Welcome to Travel Buddy
In this episode of Travel Buddy, host Brandon Giella speaks with Scott Napieralski, Senior Director of Engineering at Switchfly, about the critical importance of data security in the travel and loyalty program industry. Scott explains how loyalty programs collect vast amounts of personal data—such as traveler numbers, passport information, and preferences—which make them high-value targets for cybercriminals. They explore the evolving regulatory landscape, including GDPR and CCPA, and why simply meeting compliance standards isn’t enough. Scott emphasizes the need for best practices like encryption, role-based access, and continuous audits to protect sensitive data and maintain user trust. He also highlights the importance of clearly communicating security measures to customers, which directly impacts user confidence and brand reputation. They touch on the role of AI in cybersecurity, both as a threat and a tool, and stress the necessity of ongoing vigilance.
Transcript
Brandon Giella (00:18.862)
Welcome back to another episode of Travel Buddy. I have with me on the show today for the first time, Scott Napieralski. And that is a Polish name. You just told me, right? Okay. So, but it depends on how people pronounce that, right? Napieralski. That's how you do it. Yeah.
Scott Napieralski (00:37.504)
Indeed. Yes, yes sir. Yeah, yeah, yeah, we're going with the Americanized pronunciation here, but it's Napieralski, very good.
Brandon Giella (00:45.626)
I love it. Perfect. Okay. Well, so great to meet you for the first time today. We're going to be talking about security. And so we're going to be talking about data compliance requirements and why brands need to go beyond just traditional compliance requirements and really build in a robust security practice in order that they build in trust and transparency with their audience.
So this is especially important for folks in the loyalty program industry because they have lots of data on lots of people. And so they are a prime target for cyber criminals to access that data. So we'll be talking about some things in that vein just here in a minute. But Scott, give us a little bit of background on what you do for Switchfly. What is your role? What is your team? What do you guys do? And then we'll dive into some of the specifics.
Scott Napieralski (01:36.387)
Yeah, absolutely. So I am a senior director of engineering here with Switchfly.
I've been with the company for about five years now doing a variety of different roles, most recently working with a couple of our Agile development teams here to build out a lot of different exciting features for our customers, things like amazing homepage features, trying to recommend different trips for customers that they can take. So really the value that we're trying to deliver is to match the right person up with the right trip at the right time. Potentially, if we understand some data about you that maybe you have a family, you might want to go to Disney World.
A lot of people do. Or potentially, you're starting to get married and you want to go on a honeymoon and you might want to go to the great beach destination or something like that. And we can match up some of that information that we have about our customers with great deals that we also have in our platform so that we can, again, deliver them that right trip at the right time. So as you can imagine, we use a lot of information that...
Brandon Giella (02:28.924)
Yes.
Scott Napieralski (02:56.782)
potentially, you know, things that we're talking about here today. You know, personal data about people, what we can find out about them and make sure that, you know, we want to use that information to deliver great experiences for customers but also make sure it's protected at the same time.
Brandon Giella (03:13.33)
Awesome. So if I'm understanding you right, if you had information on me that I have a two and a half year old and a five week old, you will not serve me Disney excursions because you know, I don't want to lug around a toddler for 10 miles while I'm walking through the parks and the heat of Florida. Is that right? Okay. Okay. Great.
Scott Napieralski (03:31.258)
Well, we try. We try to get as close to that as we possibly can. The individual preferences of a user always play into what we try to present to them as well. It really kind of depends on how much you use the platform, how good we can get that data. Yeah, absolutely. If we figure out that you're not searching for any of those Florida destinations, we're gonna give you something completely different. Maybe a Calgary trip instead.
Brandon Giella (03:50.226)
That's right.
Brandon Giella (03:54.278)
That's right.
Brandon Giella (04:00.198)
That's right.
That sounds great. I've never been to Canada, so that would be great. I take it back. I've been to Quebec. No, yeah, I have young children. And so my wife talks about Disney and I'm like, I don't know, give us a, give me a few more years before we get there. Okay. Awesome. Awesome.
Scott Napieralski (04:15.692)
Yep, yep, absolutely.
Brandon Giella (04:19.116)
Okay, so let's start with this first section talking about loyalty program data and why it's often a target because in order to have personalized travel deals in this case, but other loyalty perks and things like that with other programs, you do have to have a lot of data to really understand the person that you're trying to reach with this, you know, whether this offer or whatever the rewards might be. And so there's obviously like privacy and personalization issues within there. But as a
result, the loyalty programs themselves, loyalty providers, they become a target for cyber criminals because of this massive trove of data that they do have on people because they're trying to. Obviously, the point is, if you can be as personalized and targeted with your loyalty program, that is huge value to the members of these programs. But it also creates this kind of liability on the security side. So can you talk a little bit about what is the kind of data that a typical loyalty program
Scott Napieralski (04:49.057)
Absolutely.
Scott Napieralski (04:58.702)
sure.
Brandon Giella (05:19.12)
will collect, including Switchfly's programs, and then why that might be a target, and then what happens if that data does get breached? I mean, obviously, there have been a lot of high profile breaches over the last couple of years, and people talk about with modern AI tools, able to build programs and things faster that may likely continue unless you have really robust practices built in place. Is that the case?
Scott Napieralski (05:47.266)
Yeah, yeah, absolutely. So, you know, first of all, like, why are loyalty, you know, loyalty companies particular targets? You know, I think certainly it's a central point where so many of these different pieces of user data come together. You know, it can be.
potentially if you're going to Home Depot or to the restaurant down the street, they're gonna gather some very small specific pieces of information about you as you're a customer there. They might track your name, they might track your address, but they won't really delve as deeply into your life as maybe a loyalty provider would, especially in the travel space.
You know, people are potentially sharing things like their known traveler numbers with us or passport numbers, you know, information that can be like really sensitive for customers. So it becomes an incredibly large target for folks to, for malicious actors, for hackers to come in and try to grab all of that information from a central location rather than going out
having to pull it from multiple different locations. It can be a really attractive target for them. At the same time, it means that we need to pay a lot of attention to putting multiple different protections in place for the consumer so that we are making life as difficult as possible for those people who want to grab that data from us.
Brandon Giella (07:28.114)
Mm-hmm.
Yeah, we'll talk about some of those in the future. Then in future parts of the show. But so OK, so very high value targets for criminals, lots of data that are involved in these kind of these loyalty programs. But as a result of that, there are regulations that have come across the pipe for a lot of different loyalty leaders, but data providers in general around compliance and like regulatory approval and things like that. So you have
Scott Napieralski (07:36.479)
Absolutely.
Brandon Giella (08:00.434)
for example, like GDPR, CCPA, and there's like SOC 2 certified, and there's all these acronyms that are kind of like base level like tables. Yeah, yeah. And it gets a little confusing as an outsider, you I don't know all this stuff. But so walk us through some of those, like what are the key characteristics or maybe the major like legislative or compliance requirements that a loyalty provider should.
Scott Napieralski (08:07.213)
A whole alphabet of letters and numbers, yeah. Absolutely, absolutely.
Brandon Giella (08:28.238)
obviously have in place. And then the point really is that it's not enough just to do that. They do some basic things that are very, very helpful and that it would be wise to follow those those kind of requirements. But it's not enough, which we'll get to in a second. But but walk us through kind of like the base level like table stakes.
Scott Napieralski (08:30.114)
Mm-hmm.
Scott Napieralski (08:46.561)
Yeah, absolutely. So, you know, one of the first large pieces of legislation to come on the scene was GDPR. And so this was a piece of legislation that came in in the European Union, actually I want to say about 10 or 15 years ago at this point.
Brandon Giella (09:07.282)
That sounds right, yeah.
Scott Napieralski (09:11.049)
Although all my years are starting to blur together now. But in any case, there you go, so I was right on that. I was right on. So okay, so, you know, the interesting thing about that piece of legislation is that it applied not just to European companies, but to anybody who does business with a European person. And so, you know, at that point in time a lot of US companies
Brandon Giella (09:13.65)
2016 it was adopted. There you go. Came into effect 2018. Yeah.
Brandon Giella (09:33.97)
Hmm.
Scott Napieralski (09:41.369)
They get caught unaware, I wouldn't say, but at the same, but maybe it wasn't top of the line for them. They weren't thinking about exactly how do we become compliant with this law that is in a completely other continent that we haven't thought about.
So it became a huge focus for a lot of US companies as that became clear as it started to be implemented, as you said, between 2016 and 2018. And a lot of the major protections that are included there are things that you see every day as you're browsing the web. If you enjoy clicking yes, I accept cookies every time you go to a web page, you can think.
Brandon Giella (10:18.562)
I don't Scott, I don't.
Scott Napieralski (10:22.404)
I don't know if anybody really does, but if you do enjoy it, you can thank GDPR for that. That's a provision of GDPR, just to let folks know, as you're
collecting their data in one way or another, to let them know that you're doing that. So you have to make sure that customers are aware that there is documentation about what data is being collected, what that data is being used for, and then give them the right to either pull that data out of your system and see what you're tracking or to have that data deleted from your systems. So it's really a very privacy focused law.
trying to protect the consumer's rights, individual rights, to what data a company might be collecting on them. CCPA is a very similar piece of legislation that came through in California.
I'll say that one probably didn't have as much of an impact in the industry as GDPR did because folks had already started to get used to GDPR by that point. And a lot of the provisions are very similar, except that one applies specifically to California residents rather than EU residents. So.
Maybe if you had a business at that point that you were only in the United States, you were guaranteeing that nobody outside the US could access it, maybe that impacted you a little bit more. But most folks have been allowing Europeans to do that, to access their sites forever. And so there were some slightly different kinds of provisions and different
Scott Napieralski (11:54.187)
ways of segmenting that data for CCPA, but in general, it's a very similar thing. It's just letting consumers know what you're tracking and making sure that they have the right to understand what you're using that data for.
Brandon Giella (12:06.898)
That's right, that's right. And now even there's further laws like the right to be forgotten, things like that, where you can like submit a request to be like, hey, delete me forever from your servers and all that kind of stuff, which sounds great actually. Yeah.
Scott Napieralski (12:15.838)
Absolutely, absolutely. So those are like specific provisions of those two laws, is that, you know, that right to be forgotten is part of those two laws for sure. Yeah.
Brandon Giella (12:24.142)
Okay. Okay. Yeah, I've heard a lot of talk about that one lately. Very cool. Okay. So there's like this, these kind of base level, kind of, like you said, provisions, legislative actions, or just, you know, different kind of like compliance bodies that are writing laws and talking about the way that companies ought to handle consent, their data, especially when it goes across different borders and regions. But
Scott Napieralski (12:51.028)
Absolutely.
Brandon Giella (12:52.038)
but there's much more that companies ought to do to have best practices when it comes to security. So there's a step beyond that that a lot of loyalty providers have considered and are considering, but as these laws are always changing, as the technology is changing, it's great to be aware of some of these best practices.
And so some that come to mind are like encryption, multi-factor authentication, role-based access, providing regular audits on their systems and things like that. Can you talk about like, if we're making sure that we're gonna be compliant according to these certain regulations and certain industries and certain regions, but then the next step, what is the next step? What would you advise companies to look for when they're thinking about their data, their loyalty members?
Scott Napieralski (13:10.314)
Yeah.
Scott Napieralski (13:38.123)
Yeah, I mean, absolutely. This is an area where, as you said, you have to continue to raise the bar in the security and...
encryption areas, making sure that constantly you're paying attention to what the latest trends in the industry are and trying to get ahead of all the different malicious actors that are out there in the world. So, I mean, you mentioned encryption. That's a great one. Making sure that you've got
a really strong high level of data protection, making sure that data is encrypted both in transit and at rest so that when things are flying around the internet, they're not able to be pulled out and viewed by somebody who's potentially watching that connection.
But also if a hacker gains access to your systems and is starting to look at your databases, that there's an additional layer of protection on that data so that it can't be downloaded and then looked at later by somebody who is trying to steal all your information. It's really a good thing to have in place even for just general incidental
protection of that data. You know, having various people who have access to systems internally at a company, making sure that data is protected to the highest possible level so that, you know, only the folks who have to see information at any given time have the ability to see that information. That's partially related to encrypting the data and it's partially related to that role-based access that you talked about a little bit earlier where
Scott Napieralski (15:32.717)
you know, locking things down as much as possible, right? So you can think of that in terms of, you know, maybe walking around your house a little bit, right? You mentioned you have some small kids. You know, a role-based, a great role-based access model would be, hey, your role as the dad is, you know, you get to go into the kitchen cabinets with all the chemicals and things in there. And they don't, right? So you might put a lock on that cabinet to make sure that only you have the ability to get into
Brandon Giella (15:55.65)
Mm-hmm. Mm-hmm.
Scott Napieralski (16:02.67)
that area. That's a great example of making sure that those roles are split up correctly and only the people who can access that data have the ability to do so.
Brandon Giella (16:06.566)
And it's a good example.
Brandon Giella (16:12.882)
Yeah, that's a great example. Great example. OK, so I want to get into like there's a lot of different things that we could do and a lot of, you know, security folks at loyalty brands are doing these things and continue to do these things as it evolves. But I want to dive into more of like, OK, why is this so valuable that loyalty providers get this right, especially when it comes to travel? I want to hear from you like I know there's been a lot of high profile cases of where
Scott Napieralski (16:44.556)
Mm-hmm.
Brandon Giella (16:48.516)
So how is it that, what is the value for a loyalty leader to make sure that they get this right and also like communicate it effectively to their audience or to their members? Yeah, I just want to hear like, what are things that you guys have done at Switchfly that have been really helpful on the like data protection side of things, especially as it relates to marketing, as it relates
to like building that trust and transparency with their audience. Are there things that you've seen that have been very helpful? Kind of best practices, but like, maybe drivers within the business that have kind of pushed this forward. Yeah, just talk to us a little bit about that, really open-ended. Yeah, I want to get like, why is this so, why is this so important that people understand why they're doing this?
Scott Napieralski (17:28.349)
Sure.
Scott Napieralski (17:34.41)
Yeah, I mean, it's a great question. So I would say for us as a travel business, it's very important to be able to give users the feeling that their data is safe with us and that...
to have a checkout process that's as smooth as possible for those users, right? So as you're booking a trip, you can probably think back to many different times that you've been exploring, maybe I wanna book a hotel for a travel trip I have planned and I've done a bunch of research. I've got to the point where I'm about ready to put in my credit card information and click buy on that thing. If...
Brandon Giella (17:53.01)
Hmm.
Scott Napieralski (18:16.715)
It's not a brand that I use every day and see every day. Do I trust that brand or do I feel like I'm potentially giving my information to somebody who's not going to use it correctly?
Brandon Giella (18:29.586)
Yeah.
Scott Napieralski (18:30.153)
that sort of thing can just stop a user in their tracks. And especially in an industry that has as much commodification as we do in many ways, they can take that same booking over to another platform. We need to make sure that they feel safe and secure with us moving through that process so that there's nothing that stops them through that flow. So how do we do that? A number of different ways. The most effective ways are to try to
integrate into the user's experience to provide some messaging as they're going through those checkout flows or different things that kind of tries to seamlessly give them the feeling that we're doing the right things, like potentially some little forms, some little...
links that go off into privacy policies or into just encryption methods, things like that that users might look for. But really also just
reiterating that message throughout the user's experience. Anytime that there's an opportunity to kind of talk to people about, you know, what exactly our safety and security procedures are, it's useful to do so so that people get that message reinforced with them over and over again.
Brandon Giella (20:00.1)
Thinking even as like little green locks, you know, when I like fill out something that like this little lock comes up, it just makes me feel like, okay, they know what they're doing, you know. Yeah.
Scott Napieralski (20:07.819)
Absolutely, absolutely. And there's multiple different ways to do that, right? I mean, as, you know, we've both been around enough times, things change in the internet little by little, and you used to see the little lock up on the top of your browser, and that's sort of standard now.
Brandon Giella (20:12.529)
Yeah.
Brandon Giella (20:19.194)
Yeah.
Scott Napieralski (20:25.511)
Folks, everybody's doing the HTTPS encryption. It's kind of table stakes for any website that's out there, but continuing that sort of messaging in multiple different ways can be really valuable.
Brandon Giella (20:35.868)
Yeah.
Have you, does anything come to mind where you have this example of a loyalty provider that might have thought that they were doing the right thing, but there was this loophole or there was this bug or something in the process that really opened them up to vulnerabilities that they didn't even know were there? Does any case like that come to mind?
Scott Napieralski (21:00.075)
Well, I don't know if I can think of a particular loyalty provider, but over and over again in the software world, there's been multiple, multiple instances of that sort of data happening. You hear about credit card breaches from consumers all the time, things like that where, you know.
Anytime a user or a hacker is able to pull that kind of information out of a system, there's been some kind of failure in the process. I would say the thing that, again, you talk about staying up to date and making sure that developers are paying attention to latest security practices, it's a process of continuous retraining and improvement.
Brandon Giella (21:50.588)
you
Scott Napieralski (21:52.978)
that's partially required by some of the legislation and certification that you talked about, but then again going beyond that and making sure developers are constantly staying up to date on how to protect users information is really, really key because...
Brandon Giella (22:07.954)
Yeah.
Scott Napieralski (22:10.303)
You know,
Brandon Giella (22:40.06)
Do you think that there's, I mentioned AI earlier, do you see like generative AI having a positive or maybe negative effect on the security industry, just like that hackers now, they're able to up their game a lot better. Now, of course the security providers are as well, but you know, maybe there's some kind of like overlap there, yeah.
Scott Napieralski (22:58.613)
I was just gonna say, I think that's, yeah, I think that's exactly what it is. AI is gonna be leveraged by both sides in this battle. I have seen, every new development in technology that I've seen over the 25, 30 years of my career has been this exact thing where one side uses it to find more vulnerabilities and then the other side uses it to try to patch and block those vulnerabilities.
Brandon Giella (23:06.418)
Hmm.
Scott Napieralski (23:25.931)
AI absolutely is going to be something that completely changes our industry. We're certainly seeing that already. But at the same time, it's going to be more and more important to have smart people who are able to figure out how to best leverage that AI to protect their users.
Brandon Giella (23:50.608)
What is one thing that
If you were speaking to an audience in the travel and loyalty industry, let's say you were on a podcast or something like that. What is one thing you would want to get across that these folks should know based on your 30 years' experience? You've been doing this a long time. What is one thing that maybe it might be overlooked, you know, long forgotten, or it might be there's a lot of hype and they shouldn't worry about it as much? What comes to mind? Something that you wish people would know more about.
Scott Napieralski (24:01.023)
Ha!
Scott Napieralski (24:22.442)
in the security area specifically? I think, I guess, that's a great question. What would be something that I, you know, I guess just, we've talked about it in a few different ways, but like the continued vigilance, I think is the thing that I would emphasize again, that, you know, really the, it's very easy to get.
Brandon Giella (24:24.52)
Yeah,
Brandon Giella (24:40.466)
Hmm.
Scott Napieralski (24:48.55)
excited about new features. That's what we all want to do as we're developing things. We want to deliver great things for our customers and make sure that they're having the best possible experience. Being able to deliver that stuff, but also continue to think about how we make it the safest possible experience for people is a real balancing act in a lot of ways. As a leader especially, making sure that you focus on
that security piece, it can very quickly and easily be put to the side if you're not on top of it. And I think that's where, as we talked about, you know, a lot of the people that have had or companies that have had issues in the past ended up falling on the wrong side of that split. So continue to be vigilant and make sure that users are protected. Really easy to say, but probably one of the toughest things to actually do.
Brandon Giella (25:46.034)
It makes me think of like insurance or something. It's like nobody really wants to think about insurance or wants to pay that bill every month. But it's like the minute you don't or something goes wrong, it's a major problem. I mean, you're talking like billions of dollars in just, you know, the fines and fees that go with it. But then the brand trust that's lost as a result of a breach. That's the stuff that I think is hard to quantify, but it is just enormously valuable. And if there were just some security
Scott Napieralski (25:55.911)
Absolutely.
Scott Napieralski (26:08.937)
Yes.
Brandon Giella (26:16.078)
that were put in place, you know, small monthly premiums if you will, you know, put in every month, every quarter, every year. You could save yourself a lot of money in the future.
Scott Napieralski (26:23.476)
Yeah.
Well, that is 100% true. I mean, you said it better than I could ever say it there. I think, you know, making sure that your brand is protected is really kind of the key there. You know, it's very, very easy. You can put in years and years of work to build it up in consumers' minds and you can lose it in a matter of hours. So making sure that that's not the case is key for any kind of technology leader.
Brandon Giella (26:55.25)
That's right, that's right. Okay, last question for you. You've been a wonderful guest. What is the favorite place you've ever traveled?
Scott Napieralski (27:05.258)
Great question. So a few years ago I got married to my wife and we took an awesome trip to the south of France. We went to Nice. Spent a few days in Nice and then
Scott Napieralski (27:22.94)
Perhaps I'm letting out a secret, but we drove along the coast here. You drive along the coast from Nice to Marseille and there is a national park right outside of Marseille called, and I'm probably messing up this pronunciation a ton, but the Calanques National Park, which is like these deep, almost like fjords with crystal clear blue water at the bottom of them that you hike into.
Brandon Giella (27:31.484)
Yeah.
Brandon Giella (27:38.992)
Okay.
Scott Napieralski (27:50.63)
So I would say that day, hiking into the Calanques, on my honeymoon with my wife. Absolutely the best possible trip. I would recommend it highly to anyone.
Brandon Giella (27:59.762)
Wow. The clocks, is that Polish? So how do you pronounce it? No, I'm just kidding. No, I love that. I've always wanted to go to the south of France. I just think the photos are beautiful. And I've been to Paris and Lyon and Bordeaux and, you know, Western or Eastern France. And I just love that area, but I've never been into the south of France. So now I know outside of Marseille, go to there's a park out there that's beautiful. OK, good to know.
Scott Napieralski (28:03.86)
French. Man, you got me before, you got me.
Scott Napieralski (28:22.248)
Yeah. Yep. Absolutely. You gotta do it.
Brandon Giella (28:27.996)
Good to know, good to know. Well, Scott Napieralski, thank you so much for joining. Appreciate your insights, as this is a really important topic and it continues to evolve. I mean, we've seen, like I said, a lot of breaches and things like that. And it's just an important, important thing for loyalty providers to get right. So thank you for your expertise and we will see you next time on the show.
Scott Napieralski (28:49.375)
Thank you so much.