Why Privacy Matters (or Should) to Nonprofits

Submitted by Brett on Wed, 04/28/2010 - 9:07am

Donny Shimamoto, IntrapriseTechKnowlogies

Recent media coverage of privacy-related incidents and trends shows increasing privacy risk for the nonprofit sector. Many nonprofit leaders aren't prepared to deal with this issue, and the consequences of a breach or theft can be dire if the proper safeguards are not in place.

Have you mitigated your privacy risks?

"Data Theft Creates Notification Nightmare for BlueCross" (March 1, 2010, CIO.com). BlueCross's original breach occurred in October 2009, but five months, $7 million and 110,000 work hours later, they are still dealing with the fallout. Imagine what your donors and constituents would say if they saw your name in that headline. Would they still be willing to give you their credit card or personal information? How much would you have to spend to verify which records were lost and to notify all the affected people and companies?

"Wanted: Defense Against Online Bank Fraud" (February 8, 2010, Wall Street Journal). Many small businesses, a category into which many nonprofit organizations fall, think they are not important enough to be a target of hackers. Recent trends in hacker activity, however, indicate that small businesses are now being specifically targeted precisely because they aren't as tech-savvy and so aren't as well protected. The smaller banks that small businesses tend to work with also aren't as sophisticated at detecting and preventing fraud as larger banks. Even when working with a larger bank, smaller nonprofits may not receive the same level of service as the bank's larger customers, so they may still be at risk. Have you taken the steps necessary to protect your organization? What is your bank doing to protect you?

"Banking laws leave business customers vulnerable to Internet fraud" (March 21, 2010, Los Angeles Times). Thirty-two percent of small business owners surveyed had been a victim of Internet fraud; of those, 50% had been victimized more than once. What many businesses (and nonprofits) don't realize is that Federal law doesn't protect commercial accounts the same way it protects personal accounts. Banks are not required to reimburse businesses for fraud losses. The business itself must absorb the loss, which can sometimes be the entire balance of the business's checking or savings accounts. Could you absorb a loss like that? What would you do if you suddenly had no cash in the bank? Could you continue to operate?

All of this has led many state governments to start enacting stricter laws and regulations that require ANY organization holding a resident's personal information to adequately protect it, and that levy harsh penalties for failing to do so. Massachusetts' updated privacy regulations (201 CMR 17.00) went into effect on March 1, 2010, so if you have even one MA donor on your fundraising list, you are subject to this law. The MA regulation is widely seen as a herald of what's to come from other states as the privacy threat continues to grow.

The Payment Card Industry (PCI), through the PCI Data Security Standard (PCI DSS), has also taken strong action in requiring merchant account holders (yes, that includes you if you process credit card donations) and service providers to follow best-practice security standards for protecting both PAPER and electronic cardholder information. Penalties for noncompliance include fines of up to $500,000 and reimbursement of the affected cardholders for all fraud losses incurred from the use of compromised account numbers.

If you're scared by now, you should be.

Privacy risk is very real, and its impact on your organization can be serious. The business environment is changing, and the theft of your donor, constituent or employee data, or even of your organization's own data, can have a devastating impact on your operations. The likelihood of the threat materializing continues to increase, and the cost, should it occur, can be great. Luckily, mitigating your privacy risk doesn't have to be expensive.

Follow a simple risk assessment methodology to deal with this issue:

  • Inventory the places in your organization that hold PII (Personally Identifiable Information); check both electronic files/databases and physical files, as most regulations require compliance for both forms of information.
  • Identify the safeguards in place; how are you currently protecting that information?
  • Identify the applicable security requirements; a good strategy here is to focus on complying with the strictest requirements you are subject to, since compliance with the lesser requirements will usually follow.
  • Determine the compliance gap; perform a gap analysis to find where you are not compliant and what it would take to become compliant.
  • Assess the risk of non-compliance; determine the impact of non-compliance and the likelihood of the risk occurring, and use this to prioritize your compliance efforts.
  • Develop a risk remediation plan; this should be a combined effort between the "business" and IT. Apply electronic safeguards where possible (or where required, as with encryption), but don't discount the need to build safeguards into business processes as well.
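The first step above, inventorying where PII lives, is the one most organizations skip because they assume they already know. For electronic files it can be partly automated. The script below is an added example written for this article, not code from the author or from any regulator; it scans a set of files for strings that look like payment card numbers (PANs), confirms them with the Luhn check digit that real card numbers carry, and reports only masked values so that the inventory itself does not become one more store of cardholder data. The sample files and the `scan_directory` helper are constructed for illustration; the pattern and Luhn check are standard.

```python
import re
from pathlib import Path

# Constructed sample files (not real donor data). 4111 1111 1111 1111 is the
# well-known Visa test number and passes Luhn; the "phone" string has 16 digits
# but fails Luhn, so it must not be reported as a card number.
SAMPLES = {
    "donors.csv": "name,card\nAlice,4111 1111 1111 1111\nBob,none\n",
    "notes.txt": "Call 1234 5678 9012 3456 about the gala (not a card)\n",
}

# 13 to 19 digits, optionally separated by spaces or hyphens.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right,
    subtract 9 from any result above 9, and require the sum to be a
    multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid card-number-like string in text."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits so the report is safe to circulate."""
    return "*" * (len(pan) - 4) + pan[-4:]


def inventory(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each file name to the masked card numbers found in it,
    omitting files where nothing was found."""
    report = {}
    for name, text in files.items():
        pans = find_pans(text)
        if pans:
            report[name] = [mask(p) for p in pans]
    return report


def scan_directory(root: str, suffixes=(".csv", ".txt")) -> dict[str, list[str]]:
    """Read text files under root (hypothetical helper for a real scan)
    and run the same inventory over them."""
    files = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            files[str(path)] = path.read_text(errors="replace")
    return inventory(files)


if __name__ == "__main__":
    for name, masked in inventory(SAMPLES).items():
        print(f"{name}: {', '.join(masked)}")
```

Run against the constructed samples, the script reports only `donors.csv` with `************1111`; the 16-digit phone-like string in `notes.txt` is correctly ignored. Point `scan_directory` at a shared drive to get a first cut of where cardholder data has accumulated, then follow up with the paper files and databases the script cannot see.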

The American Institute of CPAs provides some great FREE guidance on how to begin looking at this issue, along with a variety of resources for understanding privacy requirements, at http://www.aicpa.org/privacy. Its Generally Accepted Privacy Principles provide a good framework for structuring your organization's privacy program, and they were developed with input from the people who would potentially be coming in to audit you.

If you still feel overwhelmed by all of the privacy issues, don't be afraid to reach out and seek expert help. Privacy touches many different aspects of an organization, from business processes and internal controls to data encryption and network security. Just be sure that whatever consultant or advisor you hire has experience with both the business aspects and the technology aspects of privacy.

You must be proactive in addressing your organization's privacy risk. It is largely a non-technical exercise: identify the privacy requirements you are subject to, conduct a privacy risk assessment, and determine the acceptable level of risk for your organization. Follow up by developing an organizational privacy policy and enacting a privacy program to mitigate both business and technical risks. Being proactive can both protect you from a breach occurring and save you the massive headache and cost of cleaning up after one.

Privacy matters for your organization!

Donny is the founder and managing director of IntrapriseTechKnowlogies LLC, a CPA consulting firm committed to helping nonprofit organizations leverage strategic technologies, proactively manage their business and technical risks, and enable balanced organizational growth and development. Donny also works with larger organizations as a trusted business advisor, facilitating organizational strategic planning and execution, IT governance and planning, enterprise architecture, information architecture and assurance, business process improvement, and business intelligence initiatives.

Donny's nonprofit clients include: Catholic Charities Hawaii, Hawaii Community Foundation, Moiliili Community Center, the Episcopal Church in Hawaii, the Roman Catholic Church in the State of Hawaii, and the American Institute of CPAs.

Recognized as one of Hawaii's Top High Tech Leaders by the Pacific Technology Foundation and the Technology News Network, Donny was also the first Certified Information Technology Professional (CITP) in the State of Hawaii, and was named to CPA Technology Advisor's "40 Under 40" list in 2007 and 2009.

Donny welcomes comments and feedback via e-mail at donny@myitk.com or reach him by phone at (808) 735-8324.