I’m often a little behind reading my subscription to the Economist, but I keep chugging along because they have so many brainy articles on things that often relate well to nonprofits and fundraising. Their article in February on The Leaky Corporation is no exception.
If you are awake then you are likely to have heard something about WikiLeaks in the past few months. Most recently WikiLeaks is threatening to leak documents from a bank that will expose wide-spread corrupt practices. As the bankers are sweating, the Economist discussed the myriad of options out there to protect data. But ultimately the suggestion was to decide what information is most critically private and focus on protecting it.
And what is more critically private than your donors’ personal information and giving history? Universities and hospitals have regulated layers of must-have data security, but thousands of nonprofit organizations do not. And more and more donor databases are hosted online. Even so, I would argue that the threats are more mundane than hackers. It is the accidental leak that poses perhaps the greatest threat to nonprofit organizations.
What hits the news harder than a laptop stolen that contained database or spreadsheet files full of names, addresses, social security numbers and other private info? But how about the university professor who posts a spreadsheet on a public server he thinks is private? Or the staff member who emails sensitive information to the wrong email address?
In my research I have found nonprofits who posted their confidential board list – the one with cell phone numbers, spouse names and more – on their website or attached to their public IRS Form 990. Out of pity and horror I emailed one webmaster suggesting they remove the file. I did not use the private information in my prospect profile.
There are thousands of examples of accidental errors, but what can you do to prevent them? Educate! Educating your staff and volunteers and then routinely reminding them goes a long way. Open discussion about something as simple as deleting old spreadsheet exports from your servers could avert disaster.
Consider purchasing a secure, online space for board members to view important documents instead of email and discuss the safety of any documents they download.
Establish one day a year devoted to security education and data storage clean-up so that everyone is talking, cleaning up old files, and reassigning files to safer storage space – online or offline.
Whatever you do, I hope you will seriously get thinking about your data security. Every time you hire a new employee, engage a new board member, or buy a new piece of software you face a certain degree of risk.
Aspire Research Group is committed to ethical fundraising and prospect research. Why not check out our fun, 7-minute video on ethics in prospect research? Click here.