Historically, data security and privacy have not been high priorities for event organizers. Many don’t feel particularly vulnerable because the incidence of data breaches associated with events is low. That posture is changing.
As the meeting industry transforms digitally, more data is produced and processed by more suppliers. New regulations put non-compliant organizations in legal and financial jeopardy and data theft outside the event industry occurs daily. It’s time to look at where the vulnerabilities lie and how to preserve the integrity, transparency and reputation of the industry.
Pointing Out Weaknesses
Hugh K. Lee, president of Rochester, N.Y.-based Fusion Productions and the annual digitalNow conference, has emphasized to association leaders the importance of data security and privacy for more than a decade, saying that it’s “fundamental to your trusted role, brand, community and content. But because software and devices at events today are so connected, data passes more easily from one platform to another and organizers can easily lose control.
“When data gets two or three connections down the line, you don’t know if it’s being hacked or how it’s being used,” Lee says.
He believes that association meetings are particularly high-value targets because so much desirable information is collected about a specific population of individuals when people convene.
“Think about what [bad actors] want,” Lee says. “They want names, addresses, citizenship, interests, frequent traveler information, food preferences, allergies, special interests and those kinds of things.”
Even meeting programming—session topics and speakers—have value to would-be disrupters, he says.
Corporate meetings, such as user group conferences, are arguably even more exposed, says Debbie Chong, an attorney specializing in regulatory compliance and privacy and co-founder and CEO of San Francisco-based Lenos Software. It’s not only credit card, passport, driver license and other forms of identification often collected to verify and qualify attendees that attract the attention of data hackers.
“Housing information can pose a risk from a security standpoint and Bluetooth beacons that capture information like who you’re meeting with and where is highly valuable to competitors, in addition to being privacy intrusive,” Chong says.
Risking Revenue and Reputation
According to Frank Schettini, owner of Philadelphia-based digital and business transformation consultancy FAS concepts and former chief innovation officer for ISACA (previously known as the Information Systems Audit and Control Association), events are at risk on two fronts.
“If your organization doesn’t really care about its data security and it becomes public, the likelihood of the event being successful not only from a revenue perspective, but from a reputation perspective is highly suspect,” he says.
The regulatory climate is also heating up. The European Union’s General Data Protection Regulation (GDPR) has impacted the data privacy policies and practices at organizations and companies around the world. Organizations deemed not to be in compliance face steep fines.
“The U.K. Information Commissioner’s Office (ICO) fined British Airways a proposed US$230 million for an incident that took place from June to September 2018 and compromised the data of 500,000 customers,” according to a CNBC.com report. “The ICO gave Marriott a $123 million proposed penalty for the loss of 339 million guest records, reported in November 2018.”
GDPR is one of several regulatory measures that governments are taking. The California Consumer Privacy Act (CCPA) is “stricter and tougher to track” than GDPR, Schettini says. Under California’s new law, organizations “literally have to tell everyone what data they have, describe how they’re going to use it, give [users] an option on how to change how the data can be used and every year report to them how the data was used,” he explains. Biometric surveillance systems such as facial recognition (an emerging event technology) are being scrutinized or banned in some major cities, including San Francisco.
Almost all event owners use at least one third party, such as event management companies and event technology providers. While GDPR requires that data controllers (owners) be as compliant as data processors (third parties), many organizations don’t have the resources or internal expertise to appropriately vet third-party solutions.
“Having a clear understanding of what the potential threats are and still saying, ‘I’m going to go with my third party on that without asking questions,’ says to me that you’re rolling the dice,” Lee says. “One day, if it comes up craps, you’re in trouble. It could wipe out an association or a show.”
Event Wi-Fi is probably the biggest area of weakness on site, Schettini says. Even the fortified Wi-Fi networks of hacker conferences such as Black Hat get hacked, he adds. Onsite registration in an unsecured environment, for example, can yield attendee credit card, personal identification and demographic data to hackers. Pocket-sized devices called Wi-Fi Pineapples, originally developed to sniff out the vulnerabilities of wireless networks, can also facilitate the collection of sensitive personal information from unsuspecting event participants over unsecured or easily accessible Wi-Fi networks.
Bad actors can capture attendee tracking information transmitted from proximity beacons and radio frequency identification (RFID) readers to cloud-based software via the internet if they also obtain the registrant’s identification number.
“Whenever you have an industry getting together with key people and key information around future products, innovation or R&D pathways, digital IDs become a valuable target,” says Joe Colangelo, CEO and co-founder of Arlington, Va.-based Bear Analytics Inc.
Other ways to compromise event data include spoofing, “gaining access to key registration information by pretending to be an official from the event or from an event technology company to gain private and sensitive information about registrants,” Colangelo explains.
With registrant emails, phishing scams (sending emails designed to induce individuals to reveal personal information, such as passwords and credit card numbers) could wreak havoc on an event.
“You could imagine getting emails saying, ‘You’ve registered, but your payment didn’t go through,’” Colangelo says.
Unauthorized individuals roaming a conference pose another threat. Unsecured computers (in the show office, for example) connected to the show organizer’s network or event technology solutions’ administrative dashboards are open doors to all types of sensitive information. Likewise, hackers can upload malware or ransomware to the organization’s network using a USB drive on an unattended laptop. The local area networks (LANs) from technology vendors are also at risk from tampering. Credit card skimmers can be placed over the card swipe mechanisms on ATMs inside event venues.
Overcoming Inherent Obstacles
The wholesale embrace of data security and privacy policies and processes in the meeting industry is complicated. Technology is outpacing governance and event owners are hard pressed to solve problems (the widespread hacking of meetings, for example) that haven’t completely manifested.
“I just can’t emphasize to [organizers] enough that we live in a world where leadership in the digital age is very different,” Lee says. “It’s about new and disruptive technologies coming out at a faster rate than ever.”
Budget is also a deterrent. Blockchain technology has been suggested as a remedy for giving individuals more control over their personal data, and “it would be a great strategy,” Schettini says.
“[But] the question then becomes, ‘What applications are out there that leverage blockchain or do you have to do a custom build?’ Because, again, now you have to ask how much it’s going to cost,” he adds.
GDPR complicates the efforts of event owners to monetize attendee data. While selling attendee contact information is a nonstarter for many groups, proximity data (which attendees visited a booth, how long they stayed and what they were looking at) is definitely still on the table. Plus, monetizing data is an important objective of corporate event owners—software even places information about one-to-one meetings taking place during the event directly into the company’s sales enablement platform to speed up sales conversions. GDPR makes the processes for gathering and using such data more cumbersome.
The demands of data security and privacy can be overwhelming to many organizations—especially smaller event owners with fewer resources to address the challenges. Most are still trying to cope with the rapid onset of digital technologies, the abundance of data being collected and the training and personnel required to manage events in the 21st century. Following data through the various channels and vendors can seem like one more exercise they’re ill-equipped to handle.
Stepped-up efforts to make an event more secure can also translate into potentially disgruntled and lost attendees. Making it more difficult to log into the conference Wi-Fi, giving attendees unique mobile app passwords that are easy to forget and difficult to recover and requiring multiple forms of identification to gain entry to an event are good ways to make the event more secure, but a breeding ground for participant discontent.
Finding the Fixes
A comprehensive approach to data security and privacy requires that event organizers take a number of actions. Training employees should be a top priority. Organizers have to show staffers “how to avoid scams and misinformation and who to notify,” Lee says.
When Frank Schettini worked at ISACA, the organization ran a fake phishing attack using employee information that was easily gleaned from the internet. About 60 percent of the staff opened the emails and 25 percent to 30 percent clicked through.
“Training about what to be aware of and what to avoid is really important and it doesn’t cost a lot of money,” Schettini says.
Third-party security audits can reveal serious vulnerabilities. They expose policies and processes associated with collecting, processing and displaying customer information that breach security and compliance protocols. Such examinations of an organization’s security capabilities can also produce reports, such as Security Organization Control (SOC) reports, a third-party approved standard for auditing an organization’s internal data and security infrastructure.
Communicating information appropriately and multiple times to attendees reinforces trust. Schettini advises “something as simple as an explanation of how the data is going to be used, collected and shared and the measures we are taking to protect that data” should be confirmed in an email after registration and again during the event. Chong points out that “privacy rights are different than terms and conditions” and recommends placing two separate statements requiring user consent on the event website.
Choosing only to work with vendors that take data security and privacy seriously is a policy shift that organizers can also make. Chong’s firm adheres to a “Privacy by Design” business model, which considers data protection and privacy in software design and implementation, as well as a company’s business practices.
“It’s always been our position that our clients’ data belongs to our clients, and it’s their decision whether they share it or not,” she says.
Chong also advocates reducing the amount of data technology companies collect and store.
“At Lenos, attendee credit card information goes directly to the credit card company and we receive a token,” she explains.
Protecting data and privacy requires diligence and some resources. However, Schettini says, it also represents an excellent opportunity for organizations across the event ecosystem (planners and suppliers) to build competitive advantage—an industry-wide cyber security and data privacy task force “that gets groups to admit there is a challenge, start communicating and share best practices is a good initial step,” he adds.
Until then, Lee offers the industry a Chinese proverb: “The best time to plant a tree was yesterday, but it’s now today, so plant it today.”
Michelle Bruno is a writer, blogger and technology journalist. She publishes Event Tech Brief, a newsletter and website on event technology. You can reach her at email@example.com or @michellebruno on Twitter.