By: Cheryl Biswas, Threat Intel Consultant

How Nonprofits Can Secure All That Data!

We are awash in a sea of data, and we’re not handling it well. Literally. Nonprofits, like every other organization or corporation, are taking in more information than ever before, and more than we know how to handle.

We handle personal and financial information on a daily basis, and we are putting clients and ourselves at risk. When it comes to the safe handling and storage of data, ignorance is not bliss.

All nonprofits must collect data to ensure their success and effectiveness, and sometimes this information can be very sensitive. Your nonprofit has a mandate to safeguard the data you’ve collected, but often this responsibility isn’t fully understood until after something goes wrong.


“Most nonprofit leaders admit knowing too little about the risks and consequences of failing to adequately protect personal information collected from employees, volunteers, clients and donors.”  - The Nonprofit Times


What Are the Danger Zones?

Where are you storing the data you collect? The usual places are filing cabinets, network servers, and cloud storage. However, if that data is going places it shouldn’t, you can get into trouble. As a nonprofit conducting business online and offline, here are some danger zones:

  • Collecting credit card data and processing payments online
  • The transfer and storage of personal data for employees, clients or donors via email
  • Storing personal information on laptops or smartphones
  • Granting access to personal information to third parties like vendors without proper safeguards
  • Storing personal information on cloud servers or systems, or in physically unsecured locations (e.g. unlocked filing cabinets)

Your Obligations When a Breach Occurs

A hacking attempt has serious consequences, but so does the loss or destruction of data. Laptops and smartphones holding sensitive data can be lost, damaged or even stolen, potentially putting your data in the wrong hands. Are you aware of your obligations?

The PCI Security Standards Council enacted the Payment Card Industry Data Security Standard (PCI DSS), which requires organizations that handle major credit cards, such as Visa and MasterCard, to follow ‘information security best practices’. Organizations that fail to comply with these standards can be penalized with substantial fines.

There are other data security regulations in Canada, such as Ontario’s Personal Health Information Protection Act (PHIPA), that your nonprofit must comply with if you handle protected health information (PHI). These regulations are subject to change, so it’s important to stay up to date.

Personally Identifiable Information

What makes up personally identifiable information (PII)? The definition can vary by province, but under the Personal Information Protection and Electronic Documents Act (PIPEDA), personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

  • age, name, ID numbers, income, ethnic origin, or blood type
  • opinions, evaluations, comments, social status, or disciplinary actions
  • employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

According to PIPEDA: “Organizations covered by the Act must obtain an individual's consent when they collect, use or disclose the individual's personal information. The individual has a right to access personal information held by an organization and to challenge its accuracy, if need be. Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, consent must be obtained again. Individuals should also be assured that their information will be protected by appropriate safeguards.”

What You Need to Have In Place

Have you asked yourself what you would do in the event of a breach? Do you know whom you would call first? You need to have a plan in place specific to your business. It needs to lay out procedures, identify whom to contact, and have all the pertinent contact information available.

Businesses now need cyber liability coverage; this is no longer an optional extra expense. And the cost of premiums is nothing compared to the retainer required for a lawyer in the event of a breach. One upside is that in the course of applying (yes, applying) for this insurance, you will have to review your current security provisions. This is an excellent opportunity to improve areas of exposure. You need to have coverage not only for losses you may incur, but also against claims for losses suffered by third parties like donors or clients. Some costs you might incur include:

  • Content liability
  • Data breach liability
  • Regulatory investigation expense
  • Crisis management
  • Notification expenses

Handling Data with Care

We have to be more aware of how we transfer data between storage spaces and devices. The law expects corporations and businesses to safeguard this data regardless of where it is stored: paper, networks, mobile devices, personal devices, or stand-alone systems. When we think of “security” in this context, it can be defined as the “confidentiality, integrity and availability of data.” Privacy, however, is about “the appropriate use of data”.

What can you do to better secure the data you handle? It comes down to employing best practices that have been around a long time.

  • Ensure you have a patch management program in place to protect the technology you use. These security updates are an excellent first line of defense.
  • Practice strong encryption. Encrypt laptop hard drives, and secure all mobile devices with passcodes and VPNs. Encrypt sensitive data. If possible, do not store PII on mobile devices.
  • Engage in regular training sessions with your employees. Build a security culture so that employees care for the data, instead of just watching a video once a year.
  • Have a Bring Your Own Device (BYOD) policy. If employees are allowed to use their own devices, establish clear guidelines around access and authorization regarding personal information.

Know the Letter of the Law

While Canada’s privacy laws do not have any rules against using the cloud, the CRA requires that certain records be kept in Canada. If done right, cloud storage is a secure option for most nonprofits.

It’s also important to know how the US and Europe differ from Canada regarding privacy and data storage. Since last October, when the Safe Harbour agreement between the US and Europe ended, new provisions are being put into place regarding data and privacy that will have a global impact.

There are some excellent and secure cloud storage options. For example, SpiderOak is a popular Dropbox alternative with similar features to Dropbox, some of which are offered for free. SpiderOak is distinguished by its “100% Zero-Knowledge Guarantee”, which means you’re in total control of the “digital keys” to the files you put on SpiderOak; nobody at SpiderOak can unlock them or look at them. In other words, SpiderOak cannot know anything about your data.

How do you work with third parties like vendors? Put your terms in your contracts. It’s a reasonable expectation that vendors will have errors and omissions coverage to protect you. Have a frank discussion about what liability the vendor is prepared to take on and how they will do so.

Have A Privacy Policy

Do employees, trustees, and volunteers understand what information not to share or release? Here are the recommendations for acceptable use and dissemination of constituent information by the Association of Fundraising Professionals Code of Ethical Principles and Standards:

“Members shall not disclose privileged or confidential information to unauthorized parties; Members shall adhere to the principle that all donor and prospect information created by, or on behalf of, an organization or a client is the property of that organization or client and shall not be transferred or utilized except on behalf of that organization or client.”

Your privacy policy should include a brief statement that the organization protects the personal privacy of constituents by maintaining the confidentiality of all constituent information. As well, there should be a statement that outlines how and when information, such as addresses, phone numbers, and email addresses, will be released. Lay out the process for managing third-party requests for information and what staff are permitted to say.

As data continues to grow exponentially, we need to adapt, handle it better, and be prepared to do things differently. Nonprofits must be as dedicated to the cause of safeguarding their data as they are to the causes they serve.

About the Author

Cheryl Biswas is a Threat Intel Consultant in Toronto, Canada. She holds a specialized honours degree in Political Science and has many years’ experience in IT. She is ITIL designated, researches and delivers InfoSec briefings, and advises on Disaster Recovery and security processes for clients. She is active on Twitter as @3ncr1pt3d, blogs, and enjoys giving talks on her favourite subject: security.