Ask the Experts: Are Events Doing Enough to Protect the Personal Information of Attendees?

Last month, the UK Conservative Party conference app suffered an embarrassing security breach which temporarily exposed the phone numbers and personal details of some of the country’s top politicians attending the event.  We’ve seen other incidents in the industry over the past year affecting the likes of both Ticketmaster and Ticketfly – where the personal details of tens of thousands of people were compromised.

So the question we have is this:  Is our industry giving enough attention to the growing issue of data security?  Let’s face it, the amount of information we collect from attendees is potential goldmine for hackers and keeping this data safe should be a top priority. But are event professionals doing what they need to do to protect the personal information of people attending their events? Should we be doing more?

Are you looking after your attendee data?  Find out the 8 things event planners need to STOP doing to prevent a data breach!  Get your copy of ‘The Event Planner’s Guide to Data Security’ here.

EventTech Talk spoke to some of the industry’s well-known tech experts and editors to find out what they thought about the issue. Here’s what they had to say:

1) Jason Koop, VP Marketing CSE Media & Storyteller, Canadian Special Events Magazine

Are event planners doing enough to protect the data they collect?  The simple answer is no.  Most planners don’t appreciate the value of that data or have the classic, “that will never happen to me” mindset.  The reality is, the event industry is a data rich soft target for cyber thieves.  Few planners are prepared for an attack, know what to do when it happens, and have little understanding of their own liability in the event of a cyber breach.

Follow Canadian Special Events Magazine on Twitter: @cdnspecialevent

2) Corbin Ball CMP, CSP, DES, MS, Meetings Technology Speaker, Consultant and Writer

Data security is a significant issue with growing concern. Hackers are becoming more numerous and sophisticated and I think event organisers, in many cases, are not doing enough. There are multiple levels that this should be addressed:

On a personal basis:

  • Use strong passwords (and/or a password manager)
  • Keep the operating systems on your devices up-to-date
  • Keep your antivirus/malware programs up-to-date.
  • Educate yourself on phishing scams – be cautious opening email links and attached documents.
  • Use caution while using public wi-fi.
  • Only use secure sites (those that start with a ‘https’ instead of only ‘http’) when purchasing online.

On a company basis:

  • Have a complete security/privacy policy and make sure that it is monitored.
  • Invest in privacy and security training for staff.
  • Use VPNs (virtual private networks), especially when connecting to a corporate server remotely

Vet your technology providers carefully:

  • Any that collect attendee data should be GDPR compliant (especially if there is even a remote chance that you are storing attendee data from those living in Europe).
  • Any that collect credit card data should be PCI (payment card industry) compliant.
  • Carefully examine how they store/manage/protect/backup your data.

Event data is a tempting target and adopting this multi-level approach should help to protect it.

Follow Corbin Ball on Twitter: @corbinball

3) Brandt Kreuger, Freelance Technical and Audio-Visual Production, Education/Speaking/Consulting for the Meeting and Events industry

Put simply, no. I think there’s a subconscious belief out there that somehow digital security is somebody else’s problem – that it’s the job of the IT nerds or the event technology supplier. That’s part of their job, sure, but the fact of the matter is that most networks aren’t compromised because some hacker broke in through the firewall, they’re compromised because someone clicked on a link in what looked like a completely legitimate email. A lot of people feel like as long as we have an antivirus program installed and don’t click on links from Nigerian princes or for discount Viagra, they’ll be fine- that’s simply not the case anymore.

Target and Home Depot weren’t cracked through faults in their internal networks, they were cracked via a 3rd party suppliers. Well, guess what? We’re third-party suppliers to hundreds of thousands of the largest businesses and organisations around the world. And think of the information we have access to: Executive names, titles, home addresses, personal cell phone numbers, spouse names, flight times, car and hotel reservations, and so much more.

We’re a juicy target, not because they want our own personal credit card numbers, but because of the enormous amount of our attendees’ personal information we have access to. That information can then be used to carefully craft emails, texts, or instant messages to the representatives of the organisations we plan events for. These communications look 100% legitimate, putting them one click away from disaster.

We need to start taking security into our own hands. Demand that your venue Wi-Fi be secured with a password on the network (no meeting codes, no hotel log-in pages – an actual password on the network itself). Use password managers to keep track of and generate unique passwords for every website and platform you have access to. And finally, we’re past “don’t click on emails unless you know who they’re from.” It’s now don’t click on links in emails, no matter how legitimate they look. These are the basic actions every planner can take as a first step toward protecting their attendees’ data.

Follow Brandt Krueger on Twitter: @BrandtKrueger 

4) Tahira Endean, CMP, DES, CED, Event Producer, Author – Intentional Event Design

In an age where convenience is often valued more highly than security when it comes to accessibility for our devices, we often find ourselves tapping into any available wi-fi network, without much thought to how easy it is to literally give away the data stored on our computers when we do this.

What are cyber thieves seeking that may be on our computers when it comes to events? The following are the four key areas identified by the Events Industry Council in their work on Cyber Security for events, and it applies not only to our own data, but the data we are storing of our clients.

  1. Personal identification information. Safeguard your attendee registration details.
  2. Payment card information. Protect and encrypt credit card information.
  3. Confidential company information. Safeguard your presentation content, after considering every piece of data you put into a presentation – if it can’t be public, don’t include it.

Any breach of these will potentially open your participants up to risk, which could range from credit card fraud to personal risk – for example your key executives travel details could land in the wrong hands. You could also suffer from damage to your (and your client’s) brand reputation, suffer financial or regulatory damage, and upset your participants. Of course, managing any of these will add time into an already stretched schedule leading up to an event.

When we are storing the personal data of our participants, and depending on the program, key information on their partners or families – it is incumbent upon us to keep this secure. What can we do?

  1. First, understand the information you have to protect
  2. Have an information security policy and best practices in place
  3. Monitoring these are being adhered to. Either of these may be done with internal or third-party providers)
  4. Password protection on your files is key, and
  5. Password protection on your public event wi-fi network
  6. Modify agreements as needed to address cyber security with any vendors

Keep an eye out on for their white paper coming soon on this topic. In the meantime, you will find a lot of other useful information on this site.

Follow Tahira Endean on Twitter: @TahiraCreates

Read: Top 8 Wi-Fi Considerations for Event Planners

 5) Sue Pelletier, Editor, MeetingMentor Magazine

I think data security is getting more attention these days — at least, we in the industry press are writing more about it and there are more webinars and conference breakouts on the topic. A lot of that was spurred by GDPR enforcement going into effect last spring, and many organisations did some data hygiene clean up in response, albeit at the last minute in a lot of cases. That said, most meeting professionals I’ve spoken with about data security still tend to think it’s someone else’s job to take care of.

I totally understand not wanting to add data security to the already huge and growing list of things planners need at least a passing knowledge about, but it’s just not something you can assume someone else is going to handle, not when you’re swimming with today’s data sharks. And especially not since so many of the potential security gaps they can get through exist on the planning front lines: Not just clicking through on that cleverly disguised phishing expedition email, but even common practices like emailing spreadsheets that contain personal data, sharing passwords with volunteers or vendors, asking for sensitive information you don’t really need just because you always have, or even just leaving a printout of event data in the show office — it all can come back to bite the unwary meeting pro and expose their attendees to risk.

 Follow Sue Pelletier on Twitter: @spelletier

 6) Kevin Iwamoto, Senior Vice President, GoldSpring Consulting LLC

I do see some improvement post GDPR launch in May 2018, however I still notice a large majority in the U.S. who remain unchanged and continue operating as “business as usual”. With all of the data hacking, phishing and nefarious schemes to get access to personal data, “business as usual” will eventually lead to a serious data breach that will be difficult to recover from. Meeting and event planners, managers and their management would benefit from reading the latest eBook from Eventsforce, ‘The Event Planner’s Guide to Data Security in a Post-GDPR World’.

Follow Kevin Iwamoto on Twitter: @KevinIwamoto

7) George Sirius, CEO, Eventsforce

Traditionally, there has been a general feeling of complacency across our industry when it comes to the issue of data security.  Since GDPR came into place, however, the protection of personal data has become a much bigger deal.  In fact, a 2018 survey by Eventsforce assessing the GDPR readiness of more than 120 event professionals found that 81% see data security to be a MUCH bigger priority for their events as a result of GDPR. Which isn’t surprising – given the consequences.

As an event planner, you may easily think that the whole issue of data security is something that needs to be dealt with by your IT, legal and operations team. But the reality is that there are many day-to-day things you may be doing that could easily put your organisation at serious risk of a data breach:

  • Not using strong system passwords or sharing passwords with others.
  • Emailing unencrypted spreadsheets that contain the personal information of attendees.
  • Not paying attention to the data your freelance staff have access to.
  • Leaving printed delegate lists lying around.
  • Not asking your third-party suppliers how they look after your event data.
  • Not reporting the loss of laptops and devices that contain personal information.

It is therefore more important than ever for event planners and team members to understand exactly what they should and shouldn’t do when it comes to securing the personal information of people coming to their events.

So, yes there is definitely a change in attitude across the industry but there is room to do a lot more. Remember that the volume of personal information we collect from events is staggering (registration forms, apps, networking tools, surveys etc). And doing things that minimise the chances of this data getting into the wrong hands will give attendees confidence that you are on the case and looking after them properly. Doing this all the time will boost your reputation, generate more confidence and ultimately bring you more business.  After all, why would people want to work with organisations who are doing as little as possible to safeguard their personal information?

Follow Eventsforce on Twitter: @eventsforce

Are your events ready for GDPR? Get your copy of  ‘The Event Planner’s Guide to GDPR Compliance’, and learn what impact Europe’s new data protection regulation has on event marketing, data management and event technology.