From August 31 to September 2, three hospitality companies—Kimpton Hotels & Restaurants, Noble House Hotels & Resorts, and Hutton Hotel—announced major security breaches that resulted in unauthorized charges made at several of the companies' locations nationwide. The companies, which blamed the security breach on rogue malware installed on their systems, issued apologies and posted information on their respective websites about the affected locations and dates.
Here are some tips on how event planners can deal with security issues before and after a breach.
1. Alert clients immediately.
Even if a client did not do business with the affected company in the time frame when the security breach occurred, event planners should alert them about the issue—in writing. Planners should include information on how the supplier is addressing the problem and remind clients about who has liability. “There needs to be a clear, written understanding of whose liability a potential breach in transaction security [is],” says the Unthinkable founder Timo Kiuru, an event marketer and creative consultant who has worked with brands such as Samsung, MTV, Nokia, McLaren, Cosmopolitan, the Huffington Post, and SKII.
2. Have clauses in contracts that give legal protection.
Legal protection is essential, especially if the event planner was not involved with transactions handled by other event partners. “If a client gives me their credit card, [the contract] should outline what their expectations are going to be,” says Will Milligan, founder of Will Milligan Events, which specializes in corporate event planning and political fund-raisers. Milligan adds that having clear contract guidelines about which event partner is responsible for which financial transaction is “a nice insurance policy” that can prevent any confusion or liability if a security breach occurs.
3. Find out the security policies of potential event partners.
Before contracting with suppliers such as hotels and restaurants, planners should research their policy for security breaches that involve payments, accounts, or other sensitive client information. Kiuru advises, “Ask them what kind of security protocols and protection methods they use to secure the transactions, how are they prepared and protected against any malware being installed to their payment systems, and what would happen if there was a breach in transaction security. If the venue is not willing or able to give you a convincing answer, then it’s probably better to consider another venue.”
4. Have clients give account information directly to other event partners that are handling specific duties.
When possible, event planners can opt to have a client give payment information directly to suppliers such as caterers or venues, which limits liability for the event planner in case the account information is compromised.
5. Consider alternative payment options.
PayPal and Samsung Pay are two examples of electronic payment services that do not require users to submit a bank card or credit card for each transaction. “Electronic payments are the transaction method of the future,” says Kiuru. “We have too much faith on the security of a piece of plastic with a magnetic stripe. Electronic payments are more encrypted, and thus more difficult to copy than a piece of plastic.”
Milligan suggests another option: “So many hotels send you a link to your B.E.O. [banquet event order], so why not send a link to your credit card, instead of using a traditional credit-card authorization form?”
6. Learn what hacked companies did to resolve the problem.
Milligan says that the recent rash of hotel hacking has not turned him off from doing business with the affected companies. “I don’t think it would preclude me from wanting to work with them,” he says. “I’ve worked with Kimpton, and I still think they’re a great brand. As long as they showed to me that they’ll do things a little differently.”
Kiuru adds, “I would ask for a very in-depth analysis of what led to the security breach, what has been done to make sure it would not happen again, and how the venue took responsibility of what happened. I would ask them to give me all the possible information I would need to convince first myself, then my team, and eventually my client that this venue is in all ways a safe facility to organize a successful event.”