Do you recall the old television public service announcement that posed the question: “It’s 10 o’clock, do you know where your children are?” The announcement was not really an admonishment, but rather a reminder of the importance of oversight and active engagement. If you are a parent, you know that it requires you to be on duty 24/7. I argue that a similar approach is called for when it comes to protecting your donor data.
The fact is that with each passing year, the number of data breaches grows, and the financial cost along with it. The big breach at Sony Pictures vividly demonstrates just how costly data breaches can be and how much damage they can inflict. In my experience, while the importance of information security and data protection grows, most nonprofit organizations are not keeping up with the vital need to protect their data. There are many steps that are integral to a responsibly managed information security program. But let’s begin with an essential question: where is your data? Although a seemingly simple question, answering it is a useful first step to better safeguarding your data. For starters, it’s quite likely that a good portion of the personal data that you collect is stored in-house. Also ask yourself: is it in digital or tangible form? Perhaps both? Who has access to the data? Some employees certainly do, but how about consultants and volunteers?
It turns out that a good portion of data breaches are caused by employee, consultant or volunteer negligence, and can be avoided with a bit of due care. For example, if the data is sometimes taken off the premises, ascertain whether that is truly necessary for operations. In addition, your organization should have written policies in place that clearly inform employees, consultants and volunteers what they are, and are not, permitted to do with the data, and that restrict access wherever possible. Regularly providing training to staff on information security expectations and practices will better ensure that those policies are understood and adhered to.
Vendors are another growing cause of data breaches. If yours is like most organizations these days, much of the personal data collected is stored in the “cloud” and hosted by third-party vendors. Again, there are some essential questions to ask. Who are the vendors, and do you have signed agreements with each of them? Has a professional who understands the nuances of such agreements negotiated or reviewed the terms? Have you required a requisite level of physical, administrative and network security precautions? Are vendors able to subcontract out their responsibilities (often a default provision in many cloud agreements), and if so, are the subcontractors also required to meet the contractual obligations imposed on your vendor? In the case of a breach, will your vendor promptly notify you and pay for all costs and damages, including costs related to donor notification and credit monitoring? If you end your relationship with the vendor, does the contract specify how and when your organization’s data is deleted?
If truth be told, in contrast to the world of commercial enterprises, nonprofits generally have not made data privacy and information security a priority. Nonprofits are in dire need of catching up. Hackers are increasingly realizing that smaller organizations – including nonprofits – are prime targets for attacks because they tend to store valuable data without the level of security of their for-profit brethren. Remember, the cost of a breach is the same regardless of your tax-exempt status. While better safeguarding your data does require a variety of steps and an ongoing organizational commitment, you can easily get started by asking the threshold question: “where is my data?” It’s the first step to better securing your data today!