Personal data is not entirely safe, even when encrypted and password-protected, as high-profile breaches reveal. And without those measures, it's easy pickings for hackers. All too often, common practices in the meetings industry equate to easy pickings.
It's a concern that Kevin Iwamoto, a self-described data-security evangelist and senior vice president at GoldSpring Consulting, has been harping on for years. He says we need to get into the habit of thinking, "Wow, this is personally identifiable information, and if it's ever hacked, everybody -- including me -- is going to be in a heck of a lot of trouble."
What's a safer way for planners to keep and share attendee lists?
People can still use whatever format they're comfortable using; they just have to take an extra step of protecting that information. At the very least, that means not sharing your password, and not printing things and leaving paper around without shredding it.
Even when you do that, there's still risk. It's not like the hotels or retail merchants who had their data breached were just leaving things lying around. They had encryption and other measures in place to protect the information, and they were still compromised. That alone should have raised the fear factor -- or at least awareness -- that even with protective measures your data can still be hacked.
If somebody really wants to hack it, they're going to move heaven and earth to do it. Just don't make it easier for them than you need to.
Data Breached? What to Do Now
If you spot a mysterious charge, cash withdrawal, or other suspicious account activity, take immediate action. Kevin Iwamoto of GoldSpring Consulting recommends these four steps.
1. Notify any of the main credit bureaus -- TransUnion -- that your data has been compromised.
2. Call the credit-card provider, cancel the card, and change your password and PIN.
3. Subscribe to a credit monitoring and notification service, such as Experian.
4. Change your passwords regularly, and don't use the same one for multiple accounts. Use a free app, like Dashlane, to safely store your passwords. -- L.G.E.
What kind of attendee information should always be encrypted?
Even a name, address and phone number can be used as a starting point for identity theft. This information can be used by people with bad intentions to set up bogus accounts and make charges against your credit line. All of that data is pretty sensitive and is considered personally identifiable information. When sending an attendee list to a hotel or supplier, password-protect or encrypt the file.
Here's another thing: The hotel or supplier needs to agree to also safeguard that information, even when sharing it internally. Ask the hotels and venues what their data protection standard is. A violation could lead to a data breach, and the hotel should be required to notify you within 72 hours of the initial discovery that your attendee data was compromised. All of those things should be spelled out in future agreements -- or even existing agreements.
How does one encrypt a document?
You can purchase encryption software. [Here's a comparison of leading brands from PCmag.com.] And a lot of programs, including Excel, have a feature that lets you assign a password to documents. There's also Virtual Private Network (VPN) protection, which uses encryption technology to create a secure link between your device and a VPN server. If you're an independent planner and you don't have a corporate VPN to mask your online activities and transactions, you can purchase inexpensive VPN protection on an annual or multiple-year basis.
I would highly recommend that independent planners -- and anyone else -- invest in doing that, especially when they're traveling or working on-site and using open networks, which are the most vulnerable. You can type VPN into any search engine, and you'll see a host of different companies and their pricing pop up. [Popular services include ExpressVPN, IPVanish, NordVPN, Hotspot Shield and CyberGhost.]
Make sure your license is for multidevice protection, so you can use it on your tablets and mobile phone, too. This is critical if you use all your devices on-site at the event and in your hotel room. Remember, hackers target and exploit the vulnerabilities of people, processes and technologies.
"What data-protection measures do you want us to take?" should be a standard question in the sourcing process. If there is a cost associated with doing that, you could add that to your pricing.
Is it typical for planners to build such fees into their pricing?
No, but here's the thing: If I was a client, I would appreciate that you're thinking about data protection, and I would absolutely pay a few bucks more to know you're doing your part in securing the personal data of my attendees. Whether it's a billable line item or built into your service agreement, it should become a standard consideration.
A lot of the effort to protect data is supplier-driven. Is it being addressed in group contracts?
Any supplier that doesn't have data-breach notifications and terminology built into their master services contract really needs to add that. Under GDPR [the General Data Protection Regulation that applies to the handling of personal information of EU residents], that's a given. You have to notify of any data breach or data-theft situation within 72 hours of the occurrence.
It wouldn't hurt to use that language when you're contracting with a venue or hotel. It should also stipulate that failure to do so will result in X, Y and Z, or the supplier will assume responsibility for the data breach and provide potential compensation or ID-protection service post-breach -- or something like that. I think that needs to be implicitly stated in all agreements. In most agreements that I look at, I don't see it in there.
Is force of habit a factor in how slow the meetings industry has been to adopt these measures?
Absolutely. Change management is one of the things human beings really don't do well. If you've done something for years and years and it has worked, the impetus for change is pretty low. People think, "Why should I change what I'm doing? It's worked so far. Nothing bad has happened so far." It's only when it does happen that people wake up to the seriousness of the issue. And it's happening more and more.
Why are we seeing so many data breaches? Are companies taking the appropriate measures?
At this point, many retailers have pretty robust firewalls and encryption, and they have taken many precautions to protect data, and they still get hacked. That's because hackers are smart: They find that one flaw, an entry portal that they can exploit. If that can happen to retailers and airlines and hotels, imagine how easily hackers can get access to conference or event data. It's kind of scary, right? If somebody really wanted to look for easy pickings, they'll find plenty of personal data to exploit.
Again, why make it easy? Even if you can't always prevent a breach, you can at least make it challenging for hackers to access your information.
The hotel industry, and most recently Marriott, has experienced a number of large-scale breaches. Should planners be responsible for finding out if their attendees' data was compromised?
I would feel terribly responsible for that, and I would want to know what my levels of exposure were based on that data breach. I think it's a fair question to ask. If there is a high level of exposure, I would rather be the one breaking that news to my management and participants, than letting them first hear about it in the media or from the hotel company.
If I realized that I had held a meeting at one of those properties, I would definitely reach out to my rep and ask whether any of my events and attendees were affected. You can't just sit in the dark and hope and pray that your events weren't impacted.
How likely is it that someone's data has been compromised but they don't realize it?
It happens all the time. I was just reading an article that said most people should assume their personal data is already on the dark web for sale. It actually listed prices that people pay for personal data. It has been so commoditized that the price to get somebody's Social Security number, address, phone number or email is in mere dollars.
The big bonanza for hackers is getting a whole cache of information to basically take over somebody's life, which includes passport information, date of birth, the whole kit and caboodle. That's still worth a lot of money.
Don't forget that half the country's cached information that was "secured" via Equifax was compromised. You might have done all the right things to protect yourself, but your information was still compromised, which is ironic because what they sell and promote is data security.