Recently I was on vacation, and while most of it was great, one hotel we stayed at was subpar, for several reasons. Finding a hotel for the place, time frame, and price point we wanted was not easy, and I admit I was more focused on finding viable options and didn’t do a whole lot of checking reviews. 

After we arrived and experienced that hotel’s unique “charm,” I decided to take a look at a popular travel-and-reviews site. Now, normally I don’t spend much time on that site or put a lot of stock in the content due to their “pay to play” reputation. But in this case, it was the quickest and easiest way to satisfy my curiosity. 

Lo and behold, there were a bunch of low-star reviews closely mirroring our experience. (For example, I am pretty sure the room type we booked does not actually exist in that building.) Also curiously, the positive reviews were very positive, all written in the same language, and in a noticeably similar style. Hmm.

The day after we got home I got an email from the hotel, thanking me for staying there, saying they hoped I had a good stay and they looked forward to seeing me again, and asking me to leave a positive review on that very same travel and reviews site. I immediately forwarded the email to the friend I’d travelled with and we both boggled at the request. I believe the term “chutzpah” certainly applied.

I half-wondered if they’d ever actually looked at their reviews on that site. Or perhaps they do, hence trying to up their average. By doing absolutely nothing about all the issues outlined in multiple low-star reviews.

In this instance, my poor impression of one company affected my experience with another, and vice versa. (If I’d seen those reviews before booking, I would have booked elsewhere.) Now I just think they’re both sketchy.

Recently, I read about a data breach affecting a financial services company. As I understand it, the source of the breach was a third-party vendor they worked with at two degrees of remove. (In data privacy parlance, the data controller’s data processor’s data processor.) Additionally, the actions that led to the breach were sloppy and bad policy/processes.

This breach may or may not cause serious issues for the financial service’s company’s clients, but the company’s reputation and its clients’ trust had to have taken a big hit. Which will also likely translate to a longer-term revenue hit for the company paying for mitigation and monitoring services, as well as if some clients take their business elsewhere. There can also be fines, system and operational upgrades, and other expenses that were likely not planned for.

The financial services company wasn’t directly responsible for the screwup, but it’s going to be tarred with the same brush as the vendor. Probably more so. Especially since no one’s ever heard of the vendor, but the financial services company is reasonably well known. 

At the same time, though, that sloppiness and those bad policies and processes should have come to light in a risk assessment or audit a long time ago. So the financial services company isn’t entirely blameless. Under many data-privacy laws it is the data controller that is ultimately responsible for data protection, including work done for them by third parties. 

There are also plenty of regulations to which companies are beholden beyond just data-privacy laws, and running afoul of any of them could cause big problems.

Two cautionary anecdotes of widely varying type and severity, but they highlight the same warning: choose and vet your partnerships carefully. Getting too entwined with the wrong one, especially financially, could have dire consequences.

I’ve already noted a couple of risk categories: trust and reputation, and financial. But it doesn’t end there. As the data-breach example shows, there can be security and compliance risks if partners and/or vendors are not adequately diligent, especially about data that comes from your company, customers, or other partners. Bad reviews on a third-party site could reveal a business’ health and safety violations.

A number of laws require companies to perform security due diligence on vendors and partners, but companies actually have to do it and keep up with it. The more outsourcing or third, fourth, or fifth parties that become involved, the harder it can be to ensure that everyone is following the rules and putting the customer first.

Tied to the financial risks are operational ones. I’m sure everyone at the financial services company is very busy. I’m sure none of them welcomed the urgent and significant workload that would have arrived courtesy of the vendor’s data breach. 

Crisis communications and planning for customers, cooperating with authorities, setting up programs to help mitigate and protect theft-related issues that could result for clients, etc. Also, under some laws, if there are data-protection issues, authorities can halt data processing and other operations temporarily or permanently, which could be a serious wrench in the works of a company’s operations.

Particularly relevant to the hotel and travel reviews site issue is the importance of analyzing why you are considering partnering or have partnered with another organization. Do you think it will be lucrative and help you grow? Is it because you don’t feel you have a choice as they’re an 800-pound industry gorilla? Is it because it just seems like the thing to do because you’ve seen that others have done so? Maybe they seem to have the best sell of their features or what they can do for you? 

This really goes for any vendor due diligence. It’s literally companies’ sales and marketing job to make you and other organizations believe that they’re the best, the most user-friendly, powerful, growth-centric, reliable, scalable, AI-driven, etc. solution that is absolutely tailored to your needs. Even if their solution has umpteen widgets you don’t need and would cost half your budget. Or could expose you to liabilities.

Partnerships aren’t like marriage, per se, but they can end more ugly than the ugliest divorce, and affect far more people if there is a point of failure (or the partnership breaks down entirely). Even if it’s not your fault.

And it’s not like the partner that let you down is going to help you recover. Sure, they may have some legal responsibilities, but there’s nothing they can do to help you salvage your customer base, your company’s good reputation, or long-term revenue. There’s a good chance you want to get as far away from them as possible. 

I mean, some companies that have really screwed up have ended up entirely rebranding and changing their names to try and distance themselves from past sins. Number one focus for them is saving their own butts.

You can be sure I am going to check reviews more carefully next time I book hotels for a trip. I’m not sure how that financial services company’s customers would go about demanding all the details of their vendors’ security operations, but they would probably like to know. Barring that, I imagine some of them will take their business elsewhere while regularly checking their credit scores for some time.

Consumers need to be diligent about protecting themselves when doing business with companies, and companies need to be even more diligent about partnering with other companies because there are so many more moving parts and entities involved. 

Caveat emptor all around.