The burgeoning scourge of identity theft is certainly not sparing the hospitality industry.
Kerzner International, owner and operator of the Atlantis Resort in the Bahamas, recently revealed that personal information—credit card numbers, bank account numbers, and even social security numbers—had been stolen from approximately 55,000 guests.
And back in January, a hacker invaded the computer system of the University Place Conference Center and Hotel at Indiana University in Indianapolis, according to Privacy Rights Clearinghouse (PRC), a nonprofit consumer information organization based in San Diego. Reservation information, including credit card data, was compromised for an unknown number of people. Further, on December 28, a Marriott Vacation Club backup tape was lost that held social security numbers and credit card data for 206,000 people.
In the Atlantis case, most details, including dates when affected guests stayed at the property and when the breach was discovered, have not been released because of a continuing investigation. Kerzner sent a letter to each guest whose information was stolen and offered credit monitoring for a year. For legal reasons, Kerzner could not comment for this article, says spokesperson Lauren Snyder.
The idea of identity theft produces in many people a feeling of helplessness: If they're going to get me, I can't do much of anything about it. But is that actually the case when it comes to planners safeguarding the information of attendees at properties?
"Asking questions of the host venue is the first step," says Brad Utter, president of Global Security Services in Davenport, IA. "You can get a feel for properties' awareness by learning which steps they take to make sure that information is locked tight. For instance, are they simply throwing information in the garbage, or are they contracting with a company to securely dispose of it? The properties do that for their own proprietary information, but what about consumer information?"
Planners should ask hotels for a copy of their security policies, Utter says. While they likely won't provide detailed information on all security maintenance, which would be counterproductive, they should offer general information on how they hold and destroy sensitive information and assure planners that they "don't throw it out in the trash with the food scraps."
Planners may want to consider pressing hotels further on the issue of data security, says Tom Fragala, CEO of Santa Barbara, CA-based Truston Corp., an online service that helps victims of identity theft, and CEO of Vistera Systems, which handles systems integration for hotel owners and managers. "If anybody's going to push the lodging industry in the direction of more safeguards, it's going to be the market, and meeting planners are a big part of that," Fragala says.
Twenty-two states currently have security-breach notification laws, whereby residents must be made aware if their information has been violated. Fragala says planners should consider holding meetings in such states, or ask the hotel to agree in writing to notify attendees in the event of a breach. "It's totally reasonable for any planner to add contract language about this," Fragala says. "This is now part of planners' jobs—what are they doing to make sure their people are protected?"
He also suggests planners be aware of other possible sources of security breaches, such as a conference registration desk, where attendee information might be lying in plain sight. "These are public places and there are people other than the attendees milling about," he says. Show offices (often set up in small meeting rooms) that are left unattended even momentarily should always be locked as well.