With all the talk about social media, Web 2.0, and cloud computing, it can be easy to get caught up in the allure of how new technologies can empower nonprofit missions. While I love to write about these opportunities, this post is more of a back-to-basics look at IT security. In particular, I'll address data leakage and how best to protect against it.
Potential Big Issues with Data Leakage
- The US Health Insurance Portability and Accountability Act (HIPAA) - By now, most health service nonprofits have brought themselves into compliance with this comprehensive privacy legislation. However, subcontractors who are not direct targets of the HIPAA law may still be contractually required to follow its privacy regulations. Many smaller subcontractor organizations may be subject to HIPAA and not realize it, or not be prepared for its implications.
- New technology requires new processes and procedures - IT security was a popular part of technology planning in the early part of this decade, but very little of it has been adapted to new models of technology delivery. For example, think about how email has changed. Many nonprofits have moved from a client-server office environment, where email was largely accessed on the office network, to a cloud-based setup with employees accessing email on the office network, from home, and from mobile devices. Each of these touch points at the edge of the organization's network increases the probability, or at least the ease, with which data can become available to others. What will you do if a laptop with client data gets lost or stolen? What if an employee tweets about a client interaction?
- Protect the weakest links on the network...your endpoints. Make sure all PCs and laptops are up to date with their virus definitions and the latest security patches for the operating system. Some IT managers choose to automate this process at the client level, while others are more cautious about applying patches right away. Either way, make sure you have a procedure in place so that it gets done.
- A sensible acceptable use policy is necessary for the use of organization resources. For example, banning all personal email, phone calls and web use seems a bit draconian to me (although some organizations choose this path). I think it's more important to have a policy that limits personal use and, more importantly, provides guidance as to what is appropriate to share or not share with others.
- Never store credit card numbers unless you absolutely must. Over the last few years we've seen corporations heavily fined for losing millions of credit card numbers. Don't join this group. If you take donation information over the phone, ensure that destruction of the credit card number is part of the process.
- A legal review of your policies and procedures is recommended, especially if you are subject to HIPAA regulations.
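The advice above on not retaining card numbers is easier to enforce if you can actually find the ones that have slipped into call notes, spreadsheets or log files. The following Python script is an added example for this post, not something from the original author: it scans text for 13- to 19-digit runs, keeps only those that pass the Luhn check that real card numbers satisfy (so phone numbers, dates and reference ids are not flagged), and masks everything but the last four digits. The sample log lines are constructed for the demonstration; the card-shaped values in them are well-known test numbers, not real accounts.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not touching other digits on either side. Assumption: this is a generic
# pattern, not tuned to any one card brand.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: one valid test card number, one typo'd (Luhn-invalid)
# number, a phone number and a 14-digit reference id that must NOT be flagged.
SAMPLE_LOG = """2024-01-01 donor call: card 4111 1111 1111 1111 exp 12/26
2024-01-01 donor call: card 4111-1111-1111-1112 (typo, invalid)
2024-01-01 callback 555-867-5309 ref 20240101123456
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _strip_separators(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def _looks_like_pan(digits: str) -> bool:
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card-shaped numbers found in text, separators removed.

    A digit run longer than 19 digits, or one that fails Luhn as a whole, is
    skipped entirely; the scanner does not try sub-windows of a longer run.
    """
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = _strip_separators(m.group())
        if _looks_like_pan(digits):
            hits.append(digits)
    return hits


def redact_pans(text: str) -> str:
    """Mask all but the last four digits of every Luhn-valid card number."""
    def _mask(m: re.Match) -> str:
        digits = _strip_separators(m.group())
        if _looks_like_pan(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()           # leave non-card digit runs untouched
    return _CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    print("Found:", find_pans(SAMPLE_LOG))
    print(redact_pans(SAMPLE_LOG))
```

Run it over a file by reading the file into a string and passing it to `find_pans` to inventory what is stored, or `redact_pans` to produce a cleaned copy; the Luhn check is what keeps the reference id and phone number in the sample out of the results, while the mistyped card number is left alone because it would not be a usable card number in the first place.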