Jake Marcinko, Blackbaud
These days, big data breach headlines are becoming almost blasé. We've grown so accustomed to such incidents that the mere threat of a data breach no longer carries the weight and urgency that it once did.
Many privacy experts argue that the recent decline in reported data breaches (498 in 2009 versus 657 in 2008) is not due to an improvement in data security practices, but rather to fewer organizations publicly reporting such breaches. It is even more difficult to determine the total number of individuals affected by data breaches in 2009. The Identity Theft Research Center estimates that approximately 222 million records were compromised as a result of data breaches in 2009. That statistic becomes meaningless, however, when you consider that 52% of all data breaches that were publicly reported in 2009 did not state the number of records exposed. Therefore, no one really knows how many Americans have become, or could become, victims of identity theft as a result of these incidents.
The lack of greater public outcry regarding the volume of data breaches is perplexing when you consider recent poll data from Gallup and Unisys. According to an October 2009 Gallup poll, 66% of all U.S. adults worry "frequently" or "occasionally" about being the victim of identity theft. The issue of identity theft ranks higher among poll participants than the issues of terrorism, burglary, sexual assault and murder. In fact, according to the latest Unisys Security Index, Americans are more concerned about identity theft than they are about H1N1 or even their ability to meet their financial obligations.
So why isn't more being done and what does this have to do with nonprofits?
I think the most logical answers to these questions can be found when you consider the relationships between organizations and individuals.
Despite the fact that government entities and businesses accounted for 68% of all data breaches, people are still continuing to do business with these organizations. "Why?" you may ask. Because the nature of their relationships with these organizations compels them to.
Consider this: would you stop shopping at your local grocery store because the grocery chain's credit card processor accidentally gave your credit card number (along with 100 million others) to a group of savvy criminals? Would you deny your veterans benefits because the U.S. Department of Veterans Affairs lost your SSN? The likely answer to both questions is "no". Your relationship with these organizations is impersonal and largely based on need. You'll likely continue to do business with these organizations because you have to in order to obtain specific services or goods.
The relationship between a donor and most charitable institutions is different.
Charitable business transactions aren't about buying or receiving; they're about "giving". There is no tangible need compelling donors to give to nonprofits. Additionally, donors tend to make personal investments, whether in time or money, in a charity's mission, so the relationship between the donor and charity is far more personal than the consumer/vendor relationship.
It is for these reasons that nonprofits need to make a special effort to ensure sensitive donor data is protected from unauthorized disclosure. According to a study conducted by Javelin Strategy and Research, 55% of participants said that they would trust an organization less with their personal information after a breach, and almost 30% of those polled said they would stop donating or sponsoring the institution altogether. It's hard enough keeping your existing donors engaged. How damaging would it be to your bottom line if 30% of your donors simply went elsewhere?
So, how do nonprofits address data security and privacy concerns with limited technical resources?
While technical solutions such as firewalls, intrusion detection systems, anti-virus and encryption can be employed, the easiest and most cost-effective way to approach these issues is by evaluating your "CAUSE" (Collection/Communication, Access, Use, Storage, and Eradication/Education) with respect to donor data:
Collection & Communication
- What sensitive data do you collect from your donors?
- Do you really need this sensitive donor information to perform your mission?
- Does your donors' contact information become sensitive simply by association with your organization?
- Do your donors understand why you are collecting their information?
Only collect information that you absolutely need. Over 61% of data breaches in 2009 involved SSNs, yet very few organizations have a legitimate need for collecting SSNs. Also, ensure your donors understand the purpose for which you are collecting their information.
Access
- Who in your organization has access to your donor information?
- Do those with access absolutely need it to perform their job/volunteer duties?
- Is your donor information publicly available?
Make sure you limit access to your donor information to only those who absolutely need it--preferably as few people as possible--and do not allow donor information to be placed in view of all staff or publicly on your website.
Use
- Are you using your donor information in a manner that is compatible with the purpose for which it was collected (and communicated to your donors)?
- If your use differs from the purpose for which the information was collected, have you received consent from the donor?
Put yourself in your donors' shoes. Would you want your sensitive information used for purposes you never intended and without your consent? Only use the information you collect for the purposes for which it was collected. If circumstances change, it's best to be transparent with your donors.
Storage
- Where is your donor data stored?
- Is the stored information protected by some access control mechanism?
- Does sensitive donor information exist in multiple formats?
It's difficult to protect sensitive information if you don't know where it is stored. Keep an inventory of all storage locations for donor information; the fewer locations, the better. Also make sure you capture the formats in which the information is stored, including paper documents. Paper breaches constituted 26% of all data breaches in 2009. Lastly, make certain those locations employ some access control measure, such as a locked door or cabinet for mobile media and paper documents, or logical access controls such as network folder or file permissions.
Eradication & Education
- How long do you keep donor information?
- What do you do with donor information--or media containing such information--you no longer need?
- What methods do you employ to eliminate unwanted documents and media?
- Are your employees/volunteers aware of your policies and practices regarding donor information?
Sensitive documents and media containing donor information should be destroyed once the information has fulfilled the purpose for which it was collected. Appropriate destruction methods such as shredding, burning, pulverizing, or melting should be employed to dispose of sensitive data. Finally, make sure your staff and your donors are aware of your policies and practices regarding sensitive donor information.