Data Privacy and Information Security
Data protection and privacy practices are key components of our customers’ experience. Our goal is to collect and process only necessary personal data. We utilize physical, electronic and managerial safeguards to protect all information.
We regularly review safeguards to protect against unauthorized access, improper use and disclosure of customer information and to maintain the accuracy and integrity of that data. We aim to communicate with customers promptly in case of a policy change or data breach. If an incident occurs, we assist those who may have been impacted by deploying our cybersecurity corporate business continuity plan, which is tested regularly to ensure its effectiveness. To maintain strict data security, Delta follows the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which emphasizes identification, protection, detection, response and recovery. We expect all Delta employees to adhere to information security and privacy policies as they handle corporate and customer information in their daily jobs. Our Information Security team is trained to remediate vulnerabilities identified within established timeframes and reports to management on a weekly basis regarding the security risk posture of our information technology assets.
Enterprise-wide training is a vital component of reducing risk and promoting a secure brand that is serious about protecting customers, employees and company information. We require all employees and contractors with access to Delta’s information to complete annual training, which is updated as new technology, security and privacy issues emerge. All new hires are required to complete training within 30 days of hire. We regularly assess our information security program capabilities and tools to improve reliability, enhance capabilities and scan our environment for vulnerabilities and weaknesses.
Our Information Security Awareness program also includes an expert speaker series along with awareness and engagement events. We also participate in National Cybersecurity Awareness Month in October and Data Privacy Day in January.
Awareness campaigns throughout the year focus on hot topics such as phishing, anti-tampering, data classification, password protection and ensuring a secure workspace.
We have established a dedicated Information Technology (IT) Risk team tasked with ensuring that risk remediation activities are carried out consistently and that risk remediation controls are operating as intended and within established thresholds.
At the Board level, the Audit Committee reviews cybersecurity risks and the security and operations of our information technology systems. All U.S. air carriers are subject to laws regarding the privacy and security of customer and employee data that vary between the countries in which we operate. We continue to update our processes to adhere to domestic and international privacy and data protection laws and regulations.