? Or do I feel like I'm potentially giving my information to somebody who's not gonna use it correctly? That sort of thing can just stop a user in their tracks. And especially in an industry that has as much commodification as we do in many ways, they can take that same booking over to another platform. We need to make sure that they feel safe and secure with us moving through that process, so that there's nothing that stops them through that flow. So how do we do that? The most effective ways are to try to integrate into the user's experience to provide some messaging as they're going through those checkout flows or different things that kind of tries to seamlessly give them the feeling that we're doing the right things, like, you know, potentially some forms or some links that go off into privacy policies or into just encryption methods, things like that that users might look for. And really also just reiterating that message throughout the user's experience. Anytime that there's an opportunity to kind of talk to people about what exactly our safety and security procedures are, it's useful to do so, so that people get that message reinforced with them over and over again.
Brandon Giella: I'm thinking even, as, like, the little green lock. You know, when I, like, fill out something that, like, this little lock comes up, it just makes me feel like, okay, they know what they're doing.
Scott Napieralski: Absolutely. And there's multiple different ways to do that, right? We've both been around enough times, things change in the internet little by little, and you used to see the little lock up on the top of your browser. And that's sort of standard now, folks, everybody's doing the HTTPS encryption. So it's kind of table stakes for any website that's out there. But then, continuing that sort of messaging in multiple different ways can be really valuable.
Brandon Giella: Hmm. Does anything come to mind where you have this example of a loyalty provider that might have thought that they were doing the right thing, but there was this loophole or bug in the process that really opened them up to vulnerabilities that they didn't even know were there? Does any case like that come to mind?
Scott Napieralski: Well, I don't know if I can think of a particular loyalty provider, but over and over again in the software world there's been multiple instances of that sort of data happening. You hear about credit card breaches from consumers all the time, things like that where, anytime a hacker's able to pull that kind of information out of a system, there's been some kind of failure in the process.
Brandon Giella: Hmm.
Scott Napieralski: You know, I would say the thing that, again, you sort of talk about staying up to date and making sure that developers are paying attention to the latest security practices. It's a process of continuous retraining and improvement. Certainly, something that's partially required by some of the legislation and certification that you talked about. But then again, going beyond that and making sure developers are constantly staying up to date on how to protect end users' information is really key, because, you know, as a technical person, I'll say I always think I have a great understanding of how to do this. And then, every time I do the training, I learn something new. There's something else out there that is exciting and cool to find out, but then also really beneficial and valuable for our customers to help protect them. So, it's an ever evolving area of expertise.
Brandon Giella: Do you see, like, generative AI having a positive or maybe negative effect on the security industry? Just like that hackers now are, they're able to up their game a lot better now. Of course, the security providers are as well,
Scott Napieralski: I was just gonna say, I think that's exactly what it is. AI is gonna be leveraged by both sides in this battle. Every new development in technology that I've seen over the 25-30 years of my career has been this exact thing where one side uses it to find more vulnerabilities and then the other side uses it to try to patch and block those vulnerabilities. AI absolutely is gonna be something that completely changes our industry. We're certainly seeing that already. And, at the same time, it's gonna be more and more important to have smart people who are able to figure out how to best leverage that AI to protect their users.
Brandon Giella: What is one thing that, if you were speaking to an audience in the travel and loyalty industry, let's say you were on a podcast or something like that, what is one thing you would want to get across that these folks should know based on your, you know, 30 years experience? You've been doing this a long time. What is one thing that maybe might be overlooked, you know, long forgotten, or it might be there's a lot of hype and they shouldn't worry about it as much? What comes to mind? Something that you wish people would know more about?
Scott Napieralski: In the security area specifically?
Brandon Giella: Yeah. Yeah. Mm-hmm.
Scott Napieralski: What would be something that I, I, you know, I guess just, we've talked about it in a few different ways, but like the continued vigilance, I think, is the thing that I would emphasize again. That, you know, really, it's very easy to get excited about new features. That's what we all want to do as we're developing things. We want to deliver great things for our customers and make sure that they're having the best possible experience. And being able to deliver that stuff, but also continue to think about how we make it the safest possible experience for people, is a real balancing act in a lot of ways. As a leader, making sure that you focus on that security piece can very quickly and easily be put to the side if you're not on top of it. And I think that's where, as we talked about, a lot of the companies that have had issues in the past ended up falling on the wrong side of that split. So continue to be vigilant and making sure that users are protected. It's really easy to say, but probably one of the toughest things to actually do.
Brandon Giella: It makes me think of, like, insurance or something. It's like nobody really wants to think about insurance or wants to pay that bill every month, but the minute you don't or something goes wrong, it's a major problem. We're talking, like, billions of dollars in fines and fees that go with it, but then the brand trust that's lost as a result of a breach. That's the stuff that I think it's hard to quantify. But it is just enormously valuable. And if there were some security precautions that were put in place, you know, small monthly premiums, if you will, you know, put in every month, every quarter, every year, you could save yourself a lot of money in the future.
Scott Napieralski: Well, that is a hundred percent true. I mean, you said it better than I could ever say it there. I think making sure that your brand is protected is really kind of the key there. It's very easy. You can put in years and years of work to build it up in consumers' minds, and you can lose it in a matter of hours. So making sure that that's not the case is key for any kind of technology leader.
Brandon Giella: Last question for you. You've been a wonderful guest. What is the favorite place you've ever traveled?
Scott Napieralski: Great question. So, a few years ago I got married to my wife and we took an awesome trip to the south of France. We went to Nice, spent a few days in Nice. Perhaps I'm laying out a secret, but we drove along the coast here. You drive along the coast from Nice to Marseille and there's a national park right outside of Marseille called, and I'm probably messing up this pronunciation a ton, but the Calanques National Park, which is, like, these deep, almost like fjords, with crystal clear blue water at the bottom of them that you hike into. And so I would say, like, that day, like hiking into the Calanques on my honeymoon with my wife, absolutely the best, the best possible trip. I would recommend it highly to anyone.
Brandon Giella: The clogs. Is that Polish, is that how you pronounce it? No, I'm just kidding. No, I
Scott Napieralski: Oh man, you got me.
Brandon Giella: I, I've always wanted to go to the south of France. I just think the photos are beautiful and I've been to Paris and Lyon and Bordeaux and, you know, west or eastern France, and I just love that area. But I've never been to the south of France, so now I know outside of Marseille go to, there's a park out there that's beautiful. Okay.
Scott Napieralski: Absolutely.
Brandon Giella: Good to know. Well, Scott Napolski, thank you so much for joining. Appreciate your insights as this is a really important topic and it continues to evolve. We've seen a lot of breaches and things like that, and it's just an important thing for loyalty providers to get right. So thank you for your expertise and we will see you next time on the show.