Protecting Donor Data in the Cloud

Ann C. Fitzgerald, President
The ransomware hack of Blackbaud earlier this year should have scared nonprofits, reminding them that they are not immune to data breaches or cybercrimes. From criminals trying to steal financial information, to “hack-tivists” intent on exposing a nonprofit’s internal strategies and documents, there are myriad ways in which cyber-villains can attack an organization, and myriad reasons they will try.
Fundraisers should pay particular attention to these concerns, since most development offices utilize cloud-based CRMs. A breach of donor data could expose a nonprofit to lawsuits, a loss of credibility, and a decrease in donations.
In his report on protecting businesses from cybercrime, Will O’Neal, founder and president of Mid-Atlantic Computer Solutions, writes, “The #1 security threat to any business is…YOU! Almost all security breaches in business are due to an employee clicking, downloading or opening a file that’s infected, either on a website or in an e-mail…”
So what are some steps YOU should take?
Conduct a risk assessment. Determine what donor information you collect, what you do with the data, how you store it, who is responsible for it, and how you dispose of it. Also, assess whether the data identifies a donor personally and what you do if the donor wants their data back.
In short, consider what you are collecting and whether you need it. Many development offices have portfolios on donors that would make the NSA jealous! Ask whether you really need all of this information to cultivate the donor relationship, or whether you are just collecting for collecting’s sake.
Establish a donor privacy policy. Develop an internal policy, train staff, and tell donors how you will maintain and use their information. Charity Navigator offers a sample donor privacy template, and there are many more examples online.
Partition data. Implement layered security so employees can access only what they need in order to do their jobs well. One of the biggest threats to donor data, next to internal security breaches, is third-party vendors who access information. Review security protocols and make sure files with donor information are transferred only through secure portals, never email.
Protect donor data as if it were your own. Fundraisers know that their relationships with donors are built on trust. Treat all donor information with the respect and integrity it deserves—as if it were your own personal data.
It doesn’t help to panic about cyber security, but it won’t hurt to be a little afraid if it spurs you to act on these tips.
Ann C. Fitzgerald is Founder and President of AC Fitzgerald, using her decades of experience in fundraising, management, leadership, and sales to help nonprofits build their capacity and achieve success. She is a sought-after speaker, writer, and advisor.