At the end of 2015, some of the world's most renowned hotel chains, including Starwood Hotels & Resorts, Hilton, and Hyatt, announced they had become victims of cyber attacks. Hackers had specifically targeted these chains to acquire data relating to their clients and payment information.
With the sudden increase in the number of data breaches specifically targeting the hospitality sector, it is not surprising that data security has been cited as a top priority for travel managers. According to Carlson Wagonlit Travel (CWT)'s annual travel manager survey, data security is set to have the biggest impact on travel in 2016.
Over the years, global travel managers and businesses in general have invested large amounts of time and resources to acquire valuable information about their customers and stakeholders.
Currently, the types of information held in business databases range from sensitive (passport details) to trivial (lunch preferences).
Companies often rely on more than one data management platform, both internal and external, to store and access sensitive data, such as global distribution systems (GDS) or point of sale (POS) systems. For example, it is common practice for hotels to store your payment details, as they might be used across a number of facilities such as spas, on-site restaurants and shops. Having multiple custodians of your data exponentially increases the data security risks, as each external supplier represents yet another point of potential failure and data security breach. The fact that these external suppliers will most likely be connecting to other internal or external systems further compounds the problem.
The data is therefore often fragmented and littered with inconsistencies and duplications. The unfortunate truth is that most businesses have not implemented systems to ensure that the data they hold is processed and managed according to stringent security standards designed to mitigate the risks around data governance. Many executives have been blindsided by the fact that poor data governance could literally destroy a business. Consequently, a formal process for data governance rarely makes it to the forefront of company agendas.
We are regularly witnessing businesses and professionals losing years of credibility due to data breaches. Government agencies, FTSE 250 companies, universities and even non-profit organisations have all become victims of security violations. This has led to falling stock prices, investigations from regulatory bodies, loss of reputation and serious financial penalties.
With cyber-attacks on the increase, it is now more important than ever to ensure that your business has robust security protocols in place when it comes to managing and processing data. Businesses that are unable to adequately protect sensitive information potentially face a ticking time-bomb of risks, fines and criminal prosecutions.
Beyond these very serious concerns, global travel managers have to contend with a very real threat to their duty of care, as personal information is typically part of the data that the travel function creates and consumes. This means that the travel function has to be ever more vigilant about, and sensitive to, the reality of breaches of data security.
Protecting your data
In 2014, nearly 43% of companies of all sizes across all industries witnessed a security breach, leading the year to be officially pegged as the 'Year of the Breach'. The increase in security breaches was largely attributed to businesses relying on cloud-based technologies to hold and share data.
Data is fed in from various sources, meaning the potential risk is higher. ©RyanKing999/iStock
There are two types of data that businesses should concern themselves with: personal data and commercial data. Both of these data forms have to comply with certain rules and regulations.
However, personal data is subject to the most stringent EU legislation.
Any form of information that can directly or indirectly lead to an identifiable person is classified as personal data. In the travel industry, examples of this data include: addresses, bank statements, credit card numbers, etc. Over the years, businesses have acquired a huge amount of sensitive data and, for various reasons, have simply retained it. Therefore, data held by your organisation may not be compliant with current regulations and this can lead to very serious consequences for you and your business.
There are three key data areas your business needs to consider: storage, transmission and access.
If, for example, you make a booking in a GDS, that data will be transferred to airlines, the credit card company, hotels and other suppliers. What happens to the data controls then? What policies do they have in place regarding storage, transmission and access? The truth is that we just don't know, and that's concerning.
Current legislation
Under the EU Data Protection Directive, your business is legally obliged to protect information regarding your clients, employees, suppliers and customers.
All businesses must make sure that their data complies with the following eight principles as outlined in the EU directive. Data must be:
- Used fairly and lawfully
- Used for limited, specifically stated purposes
- Used in a way that is adequate, relevant and not excessive
- Accurate
- Kept for no longer than is absolutely necessary
- Handled according to people's data protection rights
- Kept safe and secure
- Not transferred outside the European Economic Area without adequate protection
Under this legislation, businesses need to implement strict security measures and ensure that they have a process in place for regularly testing, assessing and evaluating their data management policies.
Avoid a career-ending mistake
Breaches of data protection legislation can not only lead to hefty fines (the EU agreed in December to raise the fine to 4% of turnover for companies breaching the new data protection rules), they can also be a serious threat to your brand reputation and client relationships. In order to avoid these risks, your business needs to ensure that its privacy procedures, policies and documentation are in order across your entire organisation.
It is important to start thinking smartly about the data you have acquired and possess, and about which suppliers also hold traveller data. Get your internal stakeholders on board and find out whether, and how, all information in your databases is being stored, transmitted and accessed in line with the legislation above.
If you are currently outsourcing data to a third-party data processor, it is important that they also follow the regulations outlined in the data protection legislation. This includes only allowing qualified data processing professionals access to your data, and ensuring that the data is not outsourced to a country outside the EEA without adequate levels of rights and protections for the data subjects.
Many organisations are not aware of how their data is handled and processed. As a business you may be using an external organisation to process your data, but exactly how much do you know about the processes they have in place? The travel industry is global, and it is not uncommon for businesses to have branches and operations across various continents. Therefore it is entirely possible that they are outsourcing your data to an organisation that sub-contracts overseas or hosts data on a public cloud storage platform (which may be outside of the EEA). If so, you may already be in breach of the jurisdictional requirements of the regulations.
So what's the solution?
Full visibility into data and data handling processes, in line with information governance procedures, is a key requirement for travel managers. Only through this visibility and understanding can they be assured that they are meeting their obligations to the business and to travellers.
Start by carrying out a robust review of all the personal data currently held by your business and the risks associated with it. Many security breaches arise due to negligence. Therefore, in order to mitigate risk, you ought to ask the following questions.
- Is your data up to date and relevant?
- Who has access to your data? If you are outsourcing to an external data processor, are they compliant with the EU's Data Protection Directive or the relevant legislation in your own country?
- What controls are in place limiting access to your data?
- Do you have any encryption in place?
- Are your IT systems equipped with the latest anti-virus and anti-malware?
- Is there physical security in place to limit access to only authorised staff?
- Is the technical solution single- or multi-tenanted?
Many organisations already have a data protection policy in place across the entire business, but some have not extended these procedures to process and manage personal information to the much more demanding standards required for safeguarding personal data. More importantly, each and every party that has access to the data must also comply with the same policies. One way to do so is to make all of your suppliers sign a personal information privacy agreement or similar.
To mitigate risk, you should ensure that the companies that manage your data comply with a stringent set of standards, such as the requirements of ISO 27001. The ISO 27001 certification should cover the more demanding standards appropriate to personal data, rather than merely commercial data.
Complying with these standards, by establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system, can help safeguard the data you hold.