Many organizations now view itinerary tracking as an absolute necessity for travel
risk management, but in keeping their personnel safe, are companies opening themselves
up to potential data security risks? In passing the General Data Protection Regulation
in May, the EU shone a light on responsible data handling and on the forthcoming
penalties for organizations that don't comply with the rules within the next 12 months.
With that, a number of high-profile data hacks over the last 12 months, and even U.K.
travel association ABTA itself falling foul of a cyberattack in March, data security
and the individual's right to privacy have also risen on travel management agendas.
Of course, travelers themselves play an important role in protecting both personal and corporate data,
but companies and their suppliers must look closer to home to ensure data security,
the right to privacy and adherence to the confidentiality, integrity and availability
triad—or CIA—particularly when handling data for travel risk management.
Adding Risk to TRM Integration
To keep their people safe, companies need to be able to obtain and track the travel itineraries of their
personnel. But companies also need to ensure that tracking systems do not add unnecessary
privacy or security risks to the data supply chain. Consider these questions:
- Where is the passenger name record data
coming from?
- Who owns this data, and could they use
it for other purposes?
- Is the data transferring through other
third parties or countries?
- What legal jurisdictions apply?
- If there were a data breach, how and when
would you be notified and who would take ownership of the resolution?
Impact of Aggregators
TRM firms collect their clients' PNR data either by setting up direct connections
with global distribution systems (GDSs) or by using the services of third-party data
aggregators. The aggregator route is cheaper, thanks to economies of scale, though
it comes with additional risks:
- A Numbers Game—An aggregator represents an additional link in the data supply chain. The
longer the chain, the weaker it becomes. As a general rule, the fewer attack surfaces
you have, the more robust your data security.
- Who's in Control?—An aggregator in the supply chain means a third party is receiving personally
identifiable data. That third party could store it on servers in various locations,
introducing data residency and legal jurisdiction issues. Although official ownership
of the data always sits with the original company, as does the ultimate liability,
every addition to the supply chain reduces the company's direct control over its
data.
- Data Integrity—Data segregation is a critical requirement for security within the
sociotechnical system. Even if a TRM firm gives assurances that it provides each of
its clients its own dedicated database to enable truly segregated data and prevent
data leakage between clients, can the firm provide the same assurances about any
aggregators it uses?
- Recovery—GDSs can recover from a disaster more quickly than an aggregator can. U.S.
government surveillance agencies use metadata within the PNRs on GDSs to help protect
U.S. borders, allowing them to identify suspects, enforce no-fly policies and establish
travel patterns. Because of this, GDSs are secure. Should the unlikely happen,
they have extremely robust processes in place to ensure confidentiality, integrity
and availability, far surpassing anything an aggregator could provide.
Any company implementing TRM should review its own data risk appetite and ask all potential providers serious
questions about processes, data sources and the data supply chain risk-mitigation
measures they have in place before contracting for services.