5 Data Security Questions to Ask Your Business Travel Manager
By Jenn Roberts
Travel Management Companies need personal data to book your travel — do you know how they’re protecting it?
Information security is an essential component of any software product. But it is especially critical when that software requires the submission of sensitive information, such as credit card information, social security number, and passport information, among other pieces of personal data. Whenever you hand this data over to a third party, you’re putting a lot of trust into their hands.
Therefore, it’s important to make sure you know the answers to some fundamental questions: Do you know where your data is stored? What about the security precautions your vendor has in place? And how long do they hold onto your data for?
These questions are especially relevant to corporate travel management platforms, which, by their very nature, involve the storage of personal information.
When working with a corporate travel management company, you give that third party access to each of your traveling employees’ personal data and travel information, including flight schedule, hotel location, and passport number. You have the right to know just how that data is protected.
So, do you understand how your personal information is secured by your corporate travel manager? If not, here are 5 questions to ask before moving forward with a new travel management company.
1. Where is the sensitive data stored?
Where in the world is your data? The geographic location of your data is actually really important to know. Different places have different data breach and privacy laws, so you want to make sure you know where in the world your data is stored and the specific laws of that jurisdiction. In the United States and worldwide, stronger requirements for secure storage are also coming into place based on where the person being protected resides. For example, the required protections will soon increase for those living in California. Know what rights your employees have and push for these protections.
2. What level of protection/encryption is in place?
Different kinds of data require different levels of protection. And different vendors will likely have different security processes. For example, companies working with credit cards need to be PCI compliant. Ask your travel manager about their security procedures, and make sure that they line up with your company’s data security needs.
3. Who has access to my information?
It’s easy to plug in a credit card number without thinking twice about where it goes, but one experience with compromised data will make you pause before clicking submit. When working with a corporate travel management company, you should know exactly who has access to sensitive information and why. Access to data should only be permitted for necessary business operations and should be limited to as few people as possible.
Make sure to also ask how long your data is stored in the system. Your data is vulnerable as long as it is stored by a third-party vendor, so you want to make sure they hold onto it for as little time as necessary. What happens if you stop working with a vendor? Make sure the process of leaving a vendor is understood before you sign a contract.
4. How often are security practices updated?
Does your vendor frequently update their data protection software? Updates are frequently available (antivirus and patch updates, for example), so you want to ensure that whoever stores your data has the most up-to-date data protection in place. There are also many good monitoring systems, such as IDS, that keep a constant eye on secure environments and recommend updates as needed. Check with your vendor to see if one of these is in place. For companies with certifications like ISO 27001 or SOC 2, ask for updated documentation once a year to ensure all standards are being upheld.
Any updates to privacy policies are also important to be aware of. Make sure to double-check that anyone with access to your data has strong policies in place and that the policies correspond with the regions in which your employees reside.
5. Is there an action plan in place in case of a data breach?
Despite the best-laid plans, data breaches can still happen, which is why a reaction plan is always necessary. You need to know what action plans your vendor has in place in case a breach ever occurs. Ask how they communicate with clients in the event of a data breach to notify them of possible security vulnerabilities. Lean on them a bit to make sure they have a plan in place to work with you through any security incidents.
These steps and questions may feel tedious, but maintaining secure data protection for your corporate travelers is essential for their safety. It is better to go the extra mile to prevent data from being compromised rather than having to figure out how to deal with a breach after the fact.
Want to learn more about how Lola.com handles personal information? Check out our detailed security page.