Rampant identity theft and credit card fraud have raised awareness that personal information must be protected. But if you think these issues are only your IT department's concern, think again. “The Sarbanes-Oxley Act has created a duty of care for anyone with access to data to take measures to keep it confidential,” says Joshua Grimes of Grimes Law Offices LLC, a Philadelphia law firm serving the meetings industry. “Under SOX, they have a responsibility to protect data, and that responsibility spreads to outside meeting planners and hotels.”
Failure to protect personal information can have serious repercussions, from fines and penalties levied by credit card companies, to lawsuits and legal fees, to lost trust and damaged reputations. To minimize risk and reduce liability, meeting professionals need high standards of due diligence. Grimes advises taking a “virtual walk-through” of your network to anticipate how data can get out and to make sure that you've taken all reasonable measures to protect it. Read on for the benchmarks to look for and questions to ask on that walk-through.
Confidential data is first exposed when attendees pre-register for your meeting. Online registration should be over an Internet connection using the Secure Sockets Layer encryption protocol. (The URLs for Web sites with an SSL connection begin with https instead of http.) The data should be stored in an encrypted, relational database behind a firewall to prevent unauthorized access.
Registration forms, housing lists, and other hard copies with confidential information should never be faxed or left in the open. “All of our staff who are involved with registration or credit card transactions have shredders at their desks,” says Kelly Fox, director of meetings and exhibits for the American Health Information Management Association, Chicago. (Fox has joined the Academy of General Dentistry since this article was researched.)
If you send your pre-registration database to suppliers for on-site registration, lead retrieval, or other communication services, don't use e-mail. Use a secure File Transfer Protocol site from which the file can be downloaded. “The most vulnerable point that planners aren't aware of is e-mail,” says Roger Lewis, vice president of sales and marketing for AllianceTech, Austin, Texas, technology solutions provider for meetings and events, including attendee relationship management. “There are points along the way where an unencrypted e-mail could be intercepted.”
When selecting suppliers, ask about their data security practices. Determine who should be authorized to access data — and how that access will be controlled. Be sure supplier contracts include language that makes it clear you own the data, and they may not share that data with third parties without permission.
Registration and housing contractors striving to achieve the highest security standards comply with Payment Card Industry Data Security Standard requirements. Ask vendors that store, process, or transmit credit card data if they comply with PCI standards.
“Going through these security measures doesn't guarantee that you're completely immune from a security breach, but it means that you've taken every reasonable step to meet the highest level possible,” says Brian Scott, chief information officer for Experient Inc. (formerly Conferon Global Services). Experient's registration business, (formerly ExpoExchange), has received PCI certification as a “Level 1 merchant” processing more than 6 million credit card transactions per year, and now undergoes quarterly security scans and annual on-site security assessments to verify compliance.
Your venue's network security protocols should provide an on-site environment that is as safe as your participants' everyday work environment. “Corporations spend money on data security within their own environment, but when they go off site, it's chaos or anarchy,” says Paul Sullivan, managing director of the enterprise conference solutions group for iBAHN, South Jordan, Utah, a technology solutions provider for meetings and conferences, and wired and wireless broadband services for hotels. “I would like to think that a meeting planner, whether for a corporate or industry event, would want the meeting to deliver the same level of security that the corporation would provide.”
Don't rely on public wireless Internet access for your participants. Access on an open network exposes them to possible data theft. Provide an SSID (service set identification) number that restricts access to event participants. For the highest level of security, ask for a Wi-Fi Protected Access-compliant network, which encrypts the data. To access it, each user needs a unique password.
Segregating the network into virtual local area networks (VLANs), and assigning priorities based on bandwidth needs, prevents data on one part of the network from being visible to other parts of the network. To access their corporate virtual private networks (VPNs), participants need individual public IP addresses, so provide enough to support your maximum number of simultaneous users.
Ask your network services provider about how the network is protected against denial of service attacks and other intrusions. There should be a network operations control center with intrusion detection and incident-response capabilities, and network servers should be in a locked room with restricted access.
“Systems that track and identify the Media Access Control address, which is a unique network card identifier, IP address, or personally identifiable credentials such as a credit card number, allow a person to be tracked down,” says Josh Friedman, co-founder and vice president of marketing for Portland, Ore. — based Eleven Wireless, providing network management software and services to hotels and convention centers. “This needs to be balanced with the privacy of guests.”
If you have complex networking needs, bring IT support or contract with a reliable on-site provider. “We bring one person from IS [Information Systems] to work with us on site,” says Cheryl Russell, CAE, director of convention and meetings for the American Speech-Language-Hearing Association, Rockville, Md. “I see my responsibility as working with our team in IS and accounting to make sure that all these requirements are in place.”
Determine what exhibitors' security requirements are before the meeting to strike a balance between ease of access, security, and cost. In the exhibit hall — where viruses and worms can spread like wildfire, suck up bandwidth, and crash the network — require computers connecting to the network to have up-to-date virus protection and security patches.
“We talk to those who administer the networks about their proxies and firewalls,” says Robert Richardson, editorial director for the Manhasset, N.Y. — based Computer Security Institute, whose annual conference includes about 200 exhibiting companies. “Our exhibitors are all security folks, so the odds that they have up-to-date virus scanners are reasonably good. But it's a building full of people who know how computers are protected and where they're weak. If someone wanted to go after the network, they'd be better prepared than most.”
When multiple vendors use a network, one vendor could launch a denial-of-service attack that renders a competitor helpless. “It's common to assume that the security threat will come from outside the network, but it's more likely to come from inside the network,” says David Langford, vice president of technology for Smart City Networks, Las Vegas, communications technology provider for convention centers and hospitality venues. “We have intrusion detection, firewalls, and Layer 1 [physical] and Layer 2 [electronic] security. We implement configurations on routers and switches that are Layer 2 service attack mitigation technology, and we implement VLANs.”
Data security doesn't end with the meeting. Be sure suppliers who had access to confidential information return that data within a reasonable time. When you no longer need confidential information, erase it completely. “Scrubbing” the storage medium, such as a hard drive, renders the data meaningless. “Wiping” it erases everything on the drive.These procedures may seem extreme if you're not accustomed to thinking about data security on a daily basis. But it's time you do.
“The hospitality industry is finally keeping in compliance with data security and privacy. They're doing it as much out of fear as the goodness of their hearts,” says Jay Ramadorai, senior vice president and chief technology officer for Passkey, Quincy, Mass., a company that provides Web-based applications for housing management and reservation processing. “That means vendors and partners who work with hotels need to prepare for a higher level of security and data handling in their own organizations.”
During routine maintenance on January 13, 2006, computer engineers at University Place Conference Center and Hotel in Indianapolis found a virus program commonly used by intruders. They immediately removed the reservation system from the network and initiated a forensic investigation.
On January 20, despite no evidence that data had been compromised, the hotel notified roughly 7,600 guests whose names, addresses, and credit card numbers were exposed that they'd had a security breach — at least 70 percent of those guests had been event attendees.
“The letter came from me, with my direct phone line,” says Tom Cappucci, general manager of the property, which is part of Indiana University — Purdue University Indianapolis. “The majority of people who called thanked me for telling them.” He answered their questions, then posted FAQs on a Web site.
After the attack, the university information technology department completely erased and rebuilt the server, installed upgraded reservation system software, and put a firewall between the database and network. The new software encrypts credit card numbers upon entry and displays only the last four digits.
“What we learned through this process is to communicate with customers as quickly as possible,” Cappucci says. “The guests understand that these things happen, but they just want to know about it. It's important for the integrity of the facility to communicate openly. That open communication helps build trust.”