Navigating the handling of event attendee data requires the right balance between collecting valuable information and respecting privacy. But with rapid advancements in technology and laws that struggle to keep up, finding balances can be tricky, especially as tech becomes cheaper and easier to access.
In February of this year, the Ann & Robert H. Lurie Children’s Hospital of Chicago was forced to take its email, phone and medical records system offline as it battled a cyberattack, while a hospital in rural Illinois announced it was permanently closing because it couldn’t recover financially from a cyberattack that kept it from filing insurance claims. And in June of 2023, HCA Healthcare was the target of a major data breach involving 11 million patients and 1,400 facilities in 20 states. As a result, America’s top health agency is developing new rules for hospitals to protect themselves from cyber threats.
According to Electric, an IT management platform, “The rate of cybersecurity breaches at large and small companies alike have reached alarming levels. With high-profile attacks targeting healthcare, finance, retail, government, manufacturing and energy, it’s clear that the threat landscape has evolved significantly in recent years.” But the “Mother of All Breaches” (MOAB) occurred earlier this year when 26 billion records were accessed via data leaks from sources like Twitter, My Space, Adobe, Canva and LinkedIn. (The responsible party remains unknown.) In fact, it’s estimated that 4,000 cyberattacks happen every day — which translates to one taking place every 14 seconds.
Another troubling fact is that most companies that have been hacked don’t even know it until days (or sometimes, weeks) after the event has occurred. In comparison, the time it takes to do the actual damage takes mere minutes: According to Verizon’s 2016 Data Breach Investigation, in 90% of the cases where data was stolen, systems were compromised in minutes.
With multi-billion-dollar companies like City National Bank, eBay, Facebook, Microsoft, Shell, T-Mobile, Verizon and Yum! Brands (which owns KFC, Taco Bell and Pizza Hut) falling victim to ransomware and/or threat actors, what’s a planner to do in an era of electronic adversity, angst and antagonism?
Data privacy translates to keeping personally identifiable information (PII) secure. Before your event even begins, ensure you have control over who has access to it and only grant access to those who need it.
Be transparent about the PII you’re collecting and how it’s being stored. Not only will it be reassuring to those attending, but you’ll be adhering to legal regulations such as the California Consumer Privacy Act (CCPA) which mandates clear communication about data usage.
In the case of EU citizens attending a corporate event in the U.S., planners need to be aware of the General Data Protection Regulation (GDPR). The toughest privacy and security law in the world, the regulation was passed by the EU and put into effect in 2018. It imposes obligations onto any organization, anywhere, if it collects data from people from the EU. According to GDPR.EU, the regulation levies “harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.”
One way to ensure you’ve protected yourself from possible prosecution is to clearly state on your registration form how you plan to use the data you’ve collected, how/where it’s being stored, provide an explicit opt-in checkbox, and let attendees know if any data is going to be shared with event sponsors for marketing and analytical purposes.
Although it may seem obvious, when it comes to the use of email to communicate information about the event, make sure that whatever is being shared isn’t private (such as payment information), and never share data with anyone outside the events team. And while it’s a pain, changing your event systems passwords several times a year will help ensure privacy. Using a password manager that picks random, long passwords can be synchronized across devices.
In many instances, attendee data isn’t collected by the planner; rather, the information has already been compiled and sent to the hosting company.
In the case of Carol Riddle, Seattle’s tourism ambassador and seasoned account director at SHW, a full-service event management company, corporate clients provide the attendee data.
“The company houses the information, in essence lending it to us for the event. That ‘clean’ information is then uploaded onto our registration platform so we can customize it or use it to determine dietary restrictions, obtain travel information, slot them into different tracks, etc. And we also issue everyone who’s registered a unique QR code to use at check-in, which accompanies their photographic ID.”
Another must-have is a reputable “payment gateway” to handle all those online transactions. As Riddle explains, “Let’s say we’re hosting a five-day conference and we charge money for registration, receive payments for exhibitor booths, collect sponsorship funds and make payments to vendors. Because of those types of transactions, we have multiple layers of security, including an internal ops team that makes sure information can’t get out.”
Employee training is another key factor to a cohesive network of cooperation when it comes to cybersecurity. To that end, conducting regular training sessions and making sure everyone understands the implication of being involved in a cyberattack or data leak is critical. You can also integrate your data privacy plan with “endpoint protection” which includes malware detection, network security and breach prevention. Likewise, taking out cyber-risk insurance for that just-in-case scenario is an option.
In the post-Covid era, more professional gatherings are held virtually or they’re a hybrid of virtual and in-person. Using software such as Zoom has its obvious benefits, but there’s also a need to keep the lid on the invitee list as an uninvited “guest” could gain access to sensitive data, overhear a confidential conversation, or capture screenshots of those in attendance for possible facial-recognition use.
The solution? Don’t allow just anyone in the virtual door. Host controls can help, but you can also use one-time links, send out special codes, and create a pre-screened list of attendees within the registration process.
To add another layer of protection for in-person events, especially when you have high-profile attendees or guest speakers, you “absolutely need” to vet your attendee list leading up to the event, notes Kelly Squier, owner and principal for a company in the fintech industry.
“We had a few instances of ‘bad actors’ who continued to register for different events to gain access to our CEO. We worked with our internal trust and safety team to identify those folks, removed them from the list, politely let them know they’d been removed, and had strict guidelines in place at the door to not allow anyone in who wasn’t on the approved list.”
Squier adds that when working with public figures (such as government officials or performers), most attendee lists need to be handed over at least 72-hours in advance for vetting by their own internal teams.
Document your data privacy practices and make them available to any attendee who asks for it. Detailing your policies and protocol is important for both your employees as well as your attendees and clients as it shows you’re taking their privacy seriously. Onsite, continue to encourage the use of strong passwords and employ multi-factor authentication (MFA).
Udayan Deshpande holds a PhD in Wireless Security and is Chief Data Scientist at Threatworx, a proactive cyber security platform that helps identify systems’ vulnerabilities.
In the case of using MFA, Deshpande says, “Let’s assume someone manages to get ahold of your username and password. But then the odds of that same person getting ahold of your phone and making it past facial recognition or figuring out your password to utilize a security code, are extremely high. So just those two barriers alone provide an exponentially high layer of protection that are exceedingly difficult to penetrate.
“Facial recognition is extremely effective. I’ve never seen it not work. And there is potential for voice or thumbprint identification. The popularity of these technologies in phone (and home) security implies that consumers are comfortable with the seamless integration of biomarker-based security.”
Using a secure event management platform is likewise essential, and many planners (such as Riddle) use Cvent. But Heather Johnson Mullin, owner of California-based Adelphi Experiences, prefers Swoogo, a software system that streamlines the organizational aspects of events, from registration through post-event data reports.
“We only use software that’s already been created,” explains Mullin. “But any information we’re using has to be supplemented by multi-factor authentication. Because my clients, many of whom are large tech companies, are putting their trust in me, I am absolutely going to use a program that provides multiple layers of protection. And I always start the conversation with, ‘This is how we plan to handle your clients’ information. How else would you like us to do that?’
“And we sign NDAs that state we won’t share any information or sell it. When the event’s over, we delete it.”
By their very nature, meetings are especially vulnerable to data hacking because everyone is using a different computing device. In the case of hundreds (or thousands) of attendees, it’s simply not feasible for everyone to have the same level of data security.
If you’re planning a smaller event, such as an incentive experience, C-suite meeting or BOD conference, Deshpande suggests the use of loaner devices that have been wiped clean before the event. These devices could also be programmed so that the data only remains accessible during the event, but then (like one of those Mission Impossible tapes) “self-destructs” at its conclusion.
While at the event venue, having a Mobile Device Management (MDM) plan in place can help keep your company’s devices secure, no matter when or where they’re being used. Everyone’s computers, tablets or phones can be synched up remotely by sending out updates, and you retain the option to shut them down immediately if they’re stolen or compromised.
If you think holding onto attendee data is a good idea, you couldn’t be further from the truth. An after-the-fact data breach is just as much of a nightmare as it is before or during. Plus, many data protection regulations block indefinite storage. Notes Riddle, “Once the event’s ended, we have 30 days to provide reports to our client and wrap up our accounting. After that, we are contractually obligated to destroy the data.”
But what if, despite your best efforts and intentions, a breach or leak occurs? If you’ve planned for “disaster recovery,” you’ll be steps ahead of the game. That could be something as simple as having your data backed up in another location, the speedy transfer of post-event analytics to a client, or an investigative team to determine who the “threat actors” were and seek compensatory damages.
Like many other event management software, Swoogo has analytics built in so planners can conduct post-event polls to see which tracks were popular, or to capture information like: “Did people stay for the entire event?” or “Were the morning meetings well attended?” or “Was the price of the conference reasonable?”
But what would really be interesting is to ask attendees, “During your event, did you feel your personal information was kept safe and secure?” C&IT