November 2018, Amsterdam
3 tips for managing travel data breaches
Since GDPR and the UK Data Protection Act 2018 came into effect in May there have been some high-profile airline data breaches. Data and cyber-security expert Keith Dewey shares some recent lessons.
Data breaches are big news. Only last week Cathay Pacific discovered that the personal data of 9.4 million passengers had been compromised. Earlier in the year, in August, British Airways (BA) discovered that the personal and financial details of customers making bookings and changes on ba.com and the airline’s app had been breached. Although BA was praised by security experts for its speedy response to the crisis, the incident continues to make headlines. Reports last week suggest that the cyber attack compromised more customers than initially thought.
Breaches like this are costly, and they throw into sharp relief the importance of having a comprehensive breach response plan.
Here are three important lessons and developments from recent months.
1. Act quickly: time is of the essence
The 72-hour window to report a breach to the Information Commissioner’s Office (ICO), if data subjects are at risk, can go in the blink of an eye, and getting things wrong can be hugely expensive. For businesses, it is crucial to understand where the gaps are and how to address the challenges when a crisis strikes. On this score, there is growing evidence to suggest that incident response teams are most effective if they know the business and have thoroughly tested a response plan.
- Run breach simulations, as a way to identify and remediate potential gaps
- Know who is going to say and do what, even down to the level of who should pull the power plug on the company’s live servers. This is much easier to work out during a desktop drill!
- Look at plans to engage law enforcement, insurance, legal (with careful use of legal privilege), IT forensics, staff, media, regulators, etc. The first 72 hours is not the right time to be negotiating terms of reference, contracts and the cost of support with a third party!
2. Understand the potential costs
The potential cost of security breaches is likely to increase considerably, and not just due to the notorious GDPR maximum fines. Both Morrisons and BA are potentially facing multi-million pound group action lawsuits, more often seen in the US through class actions!
That said, the ICO is itching to make use of its new enforcement powers too. Both Equifax and Facebook have been fined since May, for activities performed before GDPR came into play. Both companies were fined the maximum amount allowable under the older laws. However, at £0.5m, just 0.001% of Facebook’s revenue, this was still a slap on the wrist when compared to Tesco Bank’s recent fine. In stark contrast, Tesco Bank was fined £16.4 million by the FCA, after crooks attacked its systems to steal £2.3 million in 48 hours.
3. Ask questions and acquire nerves of steel
On our GDPR training courses, the questions being asked by participants have got a lot more complex since May. Those companies are now working to fully embed privacy by design and data protection obligations into their business-as-usual activities, for example by ensuring all staff are trained, and by maintaining records of processing, contracts, procedures and security.
However, it isn’t easy and several companies are receiving somewhat difficult ‘data subject requests’, especially where there is an underlying complaint or legal claim. Companies are also being increasingly threatened with legal action, even though their activities appear lawful. Holding one’s nerve, and the ability to have difficult internal and external conversations, are certainly emerging as important skills for data protection officers.
Of particular relevance to the travel industry is the confusion around international data transfers. The EU-US Privacy Shield has been challenged and Brexit shenanigans are certainly taxing. A lot of inconsistency is being seen across the EU, where local laws are still being agreed, and several countries are reporting an increase in breach notifications. Many companies are assuming a ‘no deal’ and that UK data protection will not be deemed adequate.
As it stands, the current position is such that EU Model Clause contracts may be required for many data transfers between the UK, EU and US in the next 12 months. Hopefully, sense will prevail as the political discussions advance.
Keith Dewey is a GDPR and cybersecurity whizz with expertise in both security and privacy. His views are his own.