Proposed legislation aimed at protecting personal information and deterring identity theft could affect both corporate meeting buyers and suppliers, as the industry would be forced to reevaluate how it collects and stores attendee reservation information.
The New York Times on Nov. 1 reported that more than one dozen data-security bills have been introduced in Congress this year. The proposed legislation holds companies that compile and store consumer data to a higher standard of security.
There will be significant changes in data-protection laws over the next three to five years due to concerns over identity theft, said Kelly Franklin Bagnall, partner with Texas-based law firm Brown McCarroll LLP.
When Sarbanes-Oxley was passed in 2002, companies invested significantly in creating internal policies to comply with the new law. A data-protection law could have a similar effect on the industry, forcing both suppliers and buyers to build policies on how sensitive information is stored, attorney Bagnall said.
"Any time there is increased data-protection legislation, whether proposed or passed, people react. They'll start looking at what they're doing internally and make sure they're not violating a law," Bagnall said.
Hotels and corporations wouldn't be limited to protecting credit card information, said Rodman Marymor, CEO of Berkeley, Calif.-based meetings technology consulting firm Cardinal Communications and a principal in Tech3 Partners. Other sensitive information that might be protected by a federal law includes social security numbers, personal financial information and health records. Any organization that stores or collects such information could be liable if the information is stolen or misused.
California passed a data-protection law in 2003 in response to public concerns about identity theft. Even though the law was not aimed at the hotel industry, it forced chains to inform customers who had viewed their information. Since then, 17 other states have enacted similar notification laws.
"Usually the reaction by the legislature to various issues on privacy had nothing to do with hotels," according to Bagnall, "but the legislation is far-reaching enough that it encompasses that type of information."
Hilton Hotels has a special notification for California residents who may request a list of "the categories of personal information disclosed to third parties for third-party direct marketing purposes."
Diane Reardon, senior director of regions and groups for Carlson Hotels Worldwide, said her company has made significant investments in complying with existing privacy laws in Europe. Though regulations are strict abroad, Reardon said she expects U.S. data-protection regulations to become tougher during the next few years and that domestic hotel chains will have to change their internal systems to comply with new laws.
The European Union relies on comprehensive legislation that requires creation of government data-protection agencies, registration of databases with those agencies and, in some instances, prior approval before personal data processing may begin, according to the U.S. Department of Commerce. The E.U. in July 2000 approved the Safe Harbor framework to allow U.S. companies with "adequate" privacy protection to continue their businesses in Europe.
The amount of investment required by companies and chains to ensure compliance with new data-protection laws would depend on what, if anything, is passed by Congress. Any legislation also would include a review period, during which companies would have time to assess their internal programs.
If a data-protection law were aimed at securing computerized data, for example, companies would have to enhance their IT departments, train employees and make sure that electronic data they collected from attendees complied with federal law, Bagnall said.
It is difficult to predict what would be included in a national data-security law, Bagnall said. "Things get crammed into legislation at the last minute that sometimes causes all the problems," she said.
Bagnall said proposed privacy laws aimed at protecting the rights of minors in California limit the use of radio frequency identification tags, used in high-tech attendee badges (Meetings Today, Oct. 17).
"Hotels, especially the large chains with large legal departments, are going to be very cognizant of what the laws are and they're going to make sure that they comply. The meeting planners and the groups who book travel are going to likewise be compliant internally for their own needs and then they're going to externally say they want their external vendors to do X, Y and Z—which was exactly what happened with Sarbanes-Oxley," Bagnall said.
There is a gap between corporate expectations of privacy and legal protection of company data, Bagnall said, and privacy policies vary by chain and property. A hotel chain may have a different privacy policy for specific programs as well, such as online reservations and frequent guest programs.
"They're all different, and all over the board," Bagnall said.
Data protection is "a huge" issue, said Tech3 Partners' Marymor.
"It's gotten to the point of when we think of taking and storing credit card information, unless it's done at the highest levels of capability, it's a best practice to not even do it," he said.
Numerous third-party services are available for hotels and companies that need to store sensitive information, he said. "As computers on which this information is stored are being networked and connected by the Internet, it's becoming a greater priority to make sure data is protected," Marymor said.
Compliance with a federal data privacy law could spark Sox-like changes and be a significant expense for meeting vendors, he said. "It should happen," Marymor said. "It would be the responsibility of anyone that is willing to accept or store personal data to store it in a secure way. If they don't, they're just opening themselves up for potential liability."
Buyers said that although data protection has not been a problem, they take steps to minimize risks and safeguard attendee and content information.
Beryl Gibbs-Roux, corporate travel manager for New York-based engineering giant Parsons Brinckerhoff Quade & Douglas Inc., said her company holds its most sensitive meetings using internal space, and external meetings are held at preferred vendor hotels. The company has worked with some hotels for more than a decade, she said. Strategic planning meetings are usually placed at PB offices, she said.
"We try to have meetings in hotels where we have negotiated rates, so we have an established relationship," Gibbs-Roux said. "It is an issue to think about, but I have to hope that with the relationships that we have with the hotels, it won't become a problem."
Gibbs-Roux said her expectations for hotels are to keep all information on her company and attendees private.
"I wouldn't expect the hotel to divulge information to anyone or give out any information about reservations that might be booked for any of my employees," she said. "I would be appalled if that were happening."
Nina Mallen, corporate meeting planner for energy provider Consolidated Edison Co. of New York Inc., said privacy has been a concern but not a problem for the company's executive meetings. A recent top-level meeting was left off of the hotel's daily event posting, at ConEdison's request.
"One of the first questions we had was how the meeting should be posted," Mallen said. "That reflected a concern for privacy."
Mallen said she's pleased with the ethics of the hotels she's worked with, and that her expectations of privacy have been understood.
Data protection and security issues are things the entire meetings industry should keep an eye on, she said. "The industry as a whole has to look at privacy," Mallen said.