by Brendan M. Lynch | June 01, 2006

In the increasingly digitized 21st century, electronic personal privacy is a real and growing concern for meeting planners, attendees and even hoteliers. Identity theft is a significant danger at lodging establishments, which routinely request, transfer and store sensitive data pertaining to guests and groups. In 2006, it is nearly impossible to do business with a hotel that uses computerized reservation systems, websites, electronic key cards and e-mail without electronically providing extensive personal information.

For meeting planners, it’s important to take responsibility for protecting attendees. “Planners have to know they are the guardians of that information,” says Jeff Rasco, CMP, president of Wimberley, Texas-based Attendee Management Inc., an online registration service. “It really is a sacred trust. If the wrong people get hold of that information, you could have thousands of individuals at stake.”

Furthermore, planners themselves could be open to lawsuits should they fail to take basic steps to safeguard attendees’ personal data. “Everyone these days is very litigious. A planner could be sued for not doing due diligence,” says Diana S. Barber, Esq., professor of hospitality law at Georgia State University and an attorney with Barber Law Associates in Suwanee, Ga. “If a planner has discovered something and didn’t tell the client, the client may have a claim of action against the planner. It may not be successful, but it could cost a ton of money to defend.”

With so much on the line, how can planners most effectively protect sensitive electronic personal information when working with hotels? M&C went to knowledgeable insiders for advice.

Information please
Hotels do not shy away from requesting a raft of personal data when fulfilling reservation requests, registering guests, processing program memberships and even conducting regular communications.

For instance, according to its website, White Plains, N.Y.-based Starwood Hotels & Resorts Worldwide Inc. collects personally identifiable information that “may include your name, home, work and e-mail addresses, telephone and fax numbers, credit card information, date of birth, gender and lifestyle details such as room preferences, leisure activities, names and ages of children, and other information necessary to fulfill special requests [e.g., health conditions that require special room accommodations].”

Starwood’s senior vice president and chief privacy officer, Bill Min, assures that the hotel company is “dedicated to protecting guest privacy and safeguarding personally identifiable information, using both procedural and technical safeguards,” including password controls, firewalls and encryption technology.

But information collection by hotels isn’t limited to just the guests. Meeting planners, too, often must provide potentially sensitive business data that helps a property customize its services for a group. Hilton Hotels, for example, “may request more information about your organization, such as organization name, annual budget for events, number of events you sponsor per year, date of event, number of guests and number of guest rooms required,” according to (Hilton declined to comment for this article, citing a longstanding policy in regard to its security measures.) And hotel companies might save the content of e-mails they receive regarding events and collect other information online. This all adds up to a lot of knowledge about a person and/or group.

And all too often such information can fall into the wrong hands: In 2005 alone, the Federal Trade Commission received more than 685,000 complaints about consumer fraud and identity theft.

“The kinds of risks conventioneers face are the same as any company using credit card information,” says Marc Rotenberg, executive director of the Washington, D.C.-based Electronic Privacy Information Center, an advocacy group. “Systems are weak, and security is not as strong as it should be. Identity theft is the biggest crime in the United States -- worth $53 billion in 2004 -- with a real impact on U.S. businesses. Companies collecting and storing information on behalf of attendees or members need to be incredibly concerned about how it’s used. If you can’t protect it, don’t collect it.”