Companies Must Consider Their Travel Providers’ Data Practices, or Risk Being Harmed

InfoLawGroup Counsel Andrew L. Hoffman contributed to this post. A recent article highlights the importance and the challenges of maintaining the confidentiality of corporate travel information.  Inappropriate disclosure of this type of data may significantly harm companies’ interests, including by compromising their ability to negotiate travel discounts, revealing sensitive details about business strategy, and potentially jeopardizing the physical security of employees.

Travel Providers’ Data Practices Questioned

According to the article, eSmash, a company responsible for handling billing and settlement for the International Air Transport Association (IATA) has been selling flight booking information about corporate travelers -- on a travel agency level -- to airlines, hotels and others.

eSmash claimed to be responsible for processing “more than 55 percent of all invoicing between travel agents and airlines for the IATA world,” which includes “the transmission of all payment instructions to clearing banks for secure and timely transfers from the travel agents to the airlines.”  eSmash also “host[s] the global IATA database BSPLink and provide[s] access to more than 50,000 air travel related actors."  eSmash processes an immense amount of information about companies’ travel behavior, which may include a company’s “total spend on every route, number of tickets on each route, spend and market share with [a customer] airline on each route, average fare on each route and average fare with the customer airline on each route.”  eSmash appears to have shared this data with airlines and hotels.

While that information pertained to bookings by a corporate travel agency rather than the corporate customers, the agency in the story serviced a single corporation.  As a result, the information also directly disclosed the client corporation’s corporate travel details.  Even at the travel agency level, however, such disclosures have the potential to significantly impact client corporations because the corporate customers to which the agency-level travel information pertains can be identified through further analysis of travel agency data.

eSmash’s data practices are not unique, although some of the  other data products, such as Amadeus Market Information (MIDT) and the IATA's controversial Passenger Intelligence Services (PaxIS) appear to be more widely known in the industry and are more closely watched.  The sale of corporate travel data by eSmash in Europe mirrors a practice that may be widespread in the U.S. corporate travel industry.  In the U.S., many of the providers of travel services to corporations take the position that they own the travel data and share the information via dashboards with hotels and other travel providers.  This data sharing gives rise to the risks discussed above, but the risks may be even greater in the U.S.  This is because U.S. companies are not limited by EU-style regulations and guidance that restrict disclosures of corporate travel data.  In the U.S., disclosures of corporate travel data likely involve more granular information than the data eSmash disclosed in Europe.  For example, travel services may disclose RFPs they received from each client corporation, details of the amounts clients agreed to pay for travel and other information.

Data Practices May Harm Corporate Travel Buyers

Disclosures of corporate travel information to third parties of the type discussed in the article pose a number of significant risks to client corporations.

First, the disclosures have the potential to increase corporate travel costs.  For example, the article explains that one airline raised its negotiated fares during a 12-month period as a result of obtaining data on its exact market share of a corporation’s travel budget and competitive fare pricing data on a route served by the airline and only one other carrier.  The article suggested that “by comparing the average fare spent on a route with the average fare spent with the customer airline,” the airline identified an opportunity to raise its negotiated fare and apparently took advantage of the opportunity.

Second, corporate travel data represents an attractive target because it can be mined and combined with other data to obtain details about corporate strategy, merger negotiations, or partnerships or relationships with other companies.  Indeed, big data is alive and well in the personal travel industry, and it does not take much of a leap of faith to reason that these types of analytics are being applied to corporate travel data.

Third, after corporate travel data is sold or disclosed, there are no guarantees that the recipients will take appropriate steps to secure the information.  It appears unlikely, for example, that the recipients would be bound by contractual requirements to secure the data.  Thus, the information may become vulnerable to access by the client corporation’s competitors or unauthorized individuals, entities or governments engaged in industrial espionage or other illegal behavior.  As the head of global travel for a large company reportedly stated, "[w]e don't know what kind of data [eSmash] [has], and we don't know how it's stored, what kind of security measures they have or how it's distributed."  Access to corporate travel data by bad actors also may undermine the physical security of personnel whose travel plans or travel patterns are exposed.  While this scenario may seem far-fetched, there isn’t a significant leap between the reported incidents of criminals using travel information that individuals share through social media to target vacant homes to sophisticated criminals using travel data to target company executives.

Addressing the Risks

Similar to the article’s assessment of European corporations, U.S. companies appear to have low awareness of their travel providers’ data practices. Decisions about retaining travel services are often made by purchasing organizations and do not involve information governance personnel or C-level executives.   Unaware of data confidentiality and security issues, purchasing organizations may be tempted, for example, to select travel services that offer the lowest acquisition cost, without investigating whether those travel providers’ data practices (on which they rely for additional revenue) may lead to higher travel costs, potential risks to corporate personnel, or exposure of company strategic information.

Addressing the potential risks posed by travel providers’ data practices requires companies to understand those risks and address data governance in the RFP and contract negotiation process with suppliers.  Companies should extend their information governance controls to detailed corporate travel information, develop their own requirements (including contract terms) for various types of corporate data and ensure that the travel supplier contracting process includes information governance personnel.  Travel providers should also do their part by striving for transparency and fairness in their data practices.