Recent news stories concerning the theft of laptop computers on which so-called personally identifiable information about individuals was stored raises the issue of what meeting planners do to protect the information they gather about meeting attendees. (See article, page 17, in this issue.)
Planners generally don't collect social security numbers from attendees, but they routinely gather credit card information when allowing attendees to register for meetings on Web sites. Many planners maintain databases that contain addresses, telephone contact information, and e-mail addresses, which, if obtained by identity thieves, could lead to the discovery of even more sensitive information. Such information is often referred to as “personally identifiable information.”
The sharing of attendee data with exhibitors and other third parties, such as registration vendors and hotels, presents another opportunity for theft of personally identifiable information. In most organizations, the meeting planning function is separate from the data management function, so planners should consult with webmasters and database maintenance operators to be sure that appropriate practices have been instituted. Such practices can include limitations on access to data, encryption of stored data, and similar security procedures.
Planners and their organizations should also consider adopting a privacy policy, which should be made clear to attendees and others who use the Internet to register for meetings. Such a policy should indicate, at a minimum, what the organization plans to do with the data it collects. For example, does it share information with third parties, such as meeting exhibitors? Or does it not share any data? Many such policies give the individual attendee the ability to “opt out” of such data sharing.
One state, California, has gone so far as to adopt an Online Privacy Protection Act, which requires organizations collecting data from California residents via the Internet to conspicuously post their privacy policies. Although the California law is applicable only to information collected for nonbusiness reasons, the law's principles provide good guidance for organizations using the Internet to collect data for business meetings.
As indicated, planners should be sure that any stored data is saved only in an encrypted form to deter computer hackers who might break into a database. Think about whether it is necessary to maintain particularly sensitive information, such as credit card numbers, longer than is absolutely necessary. For instance, there may be no need to maintain credit card data after the individual's bank has transferred funds. If such information has to be transferred to laptop computers — for use on-site at a meeting, for example — take care to safeguard the laptop, as well as to protect the stored data through encryption and password protection. Planners should carefully consider whether it is absolutely necessary to store the data on a laptop in the first place.
Personally identifiable information about meeting attendees sometimes has to be shared with hotels in order to perform a rooms audit to be sure that the group gets credit for all rooms used by its attendees, including those booked outside of the contracted room block. Any time such data is provided to a hotel, it should be done pursuant to a confidentiality agreement (which can be stated in the underlying meeting agreement), or steps should be taken to ensure that the data is returned to the planner after the rooms reconciliation is performed by the hotel.
Many planners use outside vendors to process meeting registrations. Contracts with those vendors and any others who either collect or receive attendee data should include strong confidentiality provisions, the requirement that the planner be informed of any data security breach, and indemnification of the planner in the event attendee data is misused.
Interest in unauthorized use of individual data prompted one major national hotel chain, in adopting a new standard contract last year, to include a provision in which the planner pledges that he or she has the appropriate authorization to transfer personally identifiable information to the hotel, and specifically authorizing the hotel to use such information for virtually any purpose, including the further sharing of the information with any third party. The provision states that the planner's organization agrees to indemnify and hold the hotel harmless from any liability relating to the disclosure of the attendees' individual information. Needless to say, many planners and their attorneys have vigorously opposed such a provision in a meeting contract and have argued for its total elimination in meeting contracts.
James M. Goldberg is a principal in the Washington, D.C., law firm of Goldberg & Associates, PLLC. He is the author of The Meeting Planner's Legal Handbook.
For more articles on legal meetings issues, click here.