Security
Convio Security Issues Revisited
The Convio security breach is in the news again, this time in the New York Times, just in time for the holiday giving season. NTEN members Beth Kanter and Allan Benamer are both quoted, and both raise really important issues that you need to consider.
“This wasn’t the best time for this to happen,” said Beth Kanter, a consultant and blogger. “It’s a matter of donor stewardship, and while it’s not an emergency, you need to treat it as if it was one.”
Beth's right. The holiday giving season is upon us. Even if your organization was not affected by this breach, you need to let your stakeholders know what you're doing to protect their data, and proactively help them protect it themselves. Remind your stakeholders about good password policies. Let them know you're looking out for them.
Security Matters
Convio's GetActive platform suffered a security breach a couple of weeks back that resulted in the compromise of some users' passwords. If you'd like in-depth information, check out Allan Benamer's blog for a blow-by-blow account, but for most users the issue is simple: How can I make sure my password is safe?
In the case of something like the GetActive breach, the simple answer is, you can't.
Who Is Your WHOIS?
The Nonprofit Times has a good story today about the potential perils of cyber-squatting, and how better domain management can help protect you. This probably applies more to the larger nonprofits out there, the kind who generate enough web site traffic to warrant the investment this kind of fraud takes. But it could happen to anyone.
More importantly for most orgs, it raises the general issue of managing your domain wisely. Even if your organization is not likely to fall victim to cyber-squatters, not knowing where your domain is registered or who is listed as the contact is an issue for any organization.
PIR, the Public Interest Registry, launched a campaign this year to ProtectYour.org. They cite 5 key steps to protecting your domain:
- Verify registration of your .ORG domains
- Verify and update .ORG administrative contact information regularly
- Check that email contact information is valid
- Consolidate .ORG domain names with one registrar
- Register your .ORG domain name for the maximum time
What you can do to protect your clients' information
I just got back from the Legal Service Corporation Technology Initiative Grant Conference in Austin. (Nice work Joyce!) Legal Services folks are the ones who are out there on the front lines helping low income folks with their legal problems. One of the issues they face every day is keeping their clients' data safe and secure. The problem is - they're a bunch of lawyers!
But non-techies should take heart! Data security is not an issue just for techies. There are lots of simple things that the geek-averse amongst us can do to protect our client information!
My Own Private Thermopylae
Gavin Clabaugh, Charles Stewart Mott Foundation
In 480 B.C. some 300 Spartans, led by King Leonidas, managed to delay a hostile force numbered in the tens of thousands, some even say hundreds of thousands. They did this by blocking the pass at Thermopylae - the only road available to Xerxes the Great and his invading Persian forces. The Spartans were eventually defeated, but not before they secured the retreat of the other Greek forces and, thus, laid the foundation for Xerxes' defeat the following year at the Battle of Plataea.
To be honest, there are days when I feel just a little of what Leonidas must have felt - him and the 300 - facing overwhelming odds with only sword and shield. In my case, of course, the weapons are mouse and firewall. For me it's not thousands of Persians. Rather it's a never-ending onslaught of Trojans...and worms, and spyware, and spam - malware of all variety. The price of defeat, while not as deadly, is still dire.
Protecting Your Constituents' Data
Nowadays everyone's heard at least a story or two about how a lost laptop or a cracked firewall put thousands or even millions of people's personal information into the wrong hands. That kind of loss can be disastrous for the individuals affected and for the organization behind it.
As nonprofits and advocacy groups continue to gather more and more information about their constituents, we all need to be aware that along with collecting and analyzing this data, we need to protect it. But figuring out how to do this well and cost effectively can be a challenge. Tomorrow we're hosting a webinar that will outline the steps every organization needs to take to secure the data they collect and how they can foster an environment that takes security seriously. You can register here.
With its Healthy and Secure Computing Campaign, TechSoup is doing a lot to help nonprofits crack down on the data they collect and has some great resources to help organizations set up a secure technology infrastructure. Read on for an article about the campaign, reprinted with permission.
Privacy and Security Is Your Mission
Katrin Verclas, NTEN Executive Director
Happy New Year, NTEN Community!
To start the year off right, our January issue of NTEN Connect focuses on privacy and security - issues that affect every nonprofit and that are only becoming more important as we move more data and information about clients, employees, funds, and services online. 2006 was a fairly quiet year for big security glitches - no Nimda, no Katrina. Of course the press reported widely on the privacy glitches chronicled on sites like the Privacy Rights Clearinghouse, where many nonprofit educational institutions litter this hall of shame. But sadly, privacy breaches are almost a matter of course these days. So to help you NOT be listed there, read on to find out how you can improve your security and maintain your constituents' privacy. And the best way to do this is through good people management and creating policies that are a part of organizational culture, not just words on a website.
Do you need an identity angel?
The recent AOL security lapse has me thinking about data protection and privacy more and more lately. Case in point, the entrenched Executive Director who still takes a backup tape home with him. Of course, on a daily basis, we all do things that put us at risk of identity theft. According to NPR, there may be a guardian angel out there for all of us.







