We are awash in a sea of data, and the simple fact is, we’re not handling it well. Literally. Non-profits, like every other organization or corporation, is taking in more information than they ever have before, and more than most know how to handle. Given that much of what we touch on a daily basis is personal and financial information, we are putting clients and ourselves at risk. When it comes to the safe handling and storage of data, ignorance is not bliss.
All nonprofits must collect data to help ensure their success and effectiveness, and some of this information is very sensitive given the variety of causes. There is a mandate to safeguard what has been collected and kept, but this responsibility isn’t fully understood until after something happens.
“most nonprofit leaders admit knowing too little about the risks and consequences of failing to adequately protect personal information collected from employees, volunteers, clients and donors”
What Are Your Danger Zones
Where are you storing all that data you collect? The usual places would be filing cabinets, network servers, cloud storage. But if that data is going places it shouldn’t be, you could really get in trouble. As a non-profit conducting business online and off, here are some danger zones:
- Collecting credit card data, processing payments online in the course of doing e-commerce
- The transfer and storage of personal data for either employees, clients or donors via emails
- Storing personal information on cloud servers or systems, or physically unsecured sites eg. unlocked filing cabinets
- Storing personal information on laptops or smartphones
- Granting access to personal information to third parties like vendors without proper safeguards
Your Obligations if Breached
A deliberate hack attack comes at high costs, but so too can the loss or destruction of data. How about storing data on laptops and smartphones? These can be lost or damaged. If stolen, that data can wind up in the wrong hands. Are you aware of your obligations?
The PCI Security Standards Council’s Payment Card Industry Data Security Standard requires organizations to enact information security best-practices if the organization handles major credit cards such as Visa and MasterCard. Organizations who fail to comply with these standards can be penalized with substantial fines. And given how transparent at times our border may seem, there are other federal data security regulations such as the Health Insurance Portability and Accountability Act (HIPAA) if your nonprofit handles protected health information (PHI) in both Canada and the US. These regulations are subject to change, so it’s important to consciously make the effort to stay on top of them.
In some states, the mere loss of the device with personally identifiable information is a breach under the law and triggers reporting responsibility
Let’s start with what makes up PII. The definition can vary by state or province. Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- age, name, ID numbers, income, ethnic origin, or blood type;
- opinions, evaluations, comments, social status, or disciplinary actions; and
- employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
According to PIPEDA: “Organizations covered by the Act must obtain an individual’s consent when they collect, use or disclose the individual’s personal information. The individual has a right to access personal information held by an organization and to challenge its accuracy, if need be. Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, consent must be obtained again. Individuals should also be assured that their information will be protected by appropriate safeguards.”< /p>
What You Need to Have In Place
Have you asked yourself what you would do in the event of a breach? Do you know whom you would call first? You need to have a plan in place that is specific to your business. It needs to lay out procedures, whom to contact and have all the pertinent contact information available. Something else every business needs to have now is cyber liability coverage. This is no longer some extra expense. And the cost of premiums is nothing compared to the retainer required for a lawyer in the event of a breach. One upside is that in the course of applying – yes, applying – for this insurance, you will have to review your current security provisions. This is an excellent opportunity to improve areas of exposure and shore up your defenses. You need to have coverage not only for losses you may incur, but against claims from losses suffered by third parties like donors or clients. Some costs you might incur include:
- Content Liability
- Data Breach Liability
- Regulatory Investigation Expense
- Crisis Management
- Notification Expenses
Better Care and Handling
We have to be more aware of how we transfer data between storage spaces and devices. The Law expects corporations and businesses to safeguard this data regardless of where it is stored: paper, networks; mobile devices; personal devices; stand-alone systems. When we think of “security” as it applies in this context, it can be defined as the “confidentiality, integrity & availability of data.” Privacy, however, is about “the appropriate use of data”.
So what can you do to better secure the data you handle? It really comes down to employing best-practices that have been around a long time.
- Make sure you have a patch management program in place to protect the tech you use. These security updates are an excellent first line of defense.
- Practice strong encryption. Lock down laptop hard drives and secure all mobile devices with passcodes and VPNs. Encrypt sensitive data. Better yet, if possible do not all ow the storage of PII on mobile devices.
- Engage in regular training and awareness sessions with your employees. Try to build a security culture where you are, so that employees are actively engaged in caring for the data, not just watching a video once a year.
- Have a BYOD policy. If employees are allowed to use their own devices, establish clear guidelines around access and authorization regarding personal information.
Know the letter of the law. The CRA does require that certain records be kept in Canada . And it is important to know how the US and Europe differ from Canada regarding privacy and data storage. Since last October when the Safe Harbour agreement between the US and Europe ended, new provisions are just being put into place regarding data and privacy that will have a global impact. So far as cloud privacy law and non-profits go, Canada’s privacy laws do not have any rules against using the cloud. And done right, cloud storage is a potentially more secure option for most nonprofits.
There are some excellent and secure cloud storage options. For example, SpiderOak is a popular Dropbox alternative that offers many of same features as Dropbox, some of which are offered for free. What makes SpiderOak distinctive is that it offers a “100% Zero-Knowledge Guarantee”. That means you are in total control of the digital “keys” to the files that you put on SpiderOak, and nobody at SpiderOak can unlock them or look at them.
How do you work with third parties like Vendors? Put your terms in your contracts. It’s a reasonable expectation now that vendors will have in place errors and omissions coverage to protect you. Have a frank discussion about what liability the vendor is prepared to take and how.
Do employees, trustees, and volunteers understand what information not to share or release? Here are the recommendations for acceptable use and dissemination of constituent information by the Association of Fundraising Professionals Code of Ethical Principles and Standards : Members shall not disclose privileged or confidential information to unauthorized parties; Members shall adhere to the principle that all donor and prospect information created by, or on behalf of, an organization or a client is the property of that organization or client and shall not be transferred or utilized except on behalf of that organization or client.
As data continues to grow exponentially, we need to learn to handle it better, and be prepared to do things differently. Nonprofits must become as dedicated to the cause of safeguarding the data they hold as they are dedicated to the causes they serve.
Thanks for reading and hope we helped!
Cheryl Biswas, Editor