From the time a member of the Chicago-based American Health Information Management Association pre-registers for the annual meeting to the time the registration database is disposed of seven years later, not even an e-mail address is shared without that member's explicit permission. Members have password-protected access to their profiles and control what information is saved and shared.
“It's my responsibility to make sure we're not transferring confidential information to anyone,” says Kelly Fox, director of meetings and exhibits. (After this interview, Fox joined the Academy of General Dentistry as associate executive director of member programs.) When AHIMA works with suppliers, “we contractually tell them they can't share any member information in any way without our prior approval.”
Fox has taken a proactive approach to a growing problem — how to protect attendees' personal information. If Jane Doe registers online for your meeting, and she provides an e-mail address to receive updates, will she also receive solicitations from the hotel to join a frequent-guest program? Does she know the credit card number she supplied to reserve her room could end up on a rooming list fax? And would she be concerned to learn that her private information is still filed in a box five years later?
Lax practices can cause an attendee's personal information to be used in unexpected ways or, worse, be exposed to theft. In the meetings and hospitality industry, data passes like a hot potato from meeting planner to registration contractor to housing bureau to hotelier.
Since California enacted the first Online Privacy Protection Act in 2003, more than a dozen bills have been introduced in Congress that would supersede existing state laws. Soon, online privacy protection may be a federal mandate.
To protect the privacy of your meeting participants, you need to understand what is meant by personal information. The California Online Privacy Protection Act defines “personally identifiable information” (PII) as including first and last name, physical address with city and street, e-mail address, phone number, social security number, or any other identifier that permits a person to be contacted in person or online — such as credit card number and driver's license number.
If you collect any of this information from your attendees, then you must protect it. TRUSTe, an independent nonprofit organization dedicated to online privacy protection, recommends sketching a personal information flow chart to determine who comes into contact with the data, how it's shared outside your organization, how it is stored, and how it is archived or destroyed. Then you can be sure you have data-handling policies in place to keep that information safe.
But privacy policies and internal practices are not enough to reduce your exposure to risk. When you select suppliers, ask about their data security practices. Determine who should be authorized to access the data and how that access will be controlled. Be sure supplier contracts include language that clarifies that you own the data, and that it may not be shared with third parties without your permission.
“Data collected about attendees ought to be treated as confidential information,” says Jim Goldberg of Goldberg & Associates PLLC, a Washington, D.C., law firm serving associations and non-profits. “I put in a confidentiality clause that says [that] anything we give you belongs to us, is confidential, and you can't use it for any purpose other than the purpose for which we're giving it to you. When the contract is over, you have to give us the data back.”
If the contract is with Starwood Hotels and Resorts, that clause may not fly. As Dave Scypinski, Starwood's senior vice president of industry relations in Washington, D.C., explains, confidentiality clauses are too broad because they don't distinguish confidential information, like e-mail addresses, from nonconfidential information, like room setup plans. The solution: If it's confidential, don't share it.
“We want the minimum amount of information we need to do our jobs,” Scypinski says. “We don't need a rooming list with addresses, credit card numbers, and phone numbers. We would rather not have that because we become responsible for it.” If a meeting planner does pass along such information, there's a clause to cover it. Starwood's group booking contract, he says, states: “To the extent that planners give us personally identifiable information, then they represent that they have the right to do that.”
This “content clause” covers anything a customer gives the hotel to promote and manage the meeting. As explained by Scypinski, it's intended to ensure that logos, music, photos, and other information are owned by the group and may be used by the hotel.
“Our clause says the information the group provides to the hotel is free and clear, and they have the rights and permissions to use that information,” Scypinski says. “The clause grants the right to use data for any lawful purpose, such as setting up registration.” Once an attendee checks in, the hotel then has the right to use their PII for business-related purposes such as marketing to Starwood preferred guests. Contrary to popular belief, “We don't sell that information or give it to someone for marketing purposes outside the hotel,” he says.
Planners should review supplier contracts for clauses that expose their organization to risk should PII be compromised. As Goldberg points out, the Starwood contract also includes an indemnification clause, stating the group will hold the hotel harmless for any claims that arise from the use of that information. If you're uncomfortable with that, he advises, “My first preference is to take out the whole provision. The next step would be to delete the indemnification part. An alternative is to modify it to say you can't share the data unless it's covered under a confidentiality agreement.”
Planners also need to take steps to protect the security of their computer networks. Rampant identity theft and credit card fraud have raised awareness that personal information must be protected. But as fast as changing technology provides new ways to share data — from secure wireless networks to voice-over-Internet cell phones — hackers devise new ways to gain unauthorized access. If you think these issues are only your IT department's concern, think again.
“The Sarbanes-Oxley Act has created a duty of care for anyone with access to data to take measures to keep it confidential,” says Joshua Grimes of Grimes Law Offices LLC, a Philadelphia law firm serving hospitality professionals and associations. “Under SOX, they have a responsibility to protect data, and that responsibility spreads to outside meeting planners and hotels.”
To minimize risk and reduce liability, meeting professionals need high standards of due diligence. Grimes advises taking a “virtual walk-through” of your network to anticipate how data can get out and to make sure that you've taken all reasonable measures to protect it.
Confidential data is first exposed when attendees pre-register for your meeting. Online registration should be over an Internet connection using the Secure Sockets Layer (SSL) encryption protocol. (The URLs for Web sites with an SSL connection begin with https instead of http.) The data should be stored in an encrypted, relational database behind a firewall to prevent unauthorized access.
Registration forms, housing lists, and other hard copies with confidential information should never be faxed or left in the open. “All of our staff who are involved with registration or credit card transactions have shredders at their desks,” says Fox.
If you send your pre-registration database to suppliers for on-site registration, lead retrieval, or other communication services, don't use e-mail. Use a secure File Transfer Protocol (FTP) site where the file can be downloaded.
“The most vulnerable point that planners aren't aware of is e-mail,” says Roger Lewis, vice president of sales and marketing for AllianceTech, Austin, Texas, technology solutions provider for meetings and events, including attendee relationship management. “There are points along the way where an unencrypted e-mail could be intercepted.”
Registration and housing contractors striving to achieve the highest security standards comply with Payment Card Industry Data Security Standard requirements. Ask vendors that store, process, or transmit credit card data if they comply with PCI standards.
“Going through these security measures doesn't guarantee that you're completely immune from a security breach, but it means that you've taken every reasonable step to meet the highest level possible,” says Brian Scott, chief information officer for Conferon Global Services, Frederick, Md. Conferon's registration business, ExpoExchange, recently received PCI certification as a “Level 1 Merchant” processing more than 6 million credit card transactions per year, and now undergoes quarterly security scans and annual on-site security assessments to verify compliance.
Your venue's network security protocols should provide an on-site environment that is as safe as your participants' everyday work environment. If you have complex networking needs, bring IT support or contract with a reliable on-site provider to ensure the network is secure.
“We bring one person from IS [Information Systems] to work with us on site,” says Cheryl Russell, CAE, director of convention and meetings for the American Speech-Language-Hearing Association, Rockville, Md. “I see my responsibility as working with our team in IS and accounting to make sure that all these requirements are in place.”
Find out what exhibitors' security requirements are before the meeting to strike a balance between ease of access, security, and cost. In the exhibit hall, where viruses and worms can spread like wildfire, suck up bandwidth, and crash the network, require computers connecting to the network to have up-to-date virus protection and security patches.
When multiple vendors use a network, one vendor could launch a denial of service attack that renders a competitor helpless. “It's common to assume that the security threat will come from outside the network, but it's more likely to come from inside the network,” says David Langford, vice president of technology for Smart City Networks, Las Vegas, communications technology provider for convention centers and hospitality venues. “We have intrusion detection, firewalls, and Layer 1 [physical] and Layer 2 [electronic] security.” The company also configures routers and switches to mitigate electronic attacks, and sets up VLANs [virtual local area networks] as another security measure to help protect exhibitors.
After Your Meeting
The need for data security doesn't end with the meeting. After registration and attendance have been reconciled, and room-block pickup has been confirmed, collect the data from third parties and save only the information you need to plan future meetings. Archived information should be stored in a safe place, preferably off site.
When you no longer need confidential information, erase it completely. “Scrubbing” the storage medium, such as a hard drive, renders the data meaningless. “Wiping” it erases everything on the drive. These procedures may seem extreme if you're not accustomed to thinking about data security on a daily basis. But it's time you do.
“The hospitality industry is finally keeping in compliance with data security and privacy. They're doing it as much out of fear as the goodness of their hearts,” says Jay Ramadorai, senior vice president and chief technology officer for Passkey, Quincy, Mass., an online solution for group reservation management and distribution. “That means vendors and partners who work with hotels need to prepare for a higher level of security and data handling in their own organizations.”
Disclose what personal information is collected and how it's used.
Allow people to choose how their information is used.
Give people access to the information once they've disclosed it.
Secure personal information so that it stays private.
Enable people to resolve any problems that arise.