The following article is by Debbie Venn, Partner, Head of Commercial and Technology, asb Law, for Travel Law Today 4th ed., which can be downloaded from ABTA's Member zone and read here.
The consequences of a cyber attack have been brought into sharp focus in recent months, particularly when the NHS fell victim to a ransomware attack in the WannaCry incident. In 2017, an estimated 5.6 million incidents of fraud and computer misuse offences were reported. Sadly, cyber attacks are on the up and growing in sophistication and frequency. Prevention is often better than cure, although sometimes your best efforts will not stop a determined cyber criminal. So what should you be aware of to try and reduce risk as much as possible to protect your business information, data and systems?
What is cyber crime/attack?
Data is a valuable business asset, and developments in technology and a changing landscape in how businesses store, hold and transfer data mean that data is often in many different places and, in the travel industry in particular, in different countries with different levels of data security. Use of third party IT providers or hosting platforms (e.g. the cloud) will mean that data is unlikely to be in your direct control. This makes it easier for someone to try to gain unauthorised access to your data.
Examples of types of threats that might appear in a ‘cyber’ environment are:
All quite nasty stuff, and your IT teams should be able to explain the systems security that you have in place to try and combat cyber attacks. However, a larger vulnerability is often people in the organisation who accidentally let attackers into their systems and network. People in an organisation therefore need to be made aware of your organisation’s cyber security measures and be vigilant to potential attacks and communications that they might receive (such as a phishing email) so they can alert IT and shut the attack process down swiftly.
What can I do to improve cyber security?
The National Cyber Security Centre gives ten useful steps to be cyber secure: www.ncsc.gov.uk. The key steps include:
For travel businesses, there are key considerations around data flows, including passing passenger information to authorities, hotels, airlines or other providers of services that are outside your organisation. You should map the data flow of your organisation so you know where the vulnerabilities to cyber attack might exist (technical and physical), to ensure that this forms part of your cyber security policy and risk management regime. Once data mapping is complete, conduct a risk assessment to also form part of your internal data protection and cyber/IT policies, which should be monitored, maintained and updated as necessary to keep up-to-date with new technologies and ways of working. It will also help feed into your disaster recovery and business continuity policies.
You should check whether your existing insurance policies include cyber cover, or whether you need to take out specific cyber insurance. Any cyber insurance cover you have should cover the risks applicable to your business and therefore should be checked against the risk assessment that you have carried out on the organisation. Cyber insurance can help not only with the costs associated with a cyber attack, but also with the costs of controlling and managing the attack, PR costs and dealing with reputational issues, and potentially damages for breach of data protection or confidentiality. There may also be fines payable to regulators, such as the Information Commissioner for a data protection breach (exacerbated by the GDPR). Your policy should be checked to see what help you can get if something goes wrong.
If something happens, actions to take: