The Meeting Network

If confidential data resides on an on-site meeting network or in a registration database, it's the planner's responsibility to protect it. Here are security best practices from a technical perspective.

Rampant Identity Theft and credit card fraud have raised awareness that personal information must be protected. But as fast as changing technology provides new ways to share data — from secure wireless networks to voice-over-Internet cell phones — hackers devise new ways to gain unauthorized access. If you think these issues are a concern only for your IT department, think again.

“The Sarbanes-Oxley Act has created a duty of care for anyone with access to data to take measures to keep it confidential,” says Joshua Grimes of Grimes Law Offices LLC, a Philadelphia law firm serving hospitality professionals and associations. “Under SOX, they have a responsibility to protect data, and that responsibility spreads to outside meeting planners and hotels.”

Failure to protect personal information can have serious repercussions, from fines and penalties levied by credit card companies to lawsuits and damaged reputations. Last year, 53 million people had personal data exposed, and 8.9 million adults were victims of identity fraud, according to Information Week magazine. The hospitality industry is not immune. Marriott International's data loss incident late last year, affecting 206,000 customers, ranked among the top 10 disclosures tracked by the Privacy Rights Clearinghouse. And Hotels.com reported in June that 243,000 customers' personal information had been potentially compromised when a laptop computer was stolen from its auditing company.

To minimize risk and liability, meeting professionals need high standards of due diligence. Grimes advises taking a “virtual walk-through” of your network to anticipate how data can get out and to make sure that you have taken all reasonable measures to protect it.

Registration Data

Confidential data is first exposed when attendees register for your meeting. Online registration should be over an Internet connection using the Secure Sockets Layer encryption protocol. (The URLs for Web sites with an SSL connection begin with https instead of http.) The data should be stored in an encrypted, relational database behind a firewall to prevent unauthorized access.

Registration forms, housing lists, and other hard copies with confidential information should never be faxed or left in the open. Staffers with access to this information should have shredders at their desks.

If you send a pre-registration database to suppliers for on-site registration, lead retrieval, or other communication services, don't send it via e-mail. Use a secure File Transfer Protocol site where the file can be downloaded. “The most vulnerable point that planners aren't aware of is e-mail,” says Roger Lewis, vice president of sales and marketing for AllianceTech, an Austin, Texas, technology solutions provider for meetings and events. “There are points along the way where an unencrypted e-mail could be intercepted.”

When you select suppliers, ask about data security practices. Determine who is authorized to access the data, and how that access will be controlled. Be sure the contract includes language that makes it clear you own the data, and that it may not be shared without permission.

“We have only certain approved vendors who are set up through our preferred vendor system,” says Randy Lee, CMP, CMM, CTSM, PMP, senior events program manager and IBM-Americas marketing manager in Austin. “It's procurement's job to make sure they comply with our corporate standards.”

Registration and housing contractors with the highest security comply with Payment Card Industry Data Security Standard requirements. Ask vendors that store, process, or transmit credit card data if they comply with PCI standards.

“Going through these security measures doesn't guarantee that you're completely immune from a security breach, but it means that you've taken every reasonable step to meet the highest level possible,” says Brian Scott, chief information officer for Conferon Global Services, Frederick, Md., whose registration business, ExpoExchange, recently received PCI certification as a “Level 1 Merchant.”

Network Protection

“Corporations spend money on data security within their own environment, but when they go off-site, it's chaos or anarchy,” says Paul Sullivan, managing director of the enterprise conference solutions group for iBAHN, South Jordan, Utah, a technology solutions provider for meetings and conferences and wired and wireless broadband services for hotels. “I would like to think that a meeting planner, whether for a corporate or industry event, would want the meeting to deliver the same level of security that the corporation would provide.”

Don't rely on public wireless Internet access for your participants, which exposes them to possible data theft. Provide an SSID, or service set identification number, that restricts access to event participants. For the highest level of security, ask for a Wi-Fi Protected Access (WPA) — compliant network, which encrypts the data. To gain access, each user needs a unique password.

Segregating the network into virtual local area networks (VLANs) and assigning priorities based on bandwidth needs prevent data on one part of the network from being visible to other parts of the network. To access their corporate virtual private networks (VPNs), participants need individual public IP addresses, so provide enough to support your maximum number of simultaneous users.

Ask your network services provider about how the network is protected against denial of service attacks and other intrusions. There should be a network operations control center with intrusion detection and incident response capabilities, and network servers should be in a room with restricted access.

“Systems that track and identify the MAC [Media Access Control] address, which is a unique network card identifier, IP address, or personally identifiable credentials such as a credit card number, allow a person to be tracked down,” says Josh Friedman, co-founder and vice president of marketing for Portland, Ore. — based Eleven Wireless, providing network management software and services to hotels and convention centers. “This needs to be balanced with the privacy of guests.”

If you have complex networking needs, bring IT support or contract with a reliable on-site provider.

Wildfires in the Exhibit Hall

Find out exhibitors' security requirements before the meeting to strike a balance among ease of access, security, and cost. In the exhibit hall, where viruses can spread like wildfire, suck up bandwidth, and crash the network, require computers to have up-to-date virus protection and security patches.

“We talk to those who administer the networks about their proxies and firewalls,” says Robert Richardson, editorial director for the Manhasset, N.Y. — based Computer Security Institute, whose annual conference includes about 200 exhibiting companies. “Our exhibitors are all security folks, so the odds that they have up-to-date virus scanners are reasonably good. But it's a building full of people who know how computers are protected and where they're weak. If someone wanted to go after the network, they'd be better prepared than most.”

When multiple vendors use a network, one vendor could launch a denial of service attack that renders a competitor helpless. “It's common to assume that the security threat will come from outside the network, but they're more likely to come from inside the network,” says David Langford, vice president of technology for Smart City Networks, Las Vegas, communications technology provider for convention centers and hospitality venues. “We have intrusion detection, firewalls, and Layer 1 [physical] and Layer 2 [electronic] security.”

Post-Event Security

The need for data security does not end with the meeting. Be sure that suppliers return confidential data within a reasonable time. When you no longer need this information, erase it completely. “Scrubbing” the storage medium, such as a hard drive, renders the data meaningless. “Wiping” it erases everything on the drive. These procedures may seem extreme if you're not accustomed to thinking about data security on a daily basis. But it's time that you do.

“The hospitality industry is finally keeping in compliance with data security and privacy. They're doing it as much out of fear as the goodness of their hearts,” says Jay Ramadorai, senior vice president and chief technology officer for Passkey, Quincy, Mass., an online solution for group reservation management. “That means vendors and partners who work with hotels need to prepare for a higher level of security and data handling in their own organizations.”

Hacked!

During routine maintenance on January 13, 2006, computer engineers at University Place Conference Center and Hotel in Indianapolis found a virus program commonly used by intruders. They immediately removed the reservation system from the network and initiated an investigation. On January 20, despite no evidence that data had been compromised, the hotel notified roughly 7,600 guests whose names, addresses, and credit card numbers were exposed that it had had a security breach. At least 70 percent of those guests had been event attendees.

“The letter came from me, with my direct phone line,” says Tom Cappucci, general manager of the property, which is part of Indiana University-Purdue University Indianapolis. “The majority of people who called thanked me for telling them.” He answered questions, then posted FAQs on a Web site. After the attack, the university IT department rebuilt the server, installed an upgraded reservation system, and put a firewall between the database and network. The new software encrypts credit card numbers upon entry.

“What we learned through this process is to communicate with customers as quickly as possible,” Cappucci says. “The guests understand that these things happen, but they just want to know about it.”

Privacy Policy

Strong data handling policies and well-designed contracts with hotels and other third parties can go a long way toward protecting attendees' personal registration data.

IF JANE DOE registers online for your meeting and provides an e-mail address to receive updates, will she also receive solicitations from the hotel to join a frequent guest program? Does she know that the credit card number she supplied to reserve her room could end up on a rooming list fax? And would she be concerned to learn that her private information is still filed in a box five years later?

Lax practices can cause an attendee's personal information to be used in unexpected ways, or worse, be exposed to theft. Data passes like a hot potato from meeting planner to registration contractor to housing bureau to hotelier. Privacy policies and practices are not enough to reduce your exposure to risk. When you contract with third parties, include a contract clause that passes along the responsibility for safeguarding confidential information.

“Data collected about attendees ought to be treated as confidential information,” says James M. Goldberg, lawyer, of Goldberg & Associates PLLC, a Washington, D.C., law firm serving associations and nonprofits. “I put in a confidentiality clause that says, anything that we give you belongs to us is confidential, and you can't use it for any purpose other than the purpose for which we're giving it to you. When the contract is over, you have to give us the data back.”

If the contract is with Starwood Hotels and Resorts, that clause might not fly. As Dave Scypinski, Starwood's senior vice president of industry relations in Washington, D.C., explains, confidentiality clauses are too broad, because they don't distinguish confidential information, such as e-mail addresses, from nonconfidential information, such as room setup plans. The solution: If it's confidential, don't share it.

“We want the minimum amount of information we need to do our jobs,” Scypinski says. “We don't need a rooming list with addresses, credit card numbers, and phone numbers. We would rather not have that because we become responsible for it.” If a planner does pass along such information, there's a clause to cover it. Starwood's group contract states, “to the extent that they give us personally identifiable information, then they represent that they have the right to do that,” he says.

Therein lies the sticky issue for privacy protection. When you collect attendee information, you must advise attendees that their information might be shared and get their permission to do so. Under online privacy protection laws now or soon to be in effect in 23 states, anyone who collects personal information online must state and enforce a privacy policy. If that information is compromised by a security breach — or carelessness — you must notify the people whose information was exposed.

Since California enacted its Online Privacy Protection Act in 2003, more than a dozen bills have been introduced in Congress that would supersede existing state laws. Soon, online privacy protection could be a federal mandate. But don't wait for it. There are a number of steps you can take to protect attendees' privacy.

At Collection Points

In the California Online Privacy Protection Act, “personally identifiable information” (PII) includes first and last name, e-mail address, physical address with city and street, phone number, Social Security number, or any other identifier that permits a person to be contacted in person or online — such as a credit card number and driver's license number. If you collect any of this information from your attendees, then you must protect it.

TRUSTe, an independent nonprofit organization dedicated to online privacy protection, recommends sketching a personal information flow chart to determine who comes into contact with the data, how it is shared outside your organization, how it is stored, and how it is archived or destroyed. Then you can be sure that you have data-handling policies to keep that information safe.

Posting your privacy policy on the meeting registration Web site is the first step to getting informed consent from attendees to collect, share, and save their personal information. IBM's exemplary privacy policy is available from a prominent link on every page at IBM.com. It applies to IBM customers, prospects, business partners, and suppliers.

“We all go off the same privacy policy,” says Randy Lee, CMP, CMM, CTSM, PMP, senior events program manager and IBM-Americas marketing manager in Austin, Texas. For proprietary events such as the Global Financial Services Forum, Lee collects just the information he needs to manage the event, such as name, title, company, and e-mail address. If he has questions about privacy protection, he consults the privacy resources on IBM's intranet.

When attendees register for the Computer Security Institute's annual conference, a privacy policy is disclosed through a link at the bottom of the page, as well as on the registration form. In addition to billing information, attendees can choose to provide information that helps CSI plan programming. By opting in, they give permission for CSI to save this information for future use, including communicating with them by e-mail.

“When you collect information from your customers, the baseline expectation is that you'll be responsible about the information they shared with you,” says Robert Richardson, editorial director for CSI, Manhasset, N.Y. “If you make commitments in a privacy statement, you're honor-bound to observe them.”

Entrusted to Third Parties

Review supplier contracts for clauses that expose your organization to risk, should PII be compromised. For example, the Starwood Hotels group contract includes a “content clause” that covers anything a customer gives the hotel to promote and manage the meeting. As explained by Starwood's Scypinski, it's intended to ensure that logos, music, photos, and other information is owned by the group and may be used by the hotel.

“Our clause says the information the group provides to the hotel is free and clear, and they have the rights and permissions to use that information,” Scypinski says. “The clause grants the right to use data for any lawful purpose, such as setting up registration.” Once an attendee checks in, the hotel has the right to use his PII for business-related purposes such as marketing to Starwood preferred guests. Contrary to popular belief, “We don't sell that information or give it to someone for marketing purposes outside the hotel,” he says.

As Goldberg points out, the Starwood contract also includes an indemnification clause stating that the group will hold the hotel harmless for any claims that arise from the use of that information. If you're uncomfortable with that, he advises, “My first preference is to take out the whole provision. The next step would be to delete the indemnification part. An alternative is to modify it to say you can't share the data unless it's covered under a confidentiality agreement.”

Archival Data

After registration and attendance have been reconciled, and room-block pickup has been confirmed, collect the data from third parties and save only the information you need to plan future meetings. Archived information should be stored in a safe place, preferably off-site.

“Data is active in our system for a period of time after the event for the many reconciliation activities and historical reporting that needs to occur. Subsequent to that, the database will be emptied, and the historical data stored in managed, secure, locked environments,” says Scott Tallarida, vice president of information technology for Chicago-based Travel Technology Group.

If privacy protection is expected, then new, high-level security standards are required. “New standards usher in a whole new perspective on security,” says Tallarida. “It helps get every employee in the mindset that every piece of customer data is a privacy concern.”

What's Your Privacy Policy?

A privacy policy tells people how you use their information. According to TRUSTe, the Federal Trade Commission's Fair Information Practices are the closest thing to a standard for online privacy protection. Based on the principle of full disclosure, they include:

NOTICE. Disclose what personal information is collected and how it's used.

CHOICE. Allow people to choose how their information is used.

ACCESS. Give people access to the information once they've disclosed it.

SECURITY. Secure personal information so it stays private.

REDRESS. Enable people to resolve any problems that arise.

For more information, download “Your Online Privacy Policy” from TRUSTe.com. For a complete list of states with online privacy and/or security breach laws, contact Consumers Union (www.consumersunion.org).