Welcome to Travel Buddy, presented by Switchfly. In this podcast, we talk about all things travel, rewards, and loyalty. Let's get to it.
Welcome back to another episode of Travel Buddy. I have with me on the show today for the first time, Scott Napolski. And that is a Polish
indeed.
told me. Right? Okay. So, but it depends on how people pronounce that, right?
We're going with the Americanized pronunciation here, but Napolski very good.
Napolski. Perfect. Okay. Well, so great to meet you for the first time. Today we're gonna be talking about security, and so we're gonna be talking about data compliance requirements and why brands need to go beyond just traditional compliance requirements and really build in a robust security practice in order that they build in trust and transparency with their audience.
So this is especially important for folks in the loyalty program industry because they have lots of data on lots of people, and so they are a prime target for cyber criminals to access that data. So we'll be talking about some things, uh, in that vein just here in a minute. But Scott, give us a little bit of background on what you do for Switchfly. What is your role? What is your team? What do you guys do? And then we'll dive into some of the specifics.
Yeah, absolutely. So, uh, I am a Senior Director of Engineering here with Switchfly. I've been with the company for about five years now, doing a variety of different roles, but most recently working with a couple of our agile development teams here to build out a lot of different exciting features for our customers.
Things like amazing homepage features, trying to recommend different trips for customers so that they can take, so really the value that we're trying to deliver is to match the right person up with the right trip at the right time. If we understand some data about you, that you have a family, you might want to go to Disney World, a lot of people do.
You might, you know, or potentially, you know, you're starting to get married and you want to go on a honeymoon and you might want to go to the great beach destination or something like that. And we can match up some of that information that we have about our customers with great deals that we also have in our platform so that we can deliver that right trip at the right time.
So, as you can imagine, we use a lot of information that is personal data about people, what we can find out about them, and make sure that, you know, we wanna use that information to deliver great experience for customers, but also make sure it's protected at the same time.
If I'm understanding you right, you had information on me that I have a two and a half year old and a five week old, you will not serve me Disney excursions because, you know, I don't wanna lug around a toddler for 10 miles while I'm walking through
Yeah.
parks and the heat of Florida.
Oh, well, we try to get as close to that as we possibly can. The individual preferences of a user always play into what we try to present to them as well. It really kind of depends on how much you use the platform and how good we can get that data. But yeah, absolutely. If we figure out that you're not searching for any of those Florida destinations, we're gonna give you something completely different. Maybe a Calgary trip instead.
That sounds great. I've never been to Canada, so that would be great. I know, I take it back. I've been to Quebec. It's my, we have young children, and so my wife talks about Disney and I'm like, I don't know. Give us a, give me a few more years, you know, before we get
Yeah,
Awesome. Okay, so let's start with this first section talking about loyalty program data and why it's often a target, because in order to have personalized travel deals in this case, but other loyalty perks and things like that with other programs, you do have to have a lot of data to really understand the person that you're trying to reach with this, you know, whatever this offer or whatever the rewards might be.
And so there's obviously, like, privacy and personalization issues within there, but as a result, loyalty programs themselves, loyalty providers, they become a target from cyber criminals because of this massive trove of data that they do have on people. Because they're trying to, obviously the point is if you could be as personalized and targeted with your loyalty program, that is huge value to the members of these programs, but it also creates this kind of liability on the security side.
So can you talk a little bit about what is the kind of data that a typical loyalty program will collect, including Switchfly's programs, and then why that might be a target, and then what happens if that data does get breached? I mean, obviously there have been a lot of high profile breaches over the last couple of years and, you know, people talk about with modern AI tools able to build programs and things faster that may likely continue unless you have really robust practices built in place.
Is that the
Yeah. Yeah, absolutely. So, you know, first of all, like, why are loyalty companies particular targets? You know, I think it's a central point where so many of these different user data come together. You know, it can be, if you're going to Home Depot or to the restaurant down the street, they're gonna gather some very specific pieces of information about you as you're a customer there.
You know, they might track your name, they might track your address, but they won't really delve as deeply into your life as maybe a loyalty provider would, especially in the travel space where people are potentially sharing things like their known traveler numbers with us, or passport numbers, you know, information that can be really sensitive for customers. So it becomes an incredibly large target for malicious actors, for hackers to come in and try to grab all of that information from a central location.
Rather than going out, having to pull it from multiple different locations, it can be a really attractive target for them. And at the same time, it means that we need to pay a lot of attention to putting multiple different protections in place for the consumer so that they are making life as difficult as possible for those people who want to grab that data from us.
Yeah, we will talk about some of those in future parts of this show. Um, very high value targets for criminals. Lots of data involved in these loyalty programs. As a result there are regulations for a lot of different loyalty leaders, but data providers in general, around compliance and regulatory approval. So you have, for example, GDPR, CCPA, SOC 2 certified and all these acronyms that are kind of like base level, like
letters and numbers.
Yeah. And it gets a little confusing as an outsider, you know, I don't know all this stuff. But so walk us through some of those, like what are the key characteristics, or maybe the major legislative or compliance requirements that a loyalty provider should obviously have in place. And then the point really is that it's not enough just to do that.
They do some basic things that are very, very helpful, and that it would be wise to follow those requirements, but it's not enough, which we'll get to in a second. But walk us through kind of like the base level, like table stakes.
Yeah, absolutely. So, you know, one of the first large pieces of legislation to come on the scene was GDPR. This was a piece of legislation that came in the European Union about 10 or 15 years ago at this point.
right. Yeah.
Uh, although all my years are starting to blur together now, but, uh, in any case, um,
it was adopted. There you go. Came into effect
was right on.
Yeah. Yeah.
I was right on. So, okay. You know, the interesting thing about that piece of legislation is that it applied not just to European companies, but to anybody who does business with a European person. And so, you know, at that point in time, a lot of US companies didn't get caught unaware, I wouldn't say. But maybe it wasn't top of mind for them. They weren't thinking about exactly how do we become compliant with this law that is in a completely other continent that we haven't thought about.
So it became a huge focus for a lot of US companies as that became clear, as it started to be implemented between 2016 and 2018. And a lot of the major protections that are included there are things that, you know, you see every day as you're browsing the web. If you, you know, enjoy clicking "Yes, I accept cookies" every time you go to a webpage,
don't, Scott. I don't.
I don't know if anybody really does, but if you do enjoy it, you can thank GDPR for that. That's a provision of GDPR, just to let folks know as you're collecting their data in one way or another, to let them know that you're doing that. So you have to make sure that customers are aware, that there is documentation about what data is being collected, what that data is being used for.
And then give them the right to either pull that data outta your system and see what you're tracking or to have that data deleted from your systems. It's really a very privacy focused law, trying to protect the consumer's rights, individual rights to what data a company might be collecting on them. CCPA is a very similar piece of legislation that came through in California.
I'll say that one probably didn't have as much of an impact in the industry as GDPR did because folks had already started to get used to GDPR by that point. A lot of the provisions are very similar, except that one applies specifically to California residents rather than EU residents. So maybe if you had a business at that point that, you were only in the United States, you were guaranteeing that nobody outside the US could access it, maybe that impacted you a little bit more.
Most folks have been allowing Europeans to access their sites forever. And so there were some slightly different kinds of provisions and, you know, different ways of segmenting that data up for CCPA. But in general, it's a very similar thing. It's just letting consumers know what you're tracking, and making sure that they have the right to understand what you're using that data for.
That's right. And now even there's further laws like the right to be forgotten, things like that where you can like submit a request to be like, Hey, delete me forever from your servers and
Absolutely. So those are specific provisions of those two laws. Is that right to be forgotten part of those two laws? For sure. Yeah.
Okay. Yeah, I've heard a lot of talk about that one lately. Um, very cool. Okay. So there's like this, these kind of base level provisions, legislative actions or just different compliance bodies that are writing laws and talking about the way that companies ought to handle consent, their data, especially when it goes across different borders and regions. But there's much more that companies ought to do to have best practices when it comes to security.
So there's a step beyond that that a lot of loyalty providers have considered and are considering. As these laws are always changing, as the technology is changing, it's great to be aware of some of these best practices. And so some that come to mind are like encryption, multifactor authentication, role-based access, you know, providing regular audits on their systems and things like that.
Can you talk about like, okay, if we're making sure that we're gonna be compliant according to these certain regulations and certain industries and certain regions, but then the next step, what is the next step? What would you advise companies look forward, when they're thinking about their data of their loyalty members?
Yeah, I mean, absolutely. This is an area where you have to continue to raise the bar in security and encryption, making sure that you're paying attention to the latest trends in the industry and trying to get ahead of all the different malicious actors that are out there in the world. So I mean, you mentioned encryption. That's a great one. Making sure that you've got a really strong, high level of data protection. Making sure that data's encrypted, both in transit and at rest.
So that when things are flying around the internet, they're not being able to be pulled out and viewed by somebody who's potentially watching that connection. But also, if a hacker gains access to your systems and is starting to look at your databases, that there's an additional layer of protection in that data so that it can't be downloaded and then looked at later by somebody who is trying to steal all your information.
It's really like a good thing to have in place, even for just general incidental protection of that data. If, you know, having various people who have access to systems internally at a company, making sure that data's protected to the highest possible level so that, you know, only the folks who have to see information at any given time have the ability to see that information.
That's partially related to encrypting the data, and it's partially related to that role-based access that you talked about a little bit earlier, where locking things down as much as possible. Right? So you can think of that in terms of maybe walking around your house a little bit. You mentioned you have some small kids. A great role-based access model would be, your role as the dad is, you get to go into the kitchen cabinets with all the chemicals and things
Mm-hmm.
and they don't. So you might put a lock on that cabinet to make sure that only you have the ability to get into that area. That's a great example of making sure that those roles are split up correctly and only the people who can access that data have the ability to do so.
Yeah, that's a great example. A great example. Okay, so I wanna get into, like, there's a lot of different things that we could do, and a lot of, you know, security folks at loyalty brands are doing these things and continue to do these things as it evolves. But I want to dive into more of like, okay, why is this so valuable that loyalty providers get this right? Especially when it comes to travel.
I want to hear from you, like, I know there's been a lot of high profile cases of where breaches have happened and it's led to, you know, multimillion dollar, billion dollar lawsuits in some cases. What is the value for a loyalty leader to make sure that they get this right and also, like, communicate it effectively to their audience or to their members?
I just wanna hear what are things that you guys have done at Switchfly that have been really helpful on the data protection side of things, especially as it relates to marketing, as it relates to building that trust and transparency with their audience. Have there been things that you've seen that have been very helpful? Kind of best practices, but like, you know, maybe drivers within the business that have kind of pushed this forward. Just talk to us a little bit about that.
Really open-ended, but, yeah, I wanna get
Sure.
why is this so important that people understand why they're doing this?
Yeah, I mean, it's a, it is a great question. So I would say, as for us as a travel business, it's very important to be able to give users the feeling that their data is safe with us and to have the smoothest possible checkout process for those users, right? So as you're booking a trip, you can probably think back to many different times that you've been exploring. You know, maybe I wanna book a hotel for a travel trip I have planned and I've done a bunch of research,
and I've got to the point where I'm about ready to put in my credit card information and click buy on that thing. If it's not a brand that I use every day and see every day, do I trust that brand, or do I feel like I'm potentially giving my information to somebody who's not gonna use it correctly? That sort of thing can just stop a user in their tracks.
And especially in an industry that has as much commodification as we do, in many ways, they can take that same booking over to another platform. We need to make sure that they feel safe and secure with us moving through that process, so that there's nothing that stops them through that flow. So how do we do that?
The most effective ways are to try to integrate into the user's experience, to provide some messaging as they're going through those checkout flows or different things, that kind of tries to seamlessly give them the feeling that we're doing the right things, like, you know, potentially some forms or some links that go off into privacy policies or into just encryption methods, things like that that users might look for.
And really also just reiterating that message throughout the user's experience. Anytime that there's an opportunity to kind of talk to people about what exactly our safety and security procedures are, it's useful to do so, so that people get that message reinforced with them over and over again.
I'm thinking, even as like the little green lock. You know, when I like fill out something that like this little lock comes up, it just makes me feel like, okay, they know what they're doing.
Absolutely. And there's multiple different ways to do that, right? We've both been around enough times, things change in the internet little by little, and used to see the little lock up on the top of your browser. And that's sort of standard now, folks, everybody's doing the HTTPS encryption. So it's kind of table stakes for any website that's out there. But then continuing that sort of messaging in multiple different ways can be really valuable.
Hmm. Does anything come to mind where you have this example of a loyalty provider that might have thought that they were doing the right thing, but there was this loophole or bug in the process that really opened them up to vulnerabilities that they didn't even know were there? Does any case like that come to mind?
Well, I don't know if I can think of a particular loyalty provider, but over and over again in the software world, there's been multiple instances of that sort of data happening. You hear about credit card breaches from consumers all the time, things like that, where anytime a hacker's able to pull that kind of information out of a system, there's been some kind of failure in the process.
hmm.
You know, I would say the thing that, again, you sort of talk about staying up to date and making sure that developers are paying attention to latest security practices. It's a process of continuous retraining and improvement. Certainly something that's partially required by some of the legislation and certification that you talked about.
But then again, going beyond that and making sure developers are constantly staying up to date on how to protect end user's information is really key, because, you know, as a technical person, I'll say, I always think I have a great understanding of how to do this. And then every time I do the training, I learn something new. There's something else out there that is exciting and cool to find out, but then also really beneficial and valuable for our customers to help protect them.
So it's an ever evolving area of expertise.
Do you see like generative AI having a positive or maybe negative effect on the security industry? Just like that hackers now are, they're able to up their game a lot better now. Of course, the security providers are as well,
I was just gonna say, I think that's exactly what it is. AI is gonna be leveraged by both sides in this battle. Every new development in technology that I've seen over the 25-30 years of my career has been this exact thing, where one side uses it to find more vulnerabilities and then the other side uses it to try to patch and block those vulnerabilities. AI absolutely is gonna be something that completely changes our industry. We're certainly seeing that already.
And at the same time, it's gonna be more and more important to have smart people who are able to figure out how to best leverage that AI to protect their users.
What is one thing that, if you were speaking to an audience in the travel and loyalty industry, let's say you were on a podcast or something like that, what is one thing you would want to get across that these folks should know based on your, you know, 30 years experience? You've been doing this a long time. What is one thing that maybe it might be overlooked, you know, long forgotten, or it might be there's a lot of hype and they shouldn't worry about it as much? What comes to mind?
Something that you wish people would know more about?
In the security area specifically?
Yeah. Yeah. Mm-hmm.
What would be something that I, I, you know, I guess just, we've talked about it in a few different ways, but like the continued vigilance, I think, is the thing that I would emphasize again. That, you know, really, it's very easy to get excited about new features. That's what we all want to do as we're developing things. We want to deliver great things for our customers and make sure that they're having the best possible experience.
And being able to deliver that stuff, but also continue to think about how we make it the safest possible experience for people, is a real balancing act in a lot of ways. It's, as a leader, making sure that you focus on that security piece can very quickly and easily be put to the side if you're not on top of it. And I think that's where, as we talked about, a lot of the companies that have had issues in the past ended up falling on the wrong side of that split.
So continue to be vigilant and making sure that users are protected. It's really easy to say, but probably one of the toughest things to actually do.
It makes me think of like insurance or something. It's like nobody really wants to think about insurance or wants to pay that bill every month, but the minute you don't or something goes wrong, it's a major problem. We're talking like billions of dollars in fines and fees that go with it, but then the brand trust that's lost because of a result of a breach. That's the stuff that I think it's, it's hard to quantify that. But it is just enormously valuable.
And if there were some security precautions that were put in place, you know, small monthly premiums if you will, you know, put in every month, every quarter, every year, you could save yourself a lot of money in the future.
Well, that is a hundred percent true. I mean, you said it better than I could ever say it there. I think making sure that your brand is protected is really kind of the key there. It's very easy. You can put in years and years of work to build it up in consumer's minds, and you can lose it in a matter of hours. So making sure that that's not the case is key for any kind of technology leader.
Last question for you. You've been a wonderful guest. What is the favorite place you've ever traveled?
Great question. So, a few years ago I got married to my wife and we took an awesome trip to the south of France. We went to Nice, spent a few days in Nice. Perhaps I'm laying out a secret, but we drove along the coast here. You drive along the coast from Nice to Marseille and there's a national park right outside of Marseille called, and I'm probably messing up this pronunciation a ton, but the Calanques National Park, which is like these deep, almost like fjords, with crystal clear blue water at the bottom of them that you hike into.
And so I would say, like, that day, like hiking into the Calanques on my honeymoon with my wife, absolutely the best, the best possible trip. I would recommend it highly to anyone.
The clogs. Is that Polish, is that how you pronounce it? No, I'm just kidding. No, I
Oh man, you got me
I, I've always wanted to go to the south of France. I just think the photos are beautiful, and I've been to Paris and Lyon and Bordeaux and, you know, west or eastern France, and I just love that area. But I've never been to the south of France, so now I know outside of Marseille go to, there's a park out there that's beautiful. Okay.
Absolutely.
Good to know. Well, Scott Napolski, thank you so much for joining. Appreciate your insights, as this is a really important topic and it continues to evolve. We've seen a lot of breaches and things like that, and it's just an important thing for loyalty providers to get right. So thank you for your expertise and we will see you next time on the show.
