Recent News Stories about the theft of laptop computers on which so-called personally identifiable information about individuals was stored raise the issue of what meeting planners do to protect the information they gather about meeting attendees. Planners generally don't collect social security numbers from attendees, but they routinely take other personally identifiable information such as credit card information when allowing attendees to register for meetings on Web sites. Many planners maintain databases that contain addresses, telephone contact information, and e-mail addresses, which, if obtained by identity thieves, could lead to the discovery of even more sensitive information.

Sharing attendee data with third parties, such as registration vendors and hotels, presents another opportunity for information theft. In most companies, the meeting planning function is separate from the data management function, so planners should consult with webmasters and database maintenance operators to be sure that appropriate practices have been instituted. Such practices can include limitations on access to data, encryption of stored data, and similar security procedures.

Hone a Policy

Planners and their organizations should also consider adopting a privacy policy, which should be made clear to those who use the Internet to register for meetings. The policy should indicate, at a minimum, what the company plans to do with the data it collects. For example, as is mentioned above, does it share information with third parties? Many policies give the individual attendee the ability to “opt out” of such data sharing.

One state, California, has gone so far as to adopt an Online Privacy Protection Act, requiring organizations collecting data from California residents via the Internet to conspicuously post their privacy policies. Although the California law is applicable only to information collected for nonbusiness reasons, the law's principles provide good guidance for companies using the Internet to collect data for business meetings.

Planners should be sure that any stored data is saved in an encrypted form to deter computer hackers who might break into a database. Think about how long it is necessary to maintain particularly sensitive information, such as credit card numbers. There may be no need to keep credit card data after the individual's bank has transferred funds. If such information has to be transferred to laptop computers — for use on-site at a meeting, for example — take care to safeguard the laptop, as well as to protect the stored data through encryption and password protection. Planners should carefully consider whether it is absolutely necessary to store the data on a laptop in the first place.

What About Hotels and Vendors?

Personally identifiable information about meeting attendees sometimes has to be shared with hotels in order to perform a rooms audit to be sure that the group gets credit for all rooms used by its attendees, including those booked outside of the contracted room block. Any time such data is provided to a hotel, it should be done pursuant to a confidentiality agreement (which can be stated in the underlying meeting agreement), or steps should be taken to ensure that the data is returned to the planner after the rooms reconciliation is performed by the hotel.

Some planners use outside vendors to process meeting registrations. Contracts with those vendors and any others who either collect or receive attendee data should include strong confidentiality provisions, the requirement that the planner be informed of any data security breach, and indemnification of the planner in the event attendee data is misused.

Interest in unauthorized use of individual data prompted one major national hotel chain, in adopting a new standard contract last year, to include a provision in which the planner pledges that he or she has the appropriate authorization to transfer personally identifiable information to the hotel, and specifically authorizing the hotel to use such information for virtually any purpose, including the further sharing of the information with any third party. The provision states that the planner's organization agrees to indemnify and hold the hotel harmless from any liability relating to the disclosure of the attendees' individual information. Needless to say, many planners and their attorneys have vigorously opposed such a provision and have argued for its total elimination in a meeting contract.

James M. Goldberg is a principal in the Washington, D.C., law firm of Goldberg & Associates, PLLC. He is the author of The Meeting Planner's Legal Handbook.