Originally published at www.informationsecuritybuzz.com
Not for profits (NFPs) are an integral part of society and make a substantial contribution to the United States GDP. According to The Independent Sector, non-profits account for 5.5% of the GDP – the equivalent of $805 billion. NFPs have the arduous job of overseeing and assisting some of the most vulnerable adults, children, and animals – and even Mother Nature herself. According to the National Center for Charitable Statistics (NCCS), there are 1,549,296 NFP organizations in the USA. A considerable number, if not all, of these organizations rely heavily on the generosity of the public through donations and grants. In 2013, public charities had revenues of $1.74 trillion, of which 21% came from personal donations. This is certainly a significant amount of money, and collecting it means accumulating a significant amount of personal and sensitive information as well. The continued upsurge in charitable giving is largely attributed to the ease and efficiency of participation. Charities are in constant pursuit of innovative ways to facilitate donating via online, mobile, or text solutions. Social media campaigns, like the #GivingTuesday Twitter campaign, are also very popular. Presenting convenient and enjoyable digital donating experiences ultimately strengthens an NFP’s message and grants it a farther reach, but it also poses significant privacy risks.
Not Different Than Other Data
The information shared with NFPs is no different from the information shared with typical e-commerce sites and financial institutions, so the privacy concerns of the NFP sector are much the same as those of these other industries. NFPs receive, store, transmit, discard, and communicate personal and financial data online and offline, thereby acting as custodians and, at times, owners of Personally Identifiable Information (PII). In this role, NFPs should impose strict rules on how data is used. They have as much of a duty to respect privacy as large enterprises, and in several cases more so. For example, some donors may not want, for personal reasons, to have their name associated with a charitable donation. NFPs must implement processes, procedures, and supporting technologies to protect their donors’ PII and, where requested, to preserve their anonymity. The Association of Fundraising Professionals’ ‘Donor Bill of Rights’ outlines a number of assurances an NFP should make to its donors, and donor privacy is high on that list.
Not Selling to Third Parties
Not Having Breaches
In the U.S., 47 states have laws that require data breaches to be publicly disclosed, regardless of whether the breach occurred in a for-profit or non-profit organization. There have been efforts to enact a single national standard at the federal level, but so far these have not come to fruition. However, U4ID has reviewed and documented a guide to the sectoral and state-specific laws in the U.S. and identified how an NFP must adhere to the same myriad of laws that its for-profit counterparts are mandated to obey.
The number and types of breaches in the last two years show that NFPs are increasingly a target for data theft. Based on the breach list maintained by Privacy Rights Clearinghouse, over 55,000 personal records were breached at NFPs in 2014 and 2015, and the true figure may be higher, since the list is based only on reported incidents. One example is the Utah Food Bank, from which the data of over 10,000 donors, including email addresses and credit card details, was stolen. Even the charity hub NCCS was recently breached, exposing over 700,000 accounts belonging to charities that use NCCS services for filing taxes.
Not a Drop in the Bucket
The financial repercussions of a breach are damaging. Reports show that the average breach costs around $720,000. That estimate does not even take into account the damage to the brand, or the donations that will be lost when donors become concerned about the privacy and security of their data. Keeping donors’ trust and confidence while also enriching the donor relationship is key for an NFP.
NFPs must be as rigorous in their privacy and security practices as large enterprises, because their processes directly collect users’ personal data, including PII and financial information, which is a primary target for cybercriminals. NFPs need to assess their internal privacy policies and how user data is handled, implement strong technical controls, and provide training and awareness for all employees. Protecting valuable donor information is the key to protecting the valuable donor relationship.
About the Author
Avani Desai is the President at Schellman. Avani has more than 15 years of experience in IT attestation, risk management, compliance and privacy. Avani’s primary focus is on emerging healthcare issues and privacy concerns for organizations. Named one of the 2017 Global Leaders in Consulting by Consulting Magazine, she has also been featured and published in the ISSA Journal, ITSP Magazine, ISACA Journal, Information Security Buzz, Healthcare Tech Outlook, and many more.