Not For Profit Shouldn’t Mean Not Safe

October 4, 2016 Avani Desai

Originally published at www.informationsecuritybuzz.com

Not-for-profits (NFPs) are an integral part of society and make vast economic contributions to the United States GDP. According to The Independent Sector, non-profits account for 5.5% of the GDP – the equivalent of $805 billion. NFPs have the arduous job of overseeing and assisting some of the most vulnerable adults, children, and animals – and even Mother Nature herself. According to the National Center for Charitable Statistics (NCCS), there are 1,549,296 NFP organizations in the USA. A considerable number, if not all, of these organizations rely heavily on the generosity of the public through donations and grants. In 2013, public charities had revenues of $1.74 trillion, of which 21% was from personal donations. This is certainly a significant amount of money, and in grossing it a significant amount of personal and sensitive information is accumulated as well. The continued upsurge in charitable giving is largely attributed to the ease and efficiency of participation. Charities are in constant pursuit of discovering and introducing innovative ways to facilitate donating via online, mobile, or text solutions. Social media campaigns, like the #GivingTuesday Twitter campaign, are also very popular. Presenting convenient and enjoyable digital donating experiences ultimately strengthens an NFP’s message and grants it a farther reach, but it also poses significant privacy risks.

Not Different Than Other Data

The information being shared with NFPs is no different from the information shared with typical e-commerce sites and financial institutions; therefore, the privacy aspects of the NFP industry are much the same as for these other industries. NFPs receive, store, transmit, discard, and communicate personal and financial data online and offline, thereby acting as custodians and, at times, data owners of Personally Identifiable Information (PII). In this role, NFPs should require strict regulations on how data is utilized. They have as much of a duty to respect privacy as large enterprises; in several cases more so. For example, some donors may not want, for personal reasons, to have their name associated with a charitable donation. NFPs must implement processes, procedures, and supporting technologies to allow for the anonymity and protection of their donors’ PII. The Association of Fundraising Professionals is working on a ‘Donor Bill of Rights,’ which outlines a number of assurances an NFP should make to its donors, and high on the priority list is donor privacy rights.

Not Selling to Third Parties

NFPs’ actions pertaining to transferring or selling data to third parties were recently brought into sharp relief in the United Kingdom. A series of high-profile cases made national headlines when NFPs were found selling the PII of donors to unaffiliated third parties without the donors’ consent. One case resulted in an 87-year-old man being defrauded of $50,000 by global rogue companies who had bought his PII from an NFP. This is not a common occurrence for NFPs, and as such not a typical concern of donors considering philanthropy. Large organizations such as Facebook and Google are well known for selling information to third parties, and consumers usually agree to a privacy policy clearly stating that fact. Some may question these large organizations’ attitude toward privacy, but there is no shortage of consumers using Google and Facebook because of their ubiquitous online presence – and the value they have bestowed on the population. However, NFPs do not have this luxury. They cannot afford to lose current and prospective donors’ trust and confidence due to dubious data safeguarding techniques. NFPs need to hold PII securely and in very high regard, and tout to their donors their commitment to privacy and security. Otherwise there is a risk of losing donor support altogether; after all, people don’t have to donate.

Not Having Breaches

In the U.S., there are federal laws in 47 states that require data breaches to be publicly disclosed, regardless of whether the breach occurred in a profit or non-profit organization. There is a federal campaign to make this a national standard, but so far this has failed to come to fruition. However, U4ID has reviewed and documented a guide to the sectoral and state-specific laws in the U.S. and identified how an NFP would need to adhere to the myriad of laws that its for-profit counterparts are mandated to obey.

In the last two years, the number and types of breaches show that NFPs are on the rise as a target for data theft. Based on the breach list by Privacy Rights Clearinghouse, in 2014 and 2015 there were over 55,000 personal records breached at NFPs; however, there may have been more, as this list is based only on reported incidents. The Utah Food Bank was one from which over 10,000 donors’ data, including their email addresses and credit card details, were stolen. Even the charity hub, NCCS, was recently breached, resulting in a loss of over 700,000 accounts associated with charities that use NCCS services for filing taxes.

Not a Drop in the Bucket

The financial repercussions of a breach are damaging. Reports show that the average breach costs around $720,000. This estimate doesn’t even take into account the brand impact and the drop in donations that will follow from concern about the privacy and security of donors’ data. Keeping trust and confidence while also enriching the donor relationship is key for an NFP.

NFPs must be as rigorous in their privacy and security practices as large enterprises because their processes directly collect users’ personal data, including PII and financial information, a primary target for cybercriminals. NFPs need to assess internal privacy policies and how user data is handled, implement strong technology protocols, and provide training and awareness for all employees. Protecting valuable donor information is the key to protecting the valuable donor relationship.

About the Author

Avani Desai

Avani Desai is a Principal and the Executive Vice President at Schellman. Avani has more than 15 years of experience in IT attestation, risk management, compliance and privacy. Avani’s primary focus is on emerging healthcare issues and privacy concerns for organizations. Named one of the 2017 Global Leaders in Consulting by Consulting Magazine, she has also been featured and published in the ISSA Journal, ITSP Magazine, ISACA Journal, Information Security Buzz, Healthcare Tech Outlook, and many more.
