Meeting Mentor Magazine

May 2024

Keep Your Contracts Cybersafe

With data breaches becoming increasingly common, and even large hotel chains proven not to be immune, it’s not enough for meeting and event professionals to just review their suppliers’ data privacy policies carefully. And now, with the recent implementation of the European General Data Protection Regulation (GDPR) and California’s new data privacy act that goes into effect in January, every organization that holds meetings should develop its own data privacy and cybersecurity policy, said Joshua Grimes, a meetings industry attorney with Grimes Law Offices in Philadelphia.

Why? First, most policies of the companies you work with severely limit any recourse to any other organization should a breach occur, he said. In addition, especially in the case of large hotel companies, most say they reserve the right to change their policy at any time. “So I question whether they offer any real protection to an organization hosting a meeting,” Grimes added. “This makes it important for every organization holding a meeting to develop its own data privacy and protection policy and insist on incorporating it into the contract.”

Some key aspects to cover:

• What kind of data will suppliers be given?

• What are the limitations on their right to distribute it? Can they distribute your meeting-related data to their own suppliers or to their marketing partners? Or should it only be distributed on a need-to-know basis for the purposes of the meeting?

• What level of compliance with GDPR do you require?

• What cybersecurity measures do you require your vendors to take? For example, Grimes said, you may want to include in the contract that vendors run antivirus programs at regular intervals, and again just before the event.

• For technology vendors, will they give you a warranty that there won’t be any pirate networks set up in the venue? What measures must they take to detect and prevent pirate networks from being set up? “If you can’t get sufficient warranties and protections, you should insist on bringing in your own tech company,” he said. While not everyone will need that level of protection, it’s something to consider.

One basic and simple way to protect your attendees is to ensure that the network you use for your meeting or event is password-protected and that your attendees are made aware of the official name of the authorized network.

Some hotels may push back on planner demands to incorporate cybersecurity provisions in the contract, saying that they have no authority to change the individual hotel’s or hotel company’s data privacy policy — that it is what it is — and they have no authority to negotiate. “My position is, fine, we’re not asking you to change anything on your policy, but we do need these additional clauses to protect the group.”

After all, even if those policies were created with the customer in mind, “they haven’t prevented the company from having a massive breach in the past few years, which almost all of them have,” he said. Grimes, who has had clients refuse to sign a contract over just this issue, added that once the hotel realized the planner was prepared to walk away over the issue, it suddenly found it could be a bit more flexible after all. — Sue Pelletier


