While the sheer numbers are startling, a few other aspects of the list should give most nonprofits pause. The first is that just by glancing at the list, it's clear that data thieves don't discriminate between for-profits and non-profits: hospitals and educational institutions have data security problems that are as serious as those elsewhere.
The second is simply how mundane the data thefts are. There's some, but not a whole lot, of high-tech wizardry going on. A representative sampling of reasons for data breaches or exposure:
- accidentally posted online;
- stored on a laptop computer stolen from a city office;
- discarded ... in an unsecured dumpster;
- stolen by a former department temporary worker;
Occasionally, there's a high-profile heist: in late 2007, many nonprofits became the target of hackers who found their way into Convio's GetActive servers and gained access to personal information of thousands of donors. On Nov. 1, when it discovered the breach, Convio immediately took steps to close the security hole and notified clients, advising them to let their constituents know that their email addresses and passwords may have been compromised.
It seemed like a typical Internet database security problem, good guys vs. bad, with the good guys eventually shutting the door and limiting damages.
But the incident also exposed a few of the donor data security issues that continue to plague nonprofits. Allan Benamer, who covered the story extensively on his Non-Profit Tech Blog, pointed out two of them that were particularly disturbing: 1) some nonprofits, despite clear instructions from Convio on how to do so, did not inform constituents about the security breach; and 2) many nonprofits that rely on third-party vendors to process and/or host data have little or no knowledge about vendors' security measures.
In other words, some organizations acted as if they didn't care about the security of data -- which often includes Social Security and credit card numbers -- that donors entrust them with on a regular basis. This isn't to say they don't care. "Most organizations are concerned about security of data, and they are taking measures that they believe actually increase the security," says Ted Hart, a co-author of Nonprofit Internet Strategies and People to People Fundraising. "And in fact in most cases it does not."
While firewalls and data encryption techniques continue to improve, data breaches increased an alarming 69 percent in the first half of 2008, with "hacking ... the least-cited cause of data breaches," the Washington Post reported.
Often, the most fundamental steps are missing from nonprofits' security playbooks. "There's a lack of awareness of what kinds of security breaches are possible, because lots of organizations haven't had a breach. So they assume that the risk isn't there. But the risk is fairly high."
Hart says the biggest security holes at nonprofits are often visible at the most basic levels -- starting with the organization's locally-hosted databases. "The biggest security problem that most nonprofits have is on their server, in their office, in their database. It has nothing to do with the Internet. Most organizations have a computer database and a computer system. They may even have a network, and may even back up that data.
"But the server itself is not secure," Hart adds. "It would not be difficult for someone who wanted to steal data to walk into most any development office after hours, gain access to the office, and to download a copy of their database. Anyone who wanted to and knew how to do that could probably do that in the vast majority of development offices or nonprofit organizations."
In other words, Hart says, "Much more data is at risk, sitting right in the organizations' offices, than is really at risk at any time via the Internet."
This isn't to say that there aren't online risks. Nonprofits process many credit card transactions, either directly or through a third party. And many of these transactions are recurring donations that are automatically charged on a monthly basis, which requires ready access to credit card information. "Recurring gifts are a big part of charities' ability to raise money," says Bucky Wall, Blackbaud's director of corporate readiness. "You have to have a way to consistently charge against that."
Blackbaud provides both hosted and local software for nonprofits in areas such as fundraising, constituent relationship management, and financial management. One of its major initiatives is to help its nonprofit clients get in compliance with the Payment Card Industry Data Security Standard (PCI DSS). This set of technical security standards is gradually being instituted by the credit card industry, and by July 1, 2010, adherence to PCI will be required of all organizations that process credit card transactions. Blackbaud is a member of the PCI Security Standards Council, provides webinars and many other resources concerning PCI, and even maintains a PCI blog.
Blackbaud, like most other companies that provide services involving the processing of clients' personally identifiable information (PII), places a great emphasis on data security, simply because it's part of its core business. And because of this, the company is able to keep track of what Jake Marcinko, Blackbaud's information security manager, describes as the "always changing legal landscape" of data security.
"I think there are two big issues for nonprofits" regarding PII, says Marcinko. "One is knowing which laws are relevant to their business practices, and the second is understanding what information is applicable to those laws -- and how and why the nonprofits keep that information, and where they keep it."
Most nonprofits, Marcinko adds, simply don't have the resources to deal with the multitude of state, federal, and international laws concerning personal information and credit card data, especially considering that laws and requirements are becoming increasingly technical in nature.
"In the case of PCI compliance, it is such an onerous and difficult process to comply with this myriad of requirements, your average nonprofits -- 90 percent of nonprofits can't physically deal with that," says Marcinko. "They don't have the expertise, they don't have the time, they don't have the resources."
In addition to providing PCI-compliant software and making a concerted effort to educate nonprofits about PCI compliance, Blackbaud, says Marcinko, has "eliminated a lot of the storage of sensitive information from our products. We're designing and redesigning a lot of new products that take a lot of these regulatory requirements under consideration."
While Blackbaud is doing what it can on the technical side, the company is well aware that security issues are many, and are often not technical in nature. "First and foremost you need to identify what [data] you're collecting and why you're collecting it," says Marcinko, suggesting that many organizations will find they have lots of sensitive data they simply don't need -- and can therefore dispose of. Another major step "is knowing where data exists within your organization, whether it's in paper or electronic format, and to try to limit the number of places it's stored. And then you can start talking technical controls."
What to do
Hart agrees that security measures should begin with a review of the nonprofits' most fundamental business practices. Among the steps that Hart (and many other security experts) advise:
- Begin with a top-to-bottom review of all sensitive or confidential information that's in-house;
- Assess what data must be kept, what can be stored in (and easily accessed from) a remote location, and perhaps most important, what can be discarded;
- Determine who needs access to the data and why, and provide only those people with password-protected access to the data;
- Make sure that the data you do have is backed up on a regular basis in a secure, remote location;
- If your organization can afford it, hire an independent security expert to review your data security policies and procedures. ("It never fails to surface things that never really were an issue to anyone," says Hart.)
- Don't store complete credit card information on site;
- Limit physical access to servers;
- Be aware of what confidential and sensitive information is on printed (paper) files, and make sure that all such files are kept secure at all times;
- Make certain that your Web site complies with fundamental, industry-standard encryption and security measures in the processing of personal information.
Perhaps most important, says Hart, is for nonprofit organizations to review data security "in a way that's not alarmist. There's a lot they can do themselves. It's common sense. It's not being lazy in the way data is handled. It's just paying attention. Remain vigilant."

Last modified on Sunday, 19 May 2013