The digitization of nearly everything has opened our organizations to new possibilities in how we fulfill our public service mission and communicate with donors. It has also made us incredibly vulnerable to attacks and data breaches that could quickly undermine all the hard work and time we’ve put into building donor and community trust.
“Ultimately, our work as nonprofits is to empathize with our clients and understand how they might be feeling about the information out there. We also need to do our best to make sure that those who don’t understand the risks are taken care of,” shared Jordan McCarthy, Infrastructure & Security Lead at Tech Impact, a Philadelphia-based nonprofit technology consulting and support organization.
It’s imperative that, as a good steward of your donors’ personal information, you ask the right questions and get help finding the answers you need to understand where the strengths and vulnerabilities lie within your station/organization. So, where to begin?
Effective security is about respect, balance, and people.
At a minimum, begin to understand and confirm the basics of what you need to keep donor data safe:
Collect, store, and share the absolute minimum amount of data necessary - Take stock of what data you’re collecting from donors. Is it necessary? Are you still collecting and storing sensitive payment data internally even though you don’t need to? Map out all of the places where your donors’ data is accessed and look for ways to tighten up vulnerabilities and decrease the volume of information you share.
Control, segment, and log access to all constituent data - Who has access to sensitive donor information? How much access do they have? It’s likely that, for security purposes, someone processing gifts and creating contact lists has more access than even senior managers in the organization. Also, make sure that all of your systems create logs that document the users who accessed the data and any changes or updates they make. This will provide a record in case of an attack, breach, or system failure.
Thoroughly vet all vendors that handle constituent data - It’s critical to understand what security framework your vendors have in place, including credit card processors, CRM or membership management systems, and any other vendors who have access to your data. Use our new questionnaire to find out more about your vendors.
If your organization doesn’t have one yet, craft a strong policy framework and publish clear disclosures of what you collect, why, and what rights your constituents have over that data. Look at examples from other stations and nonprofit organizations or from your university.
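The first two basics above, collecting only the minimum and controlling, segmenting and logging access, can be seen concretely in a small example. The code below is an added illustration, not code from Greater Public or Tech Impact, and the donor record, role names and field lists are constructed for the example. It keeps only the last four digits of a card number at intake, gives each role read access only to the fields its job needs (so the gift processor sees more than the senior manager, as the text notes), and writes an audit entry for every read or update, granted or denied, including the before and after values of any change.

```python
from datetime import datetime, timezone

# Constructed sample donor store (not real data); a real deployment would use a database.
DONORS = {
    "D-1001": {
        "name": "Sample Donor",
        "email": "sample.donor@example.org",
        "address": "1 Example Street, Philadelphia, PA",
        "card_last4": "4242",          # only the last four digits are ever kept
        "lifetime_giving": 1250.00,
    },
}

# Field-level least privilege: each role may read only the fields its job needs.
# The gift processor legitimately sees more donor detail than the senior manager.
ROLE_READ_FIELDS = {
    "gift_processor": {"name", "email", "address", "card_last4"},
    "senior_manager": {"name", "lifetime_giving"},
    "volunteer": {"name"},
}

# Write access is narrower still: only gift processors may change contact details.
ROLE_WRITE_FIELDS = {
    "gift_processor": {"email", "address"},
}

# Append-only audit trail of every access attempt, granted or denied.
AUDIT_LOG: list[dict] = []


class AccessDenied(Exception):
    """Raised when a role asks for data it is not permitted to see or change."""


def _audit(user, role, donor_id, action, fields, outcome, detail=""):
    AUDIT_LOG.append({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "donor_id": donor_id,
        "action": action, "fields": sorted(fields),
        "outcome": outcome, "detail": detail,
    })


def minimize_payment_data(card_number: str) -> str:
    """Reduce a card number to its last four digits at intake.

    The full number never reaches the organization's own storage; the
    payment processor is the only party that holds it.
    """
    digits = "".join(ch for ch in card_number if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("card number too short")
    return digits[-4:]


def can_read(role: str, requested: set[str]) -> bool:
    """True only if every requested field is permitted for the role."""
    return not (requested - ROLE_READ_FIELDS.get(role, set()))


def can_write(role: str, field: str) -> bool:
    return field in ROLE_WRITE_FIELDS.get(role, set())


def read_donor(user: str, role: str, donor_id: str, requested: set[str]) -> dict:
    """Return only the requested fields, and only if the role may see all of them."""
    if not can_read(role, requested):
        extra = sorted(requested - ROLE_READ_FIELDS.get(role, set()))
        _audit(user, role, donor_id, "read", requested, "denied",
               f"fields not permitted for role: {extra}")
        raise AccessDenied(f"{role} may not read {extra}")
    record = DONORS.get(donor_id)
    if record is None:
        _audit(user, role, donor_id, "read", requested, "denied", "no such donor")
        raise KeyError(donor_id)
    _audit(user, role, donor_id, "read", requested, "granted")
    return {name: record[name] for name in requested}


def update_donor(user: str, role: str, donor_id: str, field: str, new_value) -> None:
    """Change one field, recording who changed it and the before/after values."""
    if not can_write(role, field):
        _audit(user, role, donor_id, "update", {field}, "denied",
               "write not permitted for role")
        raise AccessDenied(f"{role} may not update {field}")
    record = DONORS[donor_id]
    old_value = record[field]
    record[field] = new_value
    _audit(user, role, donor_id, "update", {field}, "granted",
           f"{old_value!r} -> {new_value!r}")


def denied_attempts() -> list[dict]:
    """The entries a reviewer would look at first after a suspected incident."""
    return [entry for entry in AUDIT_LOG if entry["outcome"] == "denied"]


if __name__ == "__main__":
    print(minimize_payment_data("4111 1111 1111 4242"))
    print(read_donor("pat", "gift_processor", "D-1001", {"name", "card_last4"}))
    try:
        read_donor("sam", "senior_manager", "D-1001", {"email"})
    except AccessDenied as exc:
        print("denied:", exc)
    for entry in AUDIT_LOG:
        print(entry)
```

The useful habit here is that the log is written before the function decides whether to succeed, so a denied request leaves the same kind of trace as a granted one; a reviewer can then answer “who tried to see what, and when” from the log alone, which is exactly the record the text asks for in case of an attack, breach or system failure.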
Most importantly, don’t freak out. Just get to work gathering information and making improvements where necessary. Perfect security isn’t possible. Security implementation is an ongoing process, not an achievement that is accomplished in just one effort. Talk to other stations and find out what they’re doing. If you’re affiliated with a college or university, reach out to the Information Security Office. Look for examples of strong policy frameworks online (the SANS Institute is a great place to start). Reach out to organizations like Tech Impact or other local security specialists to help.
To learn more, check out our recent webinar, How to Better Protect Your Donors’ Data, and our Greater Public CRM/Database Security Survey to find out what information to be asking your vendors. If you work with Allegiance and MemSys, you can already view their completed surveys.