. How Secure Is Your Delegates' Data? | Meetings & Conventions

How Secure Is Your Delegates' Data?

What to ask suppliers about safeguarding sensitive information

 Assess whether your technology provider's security policy makes protecting your event data a top priority.

 Find out what response plans your provider has in place to protect your data in case of a breach to its own servers.

Weigh the risk of using a provider that owns your event data.

 Ensure that your data is protected if integrated with event apps and other systems.

Cyber hackers have really upped their game over the past few years, stealing personal data from millions of people. Imagine if your own systems got hacked and exposed the personal details of the hundreds or thousands of delegates attending your events each year. Safeguarding this data is key, but how?

Steve Baxter, chief technology officer of cloud-based event-management software company Eventsforce, offers the following advice on the kind of data-security questions event planners should be asking their suppliers.

 Do you use strong, industry-standard encryption like HTTPS and Advanced Encryption Standard?

How is my data protected at rest (when stored on servers) and in transit (when accessed from your event-management system over a public Internet network)?

Where is your database stored, and how often do you back it up? (The more often, the better, so that no changes will be lost from your database if restoration is required.)

 Where is the physical location of your cloud servers (if applicable), and do you comply with accepted international standards and regulations?

 Who has access to the cloud servers, and what kind of security procedures do you have in place?

 How long do you keep this data on your servers? Is it moved to other locations or servers?

 How do you protect your own company data?

 How do you meet regulatory and legislative requirements (PCI-DSS, EU Data Protection regulations, etc.)?

 Who in the company has access to our data, and how do you handle authorization? What happens when someone leaves?  

 How do you share client information (email/phone), and where is this stored?

Some event-management technology companies have a legal right to use your data for their own marketing purposes. If so, it is highly likely that they store this data somewhere other than your company's database on their client servers, which can increase the risk of breach.

 Do you own my data? If so, what do you use it for?

 How long do you store it in your systems, and where is it stored?

Your software provider may have issued you an application programming interface (API) key for any integration you have between your event platform and other third-party systems. The key allows these applications access to your event data and vice versa. If you have just one API key for all your integrations, a data breach would lead to far more serious consequences for you and your organization.

 Can you issue separate API keys for each integration (event app, customer relationship management platform, financial systems and so forth)? This way, if one API key were to get lost or exposed, you could revoke the key, which disables the integration, and set up a new one.

 Can you issue different API keys for different functions? Doing so allows you to spread the risk by having one key to connect your system to the delegate section of your event app, for example, and another for your exhibitor section. If one is compromised, then the other isn't affected.