Personal data is not entirely safe, even when encrypted and password-protected, as high-profile breaches reveal. And without those measures, it's easy pickings for hackers. All too often, common practices in the meetings industry equate to easy pickings. It's a concern that Kevin Iwamoto, a self-described data-security evangelist and senior vice president at GoldSpring Consulting, has been harping on for years. He says we need to get into the habit of thinking, "Wow, this is personally identifiable information, and if it's ever hacked, everybody -- including me -- is going to be in a heck of a lot of trouble."
What's a safer way for planners to keep and share attendee lists?
People can still use whatever format they're comfortable using; they just have to take an extra step of protecting that information. At the very least, that means not sharing your password, and not printing things and leaving paper around without shredding it. Even when you do that, there's still risk. It's not like the hotels or retail merchants who had their data breached were just leaving things lying around. They had encryption and other measures in place to protect the information, and they were still compromised. That alone should have raised the fear factor -- or at least awareness -- that even with protective measures your data can still be hacked. If somebody really wants to hack it, they're going to move heaven and earth to do it. Just don't make it easier for them than you need to.
What kind of attendee information should always be encrypted?
Even a name, address and phone number can be used as a starting point for identity theft. This information can be used by people with bad intentions to set up bogus accounts and make charges against your credit line. All of that data is pretty sensitive and is considered personally identifiable information. When sending an attendee list to a hotel or supplier, password-protect or encrypt the file. Here's another thing: The hotel or supplier needs to agree to also safeguard that information, even when sharing it internally. Ask the hotels and venues what their data protection standard is. A violation could lead to a data breach, and the hotel should be required to notify you within 72 hours of the initial discovery that your attendee data was compromised. All of those things should be spelled out in future agreements -- or even existing agreements.