When Dmitry Argarkov received a credit card offer from his bank he did the unusual: he read the terms and conditions. Then he went a few steps further. He scanned them into his computer and altered the terms to be at 0% interest, an unlimited line of credit and heavy penalties to the bank if they changed the terms or cancelled the card. When the bank sent back his credit card he realised they had accepted his altered T&Cs. However, when he didn't pay his bill the bank thought differently.
How risky are the terms and conditions at all the access points other organisations have access to data? There have been several changes in recently updated T&Cs in hotel websites, certain airline distribution sites and new emerging access points not previously recognised. The question that also has to be asked is whether this area of risk is the responsibility of the travel manager or a company's security division.
The travel manager's role continues to evolve. As we know, it is no longer merely contracts, reporting, analysis, on the road technology, duty of care, and human resources demands that expand the role. Most companies have very tight internet security through their company portals. It is on the road that data escapes and travels on its own and is very often completely outside the jurisdiction of company policy.
©iStock.com/maxkabakov
So whose job is it anyway?
All websites under EU law are required to publish their "Privacy Policy." It is supposed to be clear and accessible. However, this is not always the case. For example, one very prominent website wants to let you know your data will be used for targeted ads by highlighting in their T& Cs that data will be used to provide you with "ads you'll find most useful." It also highlights in bold type that they will track "the people who matter most to you online." This might be fair enough because when we write emails the system prompts us with others we may want to copy in on the email. However, the T&Cs then follow on in non-highlighted, smaller print, to let us know that they will also track "which YouTube videos you like."
Which YouTube videos does your CEO or managing director like? Somebody knows.
Emma Cox, director at the internet privacy research organisation Big Brother Watch says, "a privacy policy shouldn't be so loosely-worded that it allows for any number of companies to have access to a customer's data." Yet most T&C refer to the fact that the data will be passed to third parties for consolidation so that ads can be better targeted to the user's interest. This is where the leakage starts. Here is a typical clause taken from a well-known hotel chain website:
"The Services may frame or contain references or links to other websites not operated or controlled by us (the "Third Party Services"). The policies and procedures we described here do not apply to the Third Party Services.
This means that they are going to sell my data to a third party whose Privacy Policies I cannot see, and do not know. Furthermore the services that I use 'may' frame or contain references to other links; they 'may' but they don't HAVE to indicate who these companies might be. In all my research I have not found one set of T&Cs that indicate who these 'third parties' might be. It seems to be a step too far to be told. Here's another clause that might give us pause for thought on the topic.
"You also hereby grant each user of the Services a non-exclusive licence to access your User Content."
This implies that not only do I give permission for the website I am using to access my user content but this permission is non-exclusive. By using the website, I have given permission for them to share my data, and I agree to the non-exclusive use of it, so it can be passed along to anyone. This is not a round trip ticket for my data, but an open-ended Round the World pass. Just in case there is any doubt about this, the clause goes on to say:
"and to use, reproduce, distribute, prepare derivative works of, display and perform such User Content as permitted"
Since I have already given away the rights to my "User Content" the door is wide open. There is a new and emerging area now open to collecting data. Wearables such as the watch, the 'lifestyle' band, the glasses and who knows what next are popular and sales of them are predicted to increase by more than 35% over the next few years. These devices, particularly the 'lifestyle' wrist bands, collect data about how much we sleep, how well we sleep, how successful we are at losing weight, giving up smoking, or in some cases how high is our happiness index.
In investigating some of the T&Cs of these wearables, I find that the Privacy Policies are the same as websites. Basically, they can collect all data, even the names of my Facebook friends, in just the same way. Should I be worried? Perhaps not. But since these companies can sell on my data and that it will be combined with other sources, they will know many details about me including my employer. Collectively, what is the risk factor for a given corporation's work force? Where will this data end up, who will use it, will it help or hinder?
Nicolas Borel, COO of technology at Amadeus, speaking at the recent Business Travel Show in London thinks that wearables could be useful in the travel space. Suppose the 'lifestyle' wearable sends data back to the travel manager. This data shows that the traveller has had less than four hours' sleep for the last four nights because they have been travelling on company business. This information prompts an automatic upgrade to business class. The company's travel policies could be completely redefined. No longer would it be a question about the length of a flight but more about the length of time on the road, measurable stress factors, and sleep patterns. Is this yet another of a travel manager's tasks?
When the bank took Mr. Argarkov to court they used the defence that they had not read the terms and conditions. The judge had none of it, and found in Mr. Argarkov's favour stating that he had heard that defence all too often before from consumers!
Might it now be time to consider where your company's data is travelling and through which 'gates' it is taking its ride?