Protecting Donor Privacy

A presentation from the Big 10 Development IT conference in Columbus, Ohio

1. Protecting Donor Privacy
   Raymond K. Cunningham, Jr., CRM, CA, CIPP, University of Illinois Foundation

2. "Higher Education Institutions account for more security breaches than any other industry, including financial institutions." – Information Security News

3. We are all subject to information breaches

5. - Security and Privacy
   - Privacy and the Law
   - Implementing a Privacy Program
   - Credit Card Industry Security

6. Security and Privacy – What is the difference?
   - Security is a process: you implement security to ensure privacy
   - Security is action
   - Security is a strategy; privacy is the outcome
   - Enterprise privacy and security management must be integrated
   - Security maintains confidentiality and privacy

7. Information Security – it is not a technical issue
   - Security is often viewed as a technical issue
   - Many information breaches occur in the paper world

8. Information Privacy – it is not a legal issue
   - Often viewed as a legal issue and handed to legal counsel as a compliance matter
   - While many privacy officers report to legal, it is not strictly a legal issue
   - Privacy is a concern of all and should be a priority of any fundraising organization

9. Navigating the Alphabet Soup: Privacy and the Law

10. Changes in Information Policy
   - Federal
   - State
   - Ethics

11. Trends
   - Information management law is moving from the general to the specific
   - What was formerly ethical is now being required by law
   - Penalties are being strengthened and cases of theft/misuse are higher profile
   - The ethics of information management are evolving

12. Information Management Laws: FERPA

13. FERPA - 1974
   - FERPA – Family Education Rights and Privacy Act
   - Directory data, degree data and non-directory data
   - FERPA block – covers all data disclosure, including the alumni database

14. Information Management Laws: GLB, FERPA

15. Gramm-Leach-Bliley Act 1999
   - The FTC has ruled that universities are covered under GLB as affiliated organizations (2003)
   - Trust operations – issuers of charitable agreements
   - Financial planners
   - CPAs

16. Gramm-Leach-Bliley Act 1999
   - GLB provides for the protection of personal financial information – similar to FERPA
   - Records containing financial information are to be protected:
     - Financial institutions are to make disclosures regarding their privacy policies and releases to third parties
     - Criminalizes certain practices of data collection services: obtaining financial and personal information by misrepresenting their right to such information

17. Gramm-Leach-Bliley Act 1999
   - Financial Privacy Rule – governs the collection and disclosure of personal financial information. It applies to those who receive such information.
   - Pretexting Provisions – cover the use of false pretenses to obtain personal financial information
   - Safeguards Rule – requires all financial institutions to design, implement and maintain safeguards to protect customer information

18. GLB - Privacy
   - GLB protects consumers' non-public information. Private information (PI) includes "personally identifiable financial information"
   - Student financial aid and loan information is protected under GLB
   - Federal financial aid

20. GLB Safeguards Rule
   - The Safeguards Rule requires financial institutions to develop a written information security plan that describes their program to protect customer information:
     - Designate one or more employees to coordinate the safeguards
     - Identify and assess the risks to customer information relevant to the company's operation

21. GLB – Safeguards Rule Compliance
   - Select service providers that can maintain appropriate safeguards
   - Evaluate and adjust the program in light of relevant circumstances, including changes in business or the results of security testing
   - Customer data stored at any off-site location

22. GLB – Safeguards Rule Compliance
   - Check references before hiring employees who will have access to customer information
   - Have them sign a confidentiality agreement or NDA
   - Limit access to customer information based on business need
   - Develop specific policies for the appropriate use of laptops, PDAs and cell phones

23. GLB – Safeguards Rule Compliance
   - Confidentiality training is required
   - Encrypt information when it is transmitted
   - Report suspicious attempts to obtain customer information
   - Dispose of customer information according to the FTC Disposal Rule

24. Comparison of Legislative Mandates – a table with the columns Training, Data Security and Privacy, and Records Management Processes and Risk Management, marking which of these the USA Patriot Act, FOIA, Gramm-Leach-Bliley, California Bill 1386, HIPAA and Sarbanes-Oxley each mandate (the individual cell marks are not recoverable from the transcript)

25. Information Management Laws: GLB, FERPA, SOX, FACTA

26. FACTA – Fair and Accurate Credit Transactions Act of 2003
   - FACTA is directed by the FTC and mandates that employers and financial institutions subject to GLB are also subject to FACTA
   - Information is to be disposed of so that it cannot be read or reconstructed – destroy or erase electronic files or media
   - Opt-out for marketing
   - Conduct due diligence and hire a document destruction contractor

27. State Personal Information Laws
   - HB 1633 (PA 94-36), effective January 1, 2006
   - Personal information is defined as: SSN, driver's license number or state ID card number, account number, credit card number
   - Notice of a breach of security should be given in the most expedient time possible and without delay

28. Illinois State Law
   - Customers must be provided notice in writing, or electronic notice provided it meets the requirements for electronic records and signatures for such notices

29. Illinois State Law
   - Illinois law is more broadly applicable than the California statute – the data collector provisions are broader and include public and private corporations, universities and financial institutions
   - Violation of the law is consumer fraud under the Deceptive Business Practices Act

30. Implementing a Privacy Program

31. Six steps for creating a Privacy Program
   1. Information asset inventory
   2. Risk assessment
   3. Policy review
   4. Develop policies and practices
   5. Conduct training
   6. Monitoring

32. Asset Management
   - Understand your information assets – inventory them
   - Locate and identify what is to be protected
   - Differentiate between the "owner" and the "user"
   - Record retention schedules – business need or regulatory requirements
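The inventory step above has to find where protected data actually lives before anything can be classified or dumped. The following helper is an added example, not code from the presentation: it scans constructed sample files for two of the personal-information types defined on the Illinois slide (SSN and credit card number), uses a Luhn check to drop digit runs that merely look like card numbers, and ranks files by how much they hold. The file names and contents are constructed.

```python
"""PII discovery helper for an information-asset inventory (added example).

Scans for SSN-like and credit-card-like values, two of the data types the
Illinois slide lists as personal information. Sample data is constructed.
"""
import re

# SSN: AAA-GG-SSSS, excluding area 000/666/9xx, group 00 and serial 0000
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card: 13-19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs that only look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Count SSN-like and Luhn-valid card-like values in a block of text."""
    ssns = SSN_RE.findall(text)
    cards = [m.group() for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"[ -]", "", m.group()))]
    return {"ssn": len(ssns), "card": len(cards)}


def inventory(files: dict) -> list:
    """Rank files (name -> contents) that hold PII, most findings first."""
    rows = []
    for name, content in files.items():
        counts = find_pii(content)
        if counts["ssn"] or counts["card"]:
            rows.append((name, counts["ssn"], counts["card"]))
    return sorted(rows, key=lambda r: r[1] + r[2], reverse=True)


SAMPLE_FILES = {  # constructed data; the card numbers are standard test PANs
    "gifts_2006.csv": "Jane Doe,123-45-6789,4111 1111 1111 1111\n"
                      "John Roe,234-56-7890,5500 0000 0000 0004\n",
    "events.txt": "Order 1234-5678 confirmed for table 12, phone 555 0100\n",
    "newsletter.txt": "Thank you for supporting the annual fund.\n",
}

if __name__ == "__main__":
    for name, ssn, card in inventory(SAMPLE_FILES):
        print(f"{name}: {ssn} SSN-like, {card} card-like values")
```

Files that surface here with no business need for the value are the candidates for the "dump SSNs where not needed" recommendation later in the deck.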
33. Asset Classification
   - Assets should be evaluated as to sensitivity and confidentiality, potential liability, intelligence value and criticality to the business
   - Classify assets – Confidential, Proprietary, Internal Use Only, Public

34. Map the Organizational Data Flow
   - Map points of data collection – examine web forms, email collection, call centers, POS, contests, surveys, chat rooms, marketing lists
   - How does data move through the system?
   - Is the data held in-house or is it outsourced?
   - Is any PII collected from outside the US?

35. Risk Assessment
   - What are the risks with your storage practices?
   - What are the physical storage requirements?
   - Are personnel tasked with the protection of the information?

36. Conduct a Policy Review
   - Develop the principles that will guide your strategy
   - Involve stakeholders, senior management and legal – get everyone on board!
   - This is not an IT problem
   - Review all applicable regulatory requirements particular to your industry

37. Elements of a Good Privacy Policy
   - Commitment to privacy
   - Information collected
   - How information is used
   - Commitment to data security
   - Commitment to children's privacy
   - How to access or correct your information
   - Contact information

38. Training
   - Training is one of the most often neglected pieces of the program, yet it is one of the most important
   - Train your employees before they are given access to information systems – supply handouts
   - Train employees to report information breaches – provide contacts
   - Train employees annually on your policies and compliance issues
   - Develop an ethical culture

39. Monitor Compliance
   - Conduct audits of security procedures
   - Review systems annually
   - Conduct incident response drills – convene your incident response team

40. PCI – DSS Payment Card Industry Digital Security Standard: What should I know?

41. Twelve DSS Requirements
   1. Install and maintain a secure network
   2. Do not use vendor-supplied defaults for system passwords and other security parameters
   3. Protect stored cardholder data
   4. Encrypt transmission of cardholder data across open, public networks
   5. Use and regularly update anti-virus software
   6. Develop and maintain secure systems and applications

42. Twelve DSS Requirements
   7. Restrict access to cardholder data by business need-to-know
   8. Assign a unique ID to all users
   9. Restrict physical access to cardholder data
   10. Track and monitor all access to network resources and cardholder data
   11. Regularly test security systems and processes
   12. Maintain a policy that addresses information security for employees and contractors

43. PCI – DSS Payment Card Industry Digital Security Standard
   - Merchants must comply with the standards
   - Should a breach occur, the fines are substantial: up to $500,000 per incident (VISA)
   - Audit through self-assessment
   - Most organizations are outsourcing a part of this process – vulnerability scans

44. Conclusions

45. Ray's Recommendations
   - Gain the support of senior management
   - Encourage a culture of confidentiality
   - Have a policy in place and enforce it
   - Be specific on roles within the organization
   - Have mechanisms in place to sign on and sign off users efficiently
   - Train all users in confidentiality and security before they log on

46. Ray's Recommendations
   - Monitor users
   - Create an incident response group and provide a way for employees to report data loss
   - Tell donors what you are doing with their data
   - Allow donors to opt out
   - Dump SSNs where not needed
   - Monitor third-party contracts

47. Resources
   - International Association of Privacy Professionals (IAPP)
   - EDUCAUSE, Information Technology and Security, 2003
   - Kahn, Randolph, Privacy Nation, 2006
   - ISO 17799, International Organization for Standardization
   - PCI

48. Contact information
   - Raymond K. Cunningham, Jr.
   - Manager of Records Services
   - University of Illinois Foundation
   - Urbana, IL 61801
   - [email_address]
   - 217 244-0658