By Chunnie Wright, AdventureEDU Educator and Owner, Law Office of Chun T. Wright. This is a re-post from the blog of Chun T. Wright Law Office, and is published here with permission.
Sony Pictures. Target. U.S. Government websites. You’ve seen it all over the news: hackers gain access to the private and confidential data stored on the servers of these major entities, and serious chaos ensues. Sony’s employees brought a class action suit against the company, alleging that 47,000 social security numbers, employment files (including salaries, medical information, and much more) had been leaked to the public and “may even be in the hands of criminals.”
The U.S. government recently warned that cyber breaches are skyrocketing and that this is only the beginning. You might think you’re not in the sights of a cyber criminal looking for high profile corporations, but as a recent incident with an Australian travel insurer shows, the data that you keep on your clients can be a very tempting target. In the Australian incident, cyber thieves hacked the company’s computers and database and posted customer data online. Commenting on the vulnerability of the travel industry, one cyber security expert stated that “just like an animal in the wild, they target the weakest in the herd,” and that’s often smaller businesses that may not realize they are at risk for having their customers’ personal information stolen and fail to use secure connections for online transactions. See this article for more insight.
The purpose of this post is not to make you panic, close down shop, and buy a one-way ticket to a beach or mountain bungalow for the simple life (however tempting that might sound). Rather, it serves as a reminder that cyber mischief will always be a risk in a connected world and that good business practices can prevent and mitigate the damages of any breach. With this in mind, companies in the adventure tourism sector should have a plan of action to strengthen the security of their data and to promptly deal with the fallout of any attack.
Here are some things to consider when creating your cyber security plan:
- Software: Stay ahead of the latest trends in cybercrime and software solutions to prevent it. Make the investment in a proven and reliable program.
- Limit Collection of Sensitive Data: Collect and store only the information that you absolutely need and nothing more. Some companies accept credit card payments through a third party so that they never receive the credit card information in the first place.
- Obtain a Cybersecurity Insurance Policy: Cybersecurity insurance is very important to have as part of a risk mitigation plan. Dealing with security breaches can be very expensive and complex. While cybersecurity insurance will not cover all expenses associated with a breach, a good policy will cover enough to make it worthwhile. In reviewing the policy, be sure to examine the inclusions and exclusions, as well as any contingencies for coverage. Make sure it covers: a) first party and third party losses (i.e., losses to you and to third parties such as customers); b) unencrypted data (unless all of the sensitive data is encrypted); and c) regulatory actions, corporate information and customer information. Check whether it has geographical restrictions if data is stored outside the U.S., and whether the costs of notifying the customer and providing credit counseling and identity theft protection are covered. You will also want to look into the exclusions and contingencies. For instance, does the policy require that you take reasonable computer security steps? If so, you’ll need to be vigilant about installing security patches/software updates and releases.
- Educate/train your clients: Communicate with them about cybercrime and what your company is doing to prevent it; if they have online accounts with you, you can take steps such as training them to use strong passwords and warning them about spam/phishing emails and suspicious links.
- Audit your vendors, partners and service providers: Ask them about their security protocols, especially when you are required to give them confidential client information.
- Communications plan: In case of an attack, be prepared to promptly inform and reassure your clients of the details, what’s being done, and what they need to do immediately to protect themselves. You’ll also want to advise your insurer and lawyer.