Preventing Guest Information Theft in Meeting Contracts

Hotels and other meeting industry vendors process millions of credit card charges daily. They are also entrusted with tons of guests’ personal information, including driver’s licenses, birth dates, home addresses and personal email addresses. Given the increasing threat of computer hackers, it seemed like only a matter of time before a breach of hotels’ computer systems occurred. 

Unfortunately that time has arrived. When a national hotel management company recently revealed guests’ credit card data was stolen from at least 15 hotels over a 9-month period, the hospitality industry joined the list of large retailers whose customers are victims of apparent carelessness.

This theft happened as many hotel companies are demanding more access to guests’ personal information. The meeting contracts of some major chains include a clause giving the hotels permission to use guests’ personal email addresses not only for pre-event notices, but also for marketing purposes unrelated to the group event that brings them to the hotel.

Further, in the same clause the hotel companies seek to secure the meeting sponsor’s permission to share guests’ personal information with the hotel’s third party marketing partners. The group hosting the meeting is even given the contractual responsibility to obtain permission from its guests for the hotel and vendors to use their personal information. The contract clause also requires that the group indemnify the hotel from any damages claimed by a guest from the unauthorized use of his personal information if the group fails to properly secure that guest’s permission.

These requests to use guests’ personal information are broad and outside the scope of a meeting. But unless a meeting sponsor reads the contract and objects, the hotels and other vendors will gain the right to distribute and use guests’ personal information seemingly without limit.

So faced with these contract demands and the threat of serious security breaches with guests’ personal data, what should meeting sponsors do?

There are several things to consider:

•  Don’t agree to let hotels and other suppliers use guest personal information except as needed to execute the event. Require the written approval of the meeting sponsor or each individual guest for all other purposes.

•  Include a contract provision prohibiting the hotel or other supplier from sharing personal information with their marketing partners or other third parties without an actual need to do so as part of the group’s event.

•  Allow use of guests’ personal data for purposes unrelated to the meeting only if the hotel makes a request of each guest, and the guest expressly agrees.

•  Require that the hotel or supplier warrant it has installed professional security measures to protect its computers from viruses and hacking.

•  Include a contractual warranty that the hotel and authorized suppliers will actually update and test their security measures on a regular basis, so that their systems do not become filled with viruses.

•  Insist upon an indemnification provision requiring the hotel to protect the meeting sponsor and its affected guests from any damages or other harm caused by unauthorized use or distribution of guest personal information or data.

•  During the meeting, warn guests not to send personal and confidential information over the hotel’s public Wi-Fi network without some additional security program in place. 

Finally, meeting sponsors should assume some responsibility for data security themselves. Meeting organizers—like any entity accepting guest personal information for business purposes—must themselves implement and continually update measures to keep hackers away from their computer systems and networks, and to prevent their guests from becoming victims of data theft.

Measures should include educating employees on data protection, limiting transmission of credit card data over unsecured wireless networks, and using only computer terminals that the group knows employ up-to-date antivirus protection and firewalls.

Final Note: This blog is not “legal advice”; rather, it’s a discussion intended to make you think and draw your own conclusions. Legal advice can only be rendered after a discussion of your particular circumstances with an attorney competent in meetings law.
