KEEPING SENSITIVE DATA SECURE

Several years back Campbell Rinker needed a simple list from a client's donor database: nothing fancy – donor IDs, gift amounts, gift dates and such for several years of giving history. Instead, the person in charge of the database exported a surprise package, containing every piece of donor information in the database, including credit card numbers and other highly sensitive information.

Hearing this type of story should make any donor cringe. Do donors expect charities to protect their personal information? You bet! Finding out that a charity was reckless with personal data is like discovering that the vandal who crushed your treasured lawn gnome is a favorite uncle! In fact, donors might hold nonprofits to an even higher standard than they do for-profits.

Data security is a vast and vital subject. Given the continuing increases in the volume of data exchange and collection, its importance cannot be overstated.

This article is a starting point for your company to create an effective data security plan.

Quite simply, a charity's development department should know the law, have a system in place to protect “personally identifiable information” (PII), and have a plan of action ready in case something should go wrong.

PII refers to information that can be traced to a specific individual (e.g. name, address, telephone number, Social Security number, etc.). Securing your donor PII is vital to an effective security strategy. Regulations apply to organizations depending on their type of business and the type of information they collect. For example, financial institutions must follow the rigid requirements of the Gramm-Leach-Bliley Act.

Most of the laws applicable to nonprofits deal with what is required if there is a security breach related to PII – things like providing proper notification when records may have been accessed unlawfully. In addition, some laws require organizations to take steps to protect PII and to permanently destroy PII when disposing of documents and related materials such as hard drives.

If your group collects personal information from individuals or other organizations, you might consider having a formal security plan. Consider the following recommendations published by the Federal Trade Commission…

“When setting up a security program, your business should consider all the relevant areas of its operations, including employee management and training; information systems, including network and software design, and information processing, storage, transmission and disposal; and contingencies, including preventing, detecting and responding to a system failure. Although the security planning process is universal, there's no ‘one size fits all’ security plan. Every business faces its own special risks. The administrative, technical, and physical safeguards that are appropriate really depend on the size and complexity of the business, the nature and scope of the business and the sensitivity of the consumer information it keeps.”

When creating a plan, consider who you need to protect data from, such as…

  • Hackers
  • Employees that should not have authorization
  • Former employees who should no longer have access
  • Contractors that should not have access
  • Recipients of information-storing hardware that is sold or donated by your organization
  • Individuals that inadvertently receive or purposefully intercept information that is transmitted or shipped by your organization

Furthermore, identify the ways in which each group could come into contact with PII. Be creative; the real world is full of surprises. The last thing you want is for your organization to grab headlines because of stolen donor files.

As part of your protection plan, your organization should establish rules and systems to eliminate each risk. Try to use broad solutions that eliminate more than one risk or may eliminate risks that you did not consider. Whenever possible, avoid solutions dependent on the actions of employees. Most problems are caused by human error.

Finally, create systems to ensure that new threats and regulations are addressed promptly. This will keep your plan from becoming obsolete. Establish procedures for regularly monitoring and testing safeguards. If there are holes in your plan, it is better that you discover them before criminals do.

If you provide PII to third parties (e.g. service providers, business partners, etc.), be sure to verify their information handling practices. Consider creating a standard confidentiality agreement for third parties to sign that outlines their responsibilities regarding how they handle, store and dispose of the information you provide them.

If your organization does not have the technical expertise to evaluate and resolve security threats, be sure to solicit the expertise of someone that does. Internet technology expertise is especially critical: According to Vincent Weafer, a senior director of Symantec Security Response, 70% of vulnerabilities are found in Web technologies — principally browsers.

If your organization ends up in a firestorm of bad publicity (heaven forbid!), get advice from a seasoned public relations pro. Michael Shepherd of The Shepherd Group advises charities to identify a single spokesperson, gather the facts, develop key messages – and always tell the truth. Don't try to “spin” your way out of a tough situation.

With enough planning and commitment, any nonprofit can excel at properly protecting personally identifiable data and avoiding the glare of media lights.
The following links are wonderful resources for helping you implement the steps discussed in this article.

The 20 most commonly exploited vulnerabilities in Windows and UNIX, as reported by the SANS Institute and the FBI

The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. A variety of security experts from around the world have shared their expertise to produce this list

This introduction to Internet security in the workplace from techsoup.com covers password selection, cookies and using discretion in e-mail messages

A Business Guide to Information Security

Book about establishing and managing an information protection program
MAPPING OUT RESEARCH OBJECTIVES

Venturing into the realm of marketing research requires thoughtful planning and preparation. And as with any trip, you need a good road map – a clear idea of where you plan to start and where you expect to end. In the world of research, your research objectives are your road map.

The more clear and manageable the research objectives, the more rewarding and useful your research project will be. Below are some tips to help you write effective research objectives, particularly for survey research.

1. Chart your destination. Before starting your trip, you want to know where you're going. Simply put, where do you want to end up? Or, why do you want to conduct the research? You should be able to clearly state the overall objective in two to three sentences or less. For many organizations, there is a specific primary issue, event, or concept that they would like to learn more about or test. For others, the main objective is more general – who are our donors, members, constituents, why do they support us, what do they want from us, etc. Either pathway is perfectly legitimate: your organization just needs to have a clear notion in advance of why it is conducting the research.

2. Decide who is along for the ride. Aunt Bertha always wanted to join us, but the rule was “immediate family only” when we went on vacation. Your organization can avoid problems on the road if there is clear advance direction about which staff members may provide input to the project.

3. Plan for sight-seeing. This can get a bit messy. Remember when you were traveling across the country and your parents wanted to see the Jackalope museum and you wanted to stop at the giant ball of string? Like families, many organizations begin to get lost at this step. Differing agendas come sharply into focus. Therefore, it is crucial to identify your secondary objectives. It is important to remember that too many side trips take time, cost more and divert you from your final destination. Here are some helpful ways to stay on track.

a. Brainstorm: Whether you want to gather information about a specific issue or just general knowledge about your constituents, get the team involved. Pull everyone on the trip together and have each person describe the information he or she feels is most useful and helpful. This serves two main purposes: First, it can open your eyes to relevant issues and ideas that you hadn't considered. Second, it helps get others “on board” early on, making them less likely to discount the results later.

b. Breathe: Take a little pit stop to stretch your legs and get a Slurpee. Technically you're not even out of the driveway, but go ahead and enjoy yourself at this stage... and prepare for the next step. It's probably the hardest.

c. Prioritize: Rank all the items raised during the brainstorming that should be covered in the research. Determine what you need to know versus what you would like to know. Some results may be interesting, but not very actionable. If you're not sure, ask yourself, “What would we do if we knew the answer to this?” If the answer is foggy, it's probably a low priority item. But keep these on the list anyway – it may just turn out that there is time and budget to take that little side trip after all.

4. Map out the route. Write down your objectives. Now that you've created your road map, write down your primary and secondary goals. Pass it around so that all your travel partners have a copy. Keep it handy as you move from stop to stop on the trip. This document not only helps you determine where you're going, but answers a whole host of related questions as well, such as who you will talk to, how you will talk with them, what you will ask them and what to do with their answers.

We'll save that little adventure for another time. Happy trails.
Our mission is to provide insightful, actionable and economical marketing research to nonprofits and the companies that serve them. Feel free to call Dirk Rinker with your research needs or questions at (888) 722-6723. We also produce a list of standard survey reports for nonprofit sectors, including donors to Christian, International, and Health charities.

DonorSpeak™ is a free publication of Campbell Rinker.

© 2007 Campbell Rinker