Meetings by their nature involve considerable collection and management of personal information. New data privacy and protection laws require those who collect it to have a plan to protect it, as well as to report and remediate any breaches.
State and federal laws introduced to curb the "identity theft epidemic," which the U.S. government estimates now claims more than 9 million victims a year, could apply to meetings data, according to speakers at a National Business Travel Association conference session in August. "More electronic records were breached in 2008 than in the previous four years combined," according to the presentation. Nine of 10 breaches could have been avoided with basic prevention steps, speakers said.
Among the personal information that meeting planners regularly collect, store and manipulate are names, addresses, emergency contact information, travel booking data, passport numbers and credit card numbers, said meetings industry consultant Lisa Palmeri of Palmeri Consulting. Even such routine procedures as credit applications with a supplier involve personal data, she added. Attendee emergency contact lists also contain personal information.
By law, unauthorized access to such data now must be reported to various entities, depending on the applicable statute. A laptop is stolen every 53 seconds in the United States, according to Gartner Inc.
The laws mandate that companies warn those impacted, pay for credit monitoring and face substantial fines for violations, said Amy Zellmer, account operations director at management firm Meetings & Incentives.
The highest risk, Palmeri said, lies in a standard meeting organizer practice of collecting credit card numbers to provide to a hotel to guarantee a hotel room within a block. "While a great convenience, once you have that information in your system, you now have the onus to protect that information. If I had a choice, I'd prefer not to take that risk," said Palmeri.
Instead, Zellmer suggested that organizers guarantee rooms to a master bill, collect and store attendee credit card numbers in an encrypted database and provide the card number to the hotel only if the guest doesn't show up.
"Manage to the exception, not the rule," Palmeri said. "We were always trained to gather, collect and store as much information as possible. Now, we're saying, 'Collect as little information as you realistically need to do your job.' That's a big shift in thinking."
Several states recently have introduced data breach laws of concern to Zellmer. A new law in Massachusetts effective Jan. 1 stipulates penalties of $5,000 for each data breach. States dictate how and when companies must notify individuals of such breaches. Wisconsin requires notification within 45 days, but Illinois law says "immediately." Zellmer advised planners to search government Web sites of any states in which they do business, or industry sectors that might have specific rules, to ensure compliance with data privacy laws.
"If you're building a plan after the breach occurs, you're already behind," Palmeri said.
Also of concern to Zellmer is the Federal Trade Commission's Red Flags Rule, which requires creditors and financial institutions to have "written identity theft prevention programs to help identify, detect and respond to patterns, practices" or red flags that could indicate identity theft, stated the FTC Web site. At first glance, Zellmer said, she didn't think the law applied to her meeting planning company. However, the FTC broadly defined a creditor as "anyone who provides goods or services, and bills for them later," a standard practice in meetings, she added. The FTC on Oct. 30 delayed enforcement of the rule for the fourth time. The effective date now is June 1, 2010.
Building A Bulwark
While Zellmer said the FTC Web site (www.ftc.gov) includes a guide for small businesses on how to develop a prevention program, the first step, Palmeri noted, "is really doing a personal assessment of your own systems, laptop and network drives to see what information you have, why you have it and if you still need it. Justify why you still have a meeting roster with credit card data from three years ago."
Palmeri said companies then can determine where best to store the data, what to encrypt, who may access it and how to monitor unauthorized access.
Zellmer said her company classified all data elements and then wrote standard operating procedures on storage, access restrictions and the eventual destruction of it all. As part of a crisis plan, she said, companies should identify a chief privacy officer and incident response team.
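The assessment Palmeri describes (find out which files hold card numbers, why, and whether they are past their useful life) is the kind of task a planner's IT staff can script. The following is an added example, not code from the article or from either speaker's company: it scans a set of constructed sample roster files embedded inline, treats any 13 to 19 digit run that passes the Luhn check as a probable card number, reports it masked to the last four digits, and flags files older than a hypothetical one-year retention limit. The file contents, dates and the retention period are all assumptions made for the example.

```python
"""Added example: a minimal personal-data inventory scan for card numbers in
meeting rosters. Sample files, dates and the retention limit are constructed
for this example; a real scan would walk the laptop and network drives."""
import re
from datetime import date, timedelta

# Constructed sample "files": path -> (last-modified date, contents). Not real data;
# the card numbers are the standard published test numbers.
SAMPLE_FILES = {
    "rosters/2006_sales_kickoff.csv": (
        date(2006, 3, 12),
        "name,card\nA. Attendee,4111 1111 1111 1111\nB. Attendee,5500-0000-0000-0004\n",
    ),
    "rosters/current_meeting.csv": (
        date(2009, 10, 1),
        "name,phone\nC. Attendee,555-0100\nD. Attendee,4012888888881881\n",
    ),
    "notes/agenda.txt": (date(2009, 9, 30), "Room block 1234567890123 confirmed\n"),
}

RETENTION_DAYS = 365          # hypothetical retention limit; set from your own policy
AS_OF = date(2009, 11, 1)     # constructed "today" so the report is reproducible

# 13 to 19 digits, optionally separated by single spaces or dashes; not preceded
# or followed by another digit so we do not cut a longer number in half.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits in the report; never write the full number out."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text):
    """Return the Luhn-valid card-number candidates found in text (unmasked)."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def inventory(files=SAMPLE_FILES, as_of=AS_OF, retention_days=RETENTION_DAYS):
    """One report entry per file that holds card data: masked numbers, age, retention flag."""
    report = []
    for path, (modified, text) in files.items():
        pans = find_pans(text)
        if not pans:
            continue
        age = as_of - modified
        report.append({
            "path": path,
            "age_days": age.days,
            "over_retention": age > timedelta(days=retention_days),
            "cards": [mask(p) for p in pans],
        })
    return report


if __name__ == "__main__":
    for entry in inventory():
        flag = "PAST RETENTION, justify or purge" if entry["over_retention"] else "within retention"
        print(f"{entry['path']}: {entry['cards']} age={entry['age_days']}d ({flag})")
```

The agenda file is correctly skipped: its 13-digit booking reference fails the Luhn check, which is what keeps a scan like this from drowning in confirmation numbers and phone numbers. The 2006 roster is the "three years ago" case from the text and comes out flagged, while the current roster is reported but within the limit.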