Let’s assume your non-profit has built a sound reputation for being effective and enjoys solid donor support. Your team is planning for an annual event that provides a significant percentage of the financial resources you need to operate. A key staff member decides there is work to be done on the donor list and takes a copy of the database home to get caught up over the weekend. Unfortunately, during the course of the weekend his car is burglarized and the laptop is stolen. If sensitive information like credit card numbers, social security numbers, or account details were in the database, your organization has just suffered a serious data breach.
A recent (2011) Ponemon Institute survey revealed that 90% of the organizations in the study had suffered at least one breach in the past 12 months. The Ponemon Institute reported that in 2010, the estimated cost of a general data breach was $214 per compromised record. However, the cost of a data breach involving laptop computers or other mobile devices was 20% higher.
If you believe the example above is an exaggeration, it isn’t. An Idaho nonprofit organization has the dubious distinction of being the first entity fined by the Department of Health and Human Services (“HHS”) for a data breach involving fewer than 500 patients. In June 2010 Hospice of North Idaho (“HONI”) lost a laptop that contained sensitive personal information for about 441 patients. The laptop was stolen from an employee’s vehicle. The thief was apprehended, but the laptop was not. There was no evidence that any patient information had been abused or compromised, but HHS fined the hospice $50,000 for the violation, primarily because the laptop was not encrypted. HHS wanted to send a “strong message” to the healthcare industry that any entity covered by HIPAA will be held accountable for safeguarding patient health information. Not only did HONI have to pay $50,000 to HHS out of its operating budget, it also bore the cost of notifying patients that their personal and health information could have been compromised, and providing credit monitoring to the patients whose information was on the stolen laptop.
Many organizations don’t realize the importance of safeguarding this information, or how to do so effectively. Verizon reports that 97% of the 855 data loss or breach incidents in 2011 were avoidable through simple or intermediate controls. In fact, 63% of the recommended controls were considered “simple and cheap,” addressing weaknesses such as easily guessable administrative passwords and inadequate firewalls.
The following 10 tips will help you strengthen your defenses against data loss or breach.
- Perform a risk assessment. Know what personal information you have in your files and on your computers, and who can access it. Keep personal or sensitive data in your system only as long as you have a business reason for doing so.
- Limit access to documents, files, and electronic storage devices to employees with a legitimate business need, and keep documents and devices under lock and key.
- Encrypt sensitive information when sending it via the Internet and when storing it on computer networks or portable storage devices.
- Make sure laptops are encrypted.
- Run up-to-date antivirus and anti-spyware programs on individual computers and servers.
- Require strong passwords, such as a combination of letters, numbers, and special characters that avoids words found in the dictionary. Require password changes every 45 to 60 days.
- When deleting sensitive information from a laptop, copier or printer, use a “wiping” program that overwrites data, or shred the hard drive.
- Encrypt transmissions from wireless devices to your computer network and limit the wireless devices that can be connected to your network.
- Train employees on your organization’s confidentiality and security standards for handling sensitive data, and how to prevent data breaches. Then do it again, and again. Create a “culture of security” through regular employee training and updates.
- Shred paper documents that contain sensitive information, and make sure employees who take documents off-site do the same.
A nonprofit’s reputation is its lifeblood. Any negative publicity can damage your organization’s reputation and threaten its ability to fulfill its mission.
The attached checklist can help you heighten your organization’s level of protection and reduce the risk of a data breach.
HR and Hiring Fraud Self-Assessment Checklist
Any “no” response may be a red flag and should be closely evaluated.