Wednesday, April 29, 2009

Non-Profits Can Establish an Effective Data Privacy Program

Non-profits must realize that as large corporations and online businesses better protect their information and systems, data thieves and hackers turn their attention toward institutions with weaker information security practices, such as non-profits. Non-profits hold an abundance of financial and personal information, such as bank account numbers, credit card numbers, dates of birth and Social Security numbers, all of which are very valuable in the wrong hands. At the same time, non-profits have the fewest qualified professionals equipped to manage an effective information security program. A Washington Post article reported that data breaches increased by 69% from 2007 to 2008. It is an alarming statistic that shows no signs of slowing down.

Learn what Defines Personal Information
States like Arizona and Massachusetts have created laws that hold organizations more accountable for personal information. The definition of personal information used in Massachusetts and Arizona reads roughly as follows, and it is generally good guidance for any organization.


It begins with a natural person's first name or first initial and last name, in combination with any one or more of the following data elements, when the name and the data elements are not encrypted:

Social Security number,
Driver's license number or identification card number, and
Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account.

Source: Non-profit Times - http://www.nptimes.com/08Nov/npt-081115-3.html
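The definition above is the first test an organization applies when it classifies its data (see the data classification step in the next section). The following is an added example, not code from the original post or the Non-profit Times, that applies the MA/AZ-style rule to inventory records; the field names and the sample records are assumptions constructed for illustration.

```python
# Added example: check a record against the MA/AZ-style definition of
# "personal information" quoted above. Field names are assumed; a real
# data inventory would map its own column names onto these.

STANDALONE_ELEMENTS = ("ssn", "drivers_license", "state_id_number")
FINANCIAL_ACCOUNTS = ("account_number", "credit_card", "debit_card")
ACCOUNT_SECRETS = ("security_code", "access_code", "password")


def present(record, name, encrypted=()):
    """True if the field holds a value and is stored in the clear.
    An encrypted name or element does not count under the definition."""
    return bool(record.get(name)) and name not in encrypted


def triggering_elements(record, encrypted=()):
    """Return the data elements that, combined with a name, make the
    record 'personal information'. Account numbers count only when a
    code or password that would permit access is stored with them."""
    found = [f for f in STANDALONE_ELEMENTS if present(record, f, encrypted)]
    accounts = [f for f in FINANCIAL_ACCOUNTS if present(record, f, encrypted)]
    secrets = [f for f in ACCOUNT_SECRETS if present(record, f, encrypted)]
    if accounts and secrets:
        found.append(f"{accounts[0]}+{secrets[0]}")
    return found


def is_personal_information(record, encrypted=()):
    """Apply the definition: (first name or first initial) + last name,
    in combination with at least one unencrypted triggering element."""
    has_name = present(record, "last_name", encrypted) and (
        present(record, "first_name", encrypted)
        or present(record, "first_initial", encrypted)
    )
    return has_name and bool(triggering_elements(record, encrypted))


# Constructed sample records, as a data inventory might produce them
DONOR = {"first_name": "Ada", "last_name": "Lovelace", "ssn": "000-00-0000"}
CARD_ONLY = {"first_initial": "A", "last_name": "Lovelace",
             "credit_card": "4111111111111111"}
CARD_WITH_CODE = dict(CARD_ONLY, security_code="123")

if __name__ == "__main__":
    for label, rec in [("donor", DONOR), ("card_only", CARD_ONLY),
                       ("card_with_code", CARD_WITH_CODE)]:
        print(label, is_personal_information(rec))
    # the same donor record with the SSN stored encrypted no longer qualifies
    print("donor, ssn encrypted", is_personal_information(DONOR, {"ssn"}))
```

Records that come back true are the ones the policy must treat as protected; the `encrypted` argument shows why encrypting a single element (or the name itself) changes the answer.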


How to Start a Data Privacy Program
So where does a non-profit start? Start at the top!
The first thing any organization must do to protect the confidentiality of the data it collects is to establish executive governance over that data, flowing from the top of the organization down. Create a written data privacy policy, sponsored by the executive board, that all staff MUST follow. The policy should give clear guidance on how all data is handled within the organization, from information that is shared with the general public to data that must be protected as required by laws and industry regulations. Group the organization's data into classification levels, from most risky to least risky. The classification of the organization's data will help determine the appropriate controls to apply to ensure the confidentiality, integrity and availability of the information. More importantly, it will demonstrate "due diligence" and "due care" by the organization in protecting the privacy of its clients, donors, members and staff.


According to Non-Profit Technology News, organizations can begin doing the following to lower the risks associated with collected data:
Begin with a top-to-bottom review of all sensitive or confidential information that's in-house;
Assess what data must be kept, what can be stored in (and easily accessed from) a remote location, and perhaps most important, what can be discarded;
Determine who needs access to the data and why, and provide only those people with password-protected access to the data;
Make sure that the data you do have is backed up on a regular basis in a secure, remote location;
If your organization can afford it, hire an independent security expert to review your data security policies and procedures. ("It never fails to surface things that never really were an issue to anyone," says Hart.)
Don't store complete credit card information on site;
Limit physical access to servers;
Be aware of what confidential and sensitive information is on printed (paper) files, and make sure that all such files are kept secure at all times;
Make certain that your Web site complies with fundamental, industry-standard encryption and security measures in the processing of personal information and donation collections.
