LET’S NOT GO VIRAL!

One of the increasing risks facing all businesses is cyber-crime. Computers now sit at the centre of almost every commercial activity, enabling consumers to find what they want quickly, pay for it, and have it delivered next day or even same day. The holiday industry is no different. Consumers search for destinations, read reviews, compare prices and then book and pay online.

Computers and the internet are intrinsic to 21st century trading. As an insurance professional, one of the most challenging products to sell to a customer has been Cyber Insurance. Ten years ago, when the cover was relatively inexpensive, we couldn’t give it away — there was absolutely no interest. Fast forward to today and the environment has changed dramatically.

Cyber-crime frequently hits the headlines and claims are rising. Major companies such as Marks & Spencer, the Co-op and Jaguar Land Rover have all been affected. Even government departments have suffered from cyber-attacks.

These attacks can lead to serious business interruption, significant costs in identifying and removing malware and further investment in security to prevent recurrence. On top of this, businesses may have to face ransom demands to regain control of their systems and, if found to have inadequate security, fines imposed by the Information Commissioner’s Office (ICO).

WHAT HAS ALL THIS GOT TO DO WITH HOLIDAY PARKS?
Cyber-crime is on the rise, and in the online world no one is immune. It is easy to assume that only large companies are targeted because those incidents make the news - but they are just the tip of the iceberg.

Small businesses are frequently targeted due to:
• Perceived Vulnerability: Attackers often see SMBs as easier targets with weaker security.
• Data Value: Even small businesses hold valuable customer data useful for identity theft and fraud.
• Supply Chain Access: Small businesses can be used as entry points into larger digital supply chains.

Holiday parks typically operate websites, booking systems, computerised accounts and billing. It’s surprising how much customer data is held, and if you hold customer data, you are responsible for protecting it.

SO, WHAT ARE THE MAIN RISKS?
• Financial Costs: Direct losses from theft, ransom payments, recovery costs (IT forensics, data restoration), legal fees, and potential fines.
• Operational Disruption: Ransomware and other attacks can halt business operations for days, leading to lost income and productivity.
• Reputational Damage: A data breach can undermine years of trust and goodwill.
• Data Loss: Compromise of sensitive customer and business data, including intellectual property.
• Business Failure: A significant number of small businesses never recover from major cyber-attacks.

WHAT EXACTLY ARE CYBER-ATTACKS OR CYBER-CRIME?
• Phishing: Fake emails tricking employees into revealing credentials or installing malware.
• SQL injection: An SQL injection happens when a cyber-criminal inserts harmful database (SQL) code into the input of a webpage or application to access the data behind it.
• Malware/Ransomware: Malicious software that encrypts files and demands payment for their release.
• Denial-of-Service attacks (DoS): Flooding a system with traffic to make it unusable.
• Man-in-the-Middle attacks: During a man-in-the-middle cyber-attack, a cyber-criminal will intercept conversations, transactions, and the transfer of data between the victim and a service they’re trying to use.
• Social Engineering: Manipulating people through fake emails, calls, or messages to gain access.

WHAT COVER IS AVAILABLE?
There are many providers of Cyber Crime or Cyber Liability cover, which keeps the market competitive. Most will offer comprehensive cover including:
• Data breach
• Security failure
• Illegal threat
• Cyber attack

The precise scope of cover will depend on the insurer and the policy wording. If a cyber-attack strikes, policies may also help with:
• Additional business expenses
• Data recovery costs
• Public relations costs

The consequences of cyber-crime are serious for both the business and its customers. The ICO can impose fines of up to £17.5 million or 4% of a firm’s annual global turnover, whichever is higher. British Airways were fined £20M for a data breach and Marriott Hotels £18.4M. The ICO has teeth and isn’t afraid to use them!

Compass Insurance
0344 274 0276
compassparks.co.uk

Compliance Countdown


Permission must be sought from the customer for each and every purpose for which a business intends to use that data.


Since the 1980s, the rise of the Internet, combined with widespread technological advancements, has led to a massive increase in the amount of data being stored, processed and transmitted between businesses. Essentially, this means that the Data Protection Act is no longer fit for purpose, nor does it provide adequate protection for people (‘data subjects’).

The corresponding surge in cybercrime and the ever-increasing value of an individual’s personal data for marketing use have led to data protection becoming a major hot topic in the legal and business world. Following four years of high-profile negotiations, the General Data Protection Regulation (GDPR) was adopted by the European Union at the end of April 2016.

TICKING CLOCK

Park owners and operators can really set themselves apart by showing prospective customers how aware they are of the need to protect their information.


With a two-year bedding-in period, the regulation will automatically become law in all EU member states in May 2018, by which time businesses will need to comply with the new rules. When it comes into force, the GDPR will supersede both the UK Data Protection Act 1998 and the EU Data Protection Directive of 1995.

The clock is ticking towards May 2018 regardless of the UK’s decision to exit the EU. At the time of writing, the UK has still not given notice under article 50 of the Treaty on the European Union. This means the GDPR will automatically become UK law before the end of the subsequent two-year negotiation period regarding the UK’s EU withdrawal. According to experts, the GDPR is likely to remain in place afterwards, since it also provides a desperately needed and timely improvement on existing data protection law.

“It is critically important that businesses start preparing now for the GDPR as everyone will need to use that lead-in period up to 2018 to properly prepare their business for compliance,” comments Jowanna Conboye, Solicitor specialising in Intellectual Property and Information Technology at Stephens Scown in Cornwall.

“Park owners and operators can really set themselves apart by showing prospective customers how aware they are of the need to protect their information. The advent of the GDPR represents a great opportunity for businesses of all kinds to get their house in order.”

“These new rules send out a clear message that every business must take data protection extremely seriously,” says Jowanna. “The data protection rules cover all aspects of data – relating to both customers and employees – and the use that companies make of personal details to build up customer profiles. Privacy and security have become critical issues,” explains Jowanna.

CLEAR RESPONSIBILITIES
“It’s not just your own company’s website and systems that need to be secure – it has to reach along the chain to any partner businesses, such as website hosting companies and payment processors. Companies need to review all of these arrangements and ensure that the contracts they have in place with partner businesses are robust and that responsibilities and liabilities are clear.”

Despite the transition period of the next two years, it’s crucial that park owners and operators, and their related businesses, start preparing now for the enhanced legislation to ensure they are not caught short when the rules come into force. Ideally, businesses should conduct a full Data Protection Audit of their processes and systems.
