Padgett-Beale has three main operating units – the Entertainment Team (ET), Resort Operations (RO), and Marketing & Media (M&M). These teams are tasked with the procurement of a new cloud-based event management platform whose main purpose is to provide end-to-end management for various events, including festivals, concerts, and conferences. The three teams involved in the procurement process have set out the advantages of the new platform in detail, among them the provision of customized RFID bands that attendees would wear for easy tracking. Additionally, this platform would potentially reduce fraud, specifically the counterfeit tickets that negatively affect revenues. Similarly, the use of RFID would play a major role in cost saving because the technology supports automatic identification and tracking without the need to hire extra staff. Moreover, the data collected through this platform could be analyzed to generate useful information for future event planning and for post-event follow-ups as part of direct marketing (RFID4U, n.d.). The technology could also streamline the purchasing process by linking attendees’ debit or credit card accounts to the bands (Stabile, 2015). Another advantage is that RFID has been on the market for quite some time and has become more affordable and more robust over time (Advancing Identification Matters, 2018).
However, some high-level managers are cautious about integrating RFID technology into wristbands as a way of managing and tracking attendees, despite the detailed justification of the technology offered by the heads of the operating teams and their members. At the top of the issues surrounding the proposed use of this technology is the question of the attendees’ privacy. Therefore, the Chief Privacy Officer requested more information concerning the proposal to use RFID technology in the tracking and management of event attendees. This analysis and report are written to address that request, focusing specifically on the privacy and security issues associated with the RFID system in the proposed use cases. The first use case of interest is the verification of identification for those attending a festival or a related event for the sole purpose of establishing proof of age, which is a legal requirement, especially where the consumption of alcoholic beverages is involved. According to Martínez-Cabrera (2012), “Privacy organizations have long criticized the use of RFID chips in documents and items that could be used to track people’s movements, determine their identities, or make inferences about their habits.” In other words, one of the major concerns with the deployment of RFID is the collection of personal information. Some of the security and privacy questions that arise include the nature of the information that is collected, where it goes after being obtained, and how it is stored. In addition, it is important to establish who has access to such data. These are real security and privacy concerns that will determine the level of responsibility Padgett-Beale will have to shoulder by deciding to implement this technology (RFID Journal, n.d.).
Specifically, the security and privacy issues associated with the adoption of this technology by Padgett-Beale involve data disclosure and leakage, phishing attacks, location monitoring and tracking, theft and misplacement of wristbands, and access by third parties.
At the top of the proposed use cases of customizable RFID wristbands at Padgett-Beale is the application of this technology in validating the identification of persons attending various events, such as music festivals, especially in instances where proof of age is a legal requirement for the consumption of local alcoholic drinks. According to Bowler (2017), using this technology, attendees can scan their RFID wristbands “to do things like pay for food or drink, get access to VIP areas, or even upload posts to social media. The bands will allow for the collection of data, which can later be used to sell, promote the brand further, find sponsors, and much more.” As such, event organizers and managers will have real-time data on when the expected attendees arrive or leave, their movement patterns once inside an event, the type of interactions taking place, how certain products are being consumed, and how to deploy resources on an as-needed basis (Bowler, 2017).
Based on this use case, Padgett-Beale will have to collect, store, process, and transmit private data. According to Chu (2017), one of the central aspects of RFID wristbands is their storage capacity, with the largest passive ones storing up to 3.72 kilobytes of data. Chu (2017) adds that even though such a capacity might appear small, it has enough space to store the users’ “names, address, credit card numbers, date of birth, and whatever identifying information the local administrator wants to track.” Further information that could be stored in such devices includes social media information, contact addresses such as emails, and location data. In addition, the user’s date of birth has to be divulged in the process of verifying his or her age as part of the legal requirements before the consumption of alcoholic drinks is allowed (Anonymous, 2013).
One of the leading concerns with the use of RFID technology in various applications is privacy. People have a right to privacy, but the chips embedded in RFID tags collect and store personal data, and if that data is leaked, it could have serious privacy ramifications (Jung & Lee, 2015). Therefore, it is reasonable to argue that the use of RFID technology at Padgett-Beale raises genuine privacy concerns because the wristbands will collect private information. For instance, hackers and scammers could gain access to the wristbands if adequate security measures are not put in place, which ultimately leads to unwarranted exposure of personal information to unauthorized third parties. In addition, information related to credit and debit card accounts could be used for fraudulent practices. Similarly, hackers could use personally identifiable information to orchestrate stalking and identity theft, among other illegal activities (Meingast, King & Mulligan, 2007). Data leakage could also occur through poor handling and storage of information after it has been collected, and exposure to third parties could occur during data processing and transmission if the data is handled improperly.
The major security-related issue arising from the use of RFID technology is that it is prone to hacking and tampering by third parties. For instance, attackers targeting RFID systems commonly deploy rogue RF readers. Normally, hackers are interested in anything of value to them, such as personal data, which is ultimately used for illegal activities. In this case, using rogue RF readers, hackers could subtly gain access to private data stored on the RFID wristbands without the knowledge of Padgett-Beale or the wearers. This could occur in two common ways – skimming and eavesdropping. According to Meingast, King, and Mulligan (2007), skimming occurs when “the data on the RF transponder is read without the owner’s knowledge or consent using an unauthorized reader.” On the other hand, eavesdropping is the “opportunistic interception of information on the chip while the chip is accessed by a legitimate reader. While similar to skimming, eavesdropping may be feasible at longer distances, given that eavesdropping is a passive operation” (Meingast, King, & Mulligan, 2007).
In addition, the fact that third parties have to access and use the data collected and stored via the RFID technology raises additional privacy concerns. First, the wearers of these wristbands might not be aware that their data is being exposed to third parties, which amounts to a privacy violation. The proposed use case of RFID wristbands at Padgett-Beale is that the service will be cloud-based and offered by a third party. Therefore, this third party could gain backend access to the collected data and analyze and use it without the knowledge of either the users or Padgett-Beale. As such, the relationship between the cloud-based service provider and Padgett-Beale should be fully disclosed to event attendees. On the one hand, Padgett-Beale might be compliant with the security laws governing the collection, storage, processing, and transmission of private data. On the other hand, the third-party service provider might not be following these rules. Therefore, Padgett-Beale should be reminded that “even if a security risk is due to a third party’s lax security, in the mind of the customer it will be the main organization that bears responsibility” (UpGuard, 2017). The issues arising from data misuse are legal in nature, and Padgett-Beale carries the associated liability.
The second major concern with the deployment of RFID wristbands in event management is the tracking and monitoring of guests in attendance. For instance, some attendees may object to having their location tracked or their interactions and purchasing habits monitored by third parties, such as event organizers. The problem with the RFID wristband is that it is designed to allow the embedded chip to respond to a reader’s query at any time. According to Chu (2017), “Most RFID wristbands use passive tags that operate at high frequency; they cannot track wearers actively. However, a wearer’s last known location can be tracked and recorded.” Khattab, Jeddi, Amini, and Bayoumi (2016) concur that such devices are designed in a way that allows the physical location of the wearer to be identified, thus making it easy for the user to be tracked. Therefore, some of the affected attendees could see this unsanctioned tracking of their location as a violation of their privacy.
The last problem associated with the RFID wristbands is that they could be stolen or lost. In this case, a misplaced or stolen device could be accessed by hackers, leading to privacy and security issues for the user. While the loss of such a device might not be problematic in itself because it can be replaced easily, the main concern is the exposure of the personal data it carries to third parties. Hackers could exploit such devices to perpetrate a host of criminal activities, such as identity theft and fraud, if the wristbands are not deactivated immediately (Intellipay, n.d.).
Various data security and privacy laws will affect the proposed implementation of the RFID wristbands as part of event management at Padgett-Beale. First, the wristbands will collect and store personal data that must be protected and kept confidential according to the relevant laws. In the US, the Federal Trade Commission (FTC) is the body mandated to regulate consumer privacy and the security of personal data. According to Jolly (2007), the FTC has brought charges against various companies for failing to comply with the data privacy and security regulations, leading to the exposure of personal information to unauthorized parties. The FTC’s legal authority covers a host of issues surrounding consumer privacy and the security of personal data, including issues arising from the emergence and development of new technologies. In the European Union (EU), as in the US, many data protection laws regulate how personal data should be collected, stored, processed, and transmitted. Archer and Salazar (2005) argue that the EU data protection laws require “fair and lawful processing, retention of personal data for only as long as necessary and collection of data which is relevant and not excessive for the purposes it has been collected.” Additionally, under the informed consent provision, Padgett-Beale will be required to disclose and clarify to the users of the RFID wristbands how the technology will function and what data will be collected and used.
In addition to the data protection laws, Padgett-Beale will be required to observe the Payment Card Industry Data Security Standard (PCI DSS). According to Rouse (2009), the PCI DSS is a global data security standard that requires any business entity that uses payment cards to comply with certain requirements when collecting, storing, transmitting, and processing cardholder information. The purpose of this standard is to ensure that customers’ card data is protected. Additionally, Padgett-Beale should be aware that different US states have varying state-level regulations that could affect the implementation of the proposed RFID wristbands. For instance, in New Hampshire, the HB-203 law was passed, and it requires “warning labels on consumer goods and identity documents containing RFID tags or other tracking devices, as well as regulating the use of RFID for tracking individuals and establishing a commission on the use of tracking devices in government and business” (RFID Journal, n.d.).
Based on the issues raised and discussed in this paper, Padgett-Beale needs to consider the following recommendations to mitigate the underlying risks before implementing the proposed RFID wristband technology as part of its event management strategy.
- Encryption – Data encryption is a strategy used to protect the data held on RFID devices in order to ensure privacy and confidentiality. The Federal Trade Commission (2005) notes that even if hackers access the data stored in such devices, they will not be in a position to understand it. Therefore, the data stored on the proposed RFID wristbands should be encrypted. Padgett-Beale should also ensure that a password is required every time information is retrieved from the devices for decryption. This measure will ensure that personal data remains protected even when a wristband is misplaced or stolen, because the information cannot be accessed without the correct password.
- Informed consent – Padgett-Beale must keep the users of this technology informed about the nature of the data collected and how it will be stored, processed, and transmitted. Additionally, the firm should obtain informed consent from all users to collect such data and indicate the parties that will have access to it, as in the proposed use case. Therefore, Padgett-Beale should have detailed user agreement terms that every wearer reads and agrees to before use begins. This way, the firm will be protected from lawsuits that could result from a lack of informed consent from the users of this technology.
- Due diligence – According to DataFlows Dimensions, Inc. (n.d.), due diligence should be conducted before implementing any form of technology, even a mature one, because this practice brings rigor to the business and at the same time reduces the associated risks. In some cases, doing business with third parties creates an avenue for various risks and data compliance loopholes. For instance, cloud storage operated by third parties is vulnerable to data access by unauthorized entities, and thus Padgett-Beale needs to understand the underlying risks before implementing the proposed technology. UpGuard (2017) adds that companies should understand how data stored by third parties will be handled if the business relationship is terminated or the contract expires. As such, Padgett-Beale should have a clear understanding of all the terms and conditions involved in doing business with the cloud services provider proposed in this use case.
- Usage policy – The usage policy for the proposed RFID technology at Padgett-Beale should cover both authorized and unauthorized uses of the wristbands. For instance, the usage policy should detail the nature of the data and how it will be collected, stored, processed, and transmitted. The policy should be communicated clearly so that management understands what is expected of it and can determine how to deal with employees tasked with handling such data if they violate the set rules.
- Employee training – The way data is handled could be a major cause of data security and privacy breaches. Therefore, Padgett-Beale should ensure that its employees are trained thoroughly so that they are competent in handling the data collected through the RFID wristbands. Employees should be in a position to identify a breach and report it immediately to the responsible authorities so that appropriate measures can be taken (Karygiannis, Eydt, Barber, Bunn & Phillips, 2007). Accordingly, all data administrators in the company should receive the requisite RFID security training to mitigate the underlying risks when handling guests’ data.
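As an added illustration of the encryption recommendation above (example code written for this report, not part of the original paper or of any vendor's product), the following Go program seals the attendee record with AES-256-GCM before it is written to the wristband and binds it to the chip's read-only UID, so that a skimmed payload reads as unintelligible ciphertext, a payload cloned onto another wristband is rejected, and any tampering is detected. The 32-byte organizer key, the UID value and the record fields are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Attendee carries the fields the report lists as candidates for wristband storage.
type Attendee struct {
	Name      string `json:"name"`
	BirthDate string `json:"dob"`
	CardToken string `json:"card"` // payment token, never the raw card number
}

// newGCM builds AES-256-GCM from the organizer's 32-byte key, which only authorized readers hold.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts rec for writing to the tag. The chip's read-only UID is bound in as
// additional authenticated data, so a payload cloned onto another wristband is rejected.
// Output layout: nonce || ciphertext || GCM authentication tag.
func SealRecord(key, tagUID []byte, rec Attendee) ([]byte, error) {
	plain, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce on every write
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, tagUID), nil
}

// OpenRecord is the authorized reader's path: a wrong key, a wrong UID or any flipped
// byte makes Open fail, so a skimmed or tampered payload yields an error, not PII.
func OpenRecord(key, tagUID, stored []byte) (Attendee, error) {
	var rec Attendee
	gcm, err := newGCM(key)
	if err != nil || len(stored) < gcm.NonceSize() {
		return rec, errors.New("unusable key or truncated tag payload")
	}
	plain, err := gcm.Open(nil, stored[:gcm.NonceSize()], stored[gcm.NonceSize():], tagUID)
	if err != nil {
		return rec, err // authentication failed: do not trust any of the bytes
	}
	return rec, json.Unmarshal(plain, &rec)
}
```

The sealed payload is the JSON length plus 28 bytes of nonce and authentication tag, which fits comfortably within the 3.72 kilobytes of user memory the report cites; the key must live only on authorized readers or the back end, never on the tag itself.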
The three major operating teams at Padgett-Beale support the implementation of a new cloud-based event management technology that relies on RFID chips embedded in wristbands worn by attendees. However, this technology raises various concerns surrounding the privacy and security of the personal data collected through the system. RFID wristbands are prone to hacking and to access of their data by unauthorized third parties. Additionally, the tracking and monitoring of attendees could cause a host of problems, as discussed in this report. Therefore, Padgett-Beale should follow the recommendations highlighted above to ensure that users’ personal information is protected in line with the law and the existing industry standards.
Advancing Identification Matters. (2018). Radio frequency identification (RFID) 101. Web.
Anonymous. (2013). Wristbands for beer festivals. Web.
Archer, Q., & Salazar, G. (2005). RFID: A threat to privacy? Web.
Bowler, J. (2017). RFID wristbands: The good, the bad and the ugly. Web.
Chu, W. (2017). How RFID wristbands work, decoded. Web.
DataFlows Dimensions, Inc. (n.d.). The Dataflows approach to RFID due diligence. Web.
Federal Trade Commission. (2005). RFID report: Applications and implications for consumers.
Intellipay. (n.d.). Snowbombing cashless FAQs. Web.
Jolly, I. (2017). Data protection in the United States: Overview. Web.
Jung, K., & Lee, S. (2015). A systematic review of RFID applications and diffusion: Key areas and public policy issues.
Karygiannis, T., Eydt, B., Barber, G., Bunn, L., & Phillips, T. (2007). NIST SP 800-98, Guidelines for securing radio frequency identification (RFID) systems. Web.
Khattab, A., Jeddi, Z., Amini, E., & Bayoumi, M. (2016). RFID security threats and basic solutions. Analog Circuits and Signal Processing: RFID Security, 27-41.
Martínez-Cabrera, A. (2012). Privacy concerns grow with the use of RFID tags. Web.
Meingast, M., King, J., & Mulligan, D. K. (2007). Security and privacy risks of embedded RFID in everyday things: The e-passport and beyond. Web.
RFID Journal. (n.d.). Are there laws governing the use of RFID? Web.
RFID4U. (n.d.). Event management case study. Web.
Rouse, M. (2009). What is PCI DSS (Payment Card Industry Data Security Standard)? Web.
Stabile, R. (2015). Are RFID chips ruining festivals? Web.
UpGuard. (2017). Five things to know about third party risk. Web.