
Security and Privacy: What Nonprofits Need to Know


The adage says, "You can't have privacy without security, but you can have security without privacy." What does that really mean, and how can you proactively address both for your organization? With privacy scandals and data breaches grabbing headlines daily, even the smallest organizations must take responsibility for lawful custodianship and protection of personal information. In this 60-minute webinar with Michael Standard, senior corporate counsel at Symantec, we will cover the key elements of privacy and security programs. You will learn:

- How privacy and security concerns intersect and differ
- Risks to assess when evaluating your privacy program
- The definition of "personal information"
- Key privacy laws that may impact your organization
- The top three privacy and security threats and how to mitigate them

Published in: Education

Security and Privacy: What Nonprofits Need to Know

  1. Security and Privacy: What Nonprofits Need to Know (August 6, 2019)
  2. Housekeeping: Use ReadyTalk Chat to ask questions. All lines are muted. If you lose your Internet connection, reconnect using the link emailed to you. You can find upcoming and past webinars on the TechSoup website: www.techsoup.org/community/events-webinars. You will receive an email with this presentation, recording, and links. Tweet us @TechSoup and use hashtag #tswebinars.
  3. A Global Network Bridging Tech Solutions and Services for Good. Where are you on the map?
  4. Acclivity, Adobe, Alpha Software, Asana, Atlas Business Solutions, Atomic Training, Autodesk, Azavea, BetterWorld, Bitdefender, Blackbaud, Bloomerang, Box, Brocade, Bytes of Learning, Caspio, CauseVox, CDI Computer Dealers, Cisco, Citrix, CitySoft, CleverReach, ClickTime, Closerware, Comodo, Connect2Give, Dell, Dharma Merchant Services, Digital Wish, Dolby, DonorPerfect, Efficient Elements, FileMaker, GoDaddy, GrantStation, Guide By Cell, Headsets.com, Horizon DataSys, HR Solutions Partners, Huddle, Idealware, InFocus, Informz, InterConnection, Intuit, JourneyEd, Litmos, Little Green Light, Mailshell, Microsoft, Mobile Beacon, NetSuite, Nielsen, NonProfitEasy, O&O Software, Quickbooks Made Easy, Reading Eggs, ReadyTalk, Red Earth Software, Sage Software, Shopify, Simple Charity Registration, Skillsoft, Smart Business Savings, Society for Nonprofit Organizations, Sparrow Mobile, Symantec, Tableau, TechBridge, Tech Impact, Teespring, Telosa, Tint, Ultralingua, Western Digital, Zoner
  5. Explore our Nonprofit Tech Marketplace. For more information, please visit www.techsoup.org/get-product-donations. "We are an all-volunteer organization with limited professional skills. Adobe's donated technology is helping us present our story to the public and to lenders in the format of a much larger organization. With Adobe, we are able to knock off a few of the 'rough edges' so that our story is front and center instead of our technological limitations. Thank you, Adobe!" - Richard de Koster, Constitution Island Association, Inc.
  6. The Symantec Security and Antivirus Donation Program. For more information, please visit techsoup.org/symantec-catalog
     ● Symantec Endpoint Protection. Admin Fee $6
     ● Symantec Endpoint Protection, Small Business Edition. Admin Fee $4
     ● Symantec Norton Small Business
     ● Symantec Norton Security Deluxe
  7. TechSoup Solutions for Nonprofits
  8. Presenters
     • Michael Standard, Senior Corporate Counsel, Symantec
     • Kirsten McMullen, Global Privacy Compliance Manager
     • Nicole Jones, Dir. of Communications, TechSoup
     • Assisting with chat: Zerreen Kazi, Communications Project Coordinator, TechSoup
  9. Privacy & Data Security: Do's, Don'ts and Why it Matters. Michael Standard, Senior Corporate Counsel – Privacy and Data Security. August 6, 2019
  10. Copyright © 2019 Symantec Corporation. SYMANTEC PROPRIETARY – Limited Use Only. Why it Matters: Losing Brand Trust
  11. Security & Privacy Missteps. Save the Children: The international charity was hacked twice by malicious scammers in 2017. Criminals created false invoices and related documents. The organization was tricked into transferring nearly $1 million USD to a fake business entity in Japan. The funds could not be recovered. Sources: https://www.insurancebusinessmag.com/us/news/non-profits/nonprofits-are-a-target-for-data-breach-165039.aspx and https://www.zdnet.com/article/save-the-children-foundation-duped-by-hackers-into-paying-out-1-million/
  12. Security & Privacy Missteps (continued). MacEwan University: A "spoofed" email appeared to come from a vendor, requesting that the school's accounts receivable team reroute payments for ongoing construction to a new National Bank of Canada account. A supporting letter attached to the email appeared to have been signed by the company's chief financial officer. The university made three payments to the new account, totaling more than 11.8M USD. The email was a fraud, which was not discovered until 2 months later. Source: https://www.thestar.com/edmonton/2018/10/09/how-a-fraudster-got-12-million-out-of-a-canadian-university-they-just-asked-for-it.html
  13. Security & Privacy Missteps. Health and Human Services v. Affinity Health: Affinity Health accidentally disclosed the protected health information of over 300,000 individuals when it failed to erase the data on copier hard drives when it returned the copiers at the conclusion of the lease. Affinity paid a $1,215,780 fine to HHS. There is no report of costs for individual claims.
  14. Security & Privacy Missteps (continued). FTC v. Aaron's et al.: Aaron's franchisees, several other "rent-to-own" retailers and a computer software company used computer programs to spy on consumers who rented computers from those companies. The program captured screenshots of confidential and personal information, logged the consumers' keystrokes, and in some cases took webcam pictures of people in their homes, all without notice to, or consent from, the consumers. This cost Aaron's at least $25 million to settle with the CA attorney general, and they entered into a 20-year consent decree with the FTC, not to mention extensive legal fees. Source: https://www.ajc.com/business/aaron-settles-spying-complaint-with-ftc/N4zLeQHVhQnDnzysFFjFEK/
  15. Poll Time! How would you rate the maturity level of your privacy and security programs?
     • Documented and regularly reviewed
     • Documented but not reviewed or tested
     • Informal with some documentation
     • Ad hoc
  16. Security vs Privacy. You can have security without privacy, but you can't have privacy without security. Privacy is how an organization processes Personal Data to comply with laws, regulations and, perhaps most importantly, customer expectations. Security is the technical methods used to protect that data.
     Privacy: Notice/Consent • Limiting data collected • How used • When shared • How stored • When archived • When destroyed
     Security: Availability • Keeping information safe • Protection from loss or theft • Access • Confidentiality • Integrity
  17. Security vs. Privacy
     Security:
     • Safeguarding of data
     • Protecting data from erasure, theft, unauthorized access and unauthorized changes
     • Stopping bad guys – internal and external
     • Appropriately limit the disclosure of and access to information (confidentiality)
     • Maintain the accuracy and comprehensiveness of the data (integrity)
     Privacy:
     • Safeguarding of identity
     • Setting the rules for when, how and why personal data is processed, and by whom
     • Handling personal information appropriately & responsibly
  18. What is "Personal Data"? Personal Data means any information related to any identified or identifiable natural person and, soon to come, data related to a household.
     Data Subjects: Employees • Clients/Customers • Patients • Donors • Research Subjects • Volunteers
     Personal Data Examples: Names • Address • Phone Number • Email • IP Address • Advertising Identifier • Cookie ID • Internal Identifiers
     Sensitive Personal Data Examples: Social Security Number • Driver's License Number • Credit Card Information • Health Information
  19. Fair Information Practice Principles (FIPPs)
     • Transparency - ensures no secret data collection; provides information about the purpose and use of personal data to allow users to make an informed choice
     • Choice - gives individuals a choice as to how their information will be used
     • Data Minimization - only collect the personal data that is necessary for the stated purpose
     • Information Review and Correction - allows individuals the right to review and correct personal information
     • Information Protection - requires organizations to protect the quality and integrity of personal information
     • Accountability - holds organizations accountable for complying with FIPPs
     Example: PIPEDA – Schedule 1: https://laws-lois.justice.gc.ca/eng/acts/P-8.6/page-11.html#h-417659
  20. Top Three Threats to Nonprofits
     Bad Actors: Phishing • Malware • Website attacks • Social engineering
     Organizational: Lack of training/awareness • Improper use of assets (cloud, email) • Poor security practices (e.g. simple passwords, password re-use)
     Vendors: Vendor security • Limited visibility and control • Subcontractor exposure • Contractual protections/limits of liability
  21. Avoid the most common exploitations: Social Engineering, Phishing, Spoofing
     Spoofing:
     • Emails appearing to come from a friend, vendor or boss
     Phishing:
     • Attempts to gain access to systems by tricking people
     • Can happen via phone, email and in-person
     Malware:
     • Computer viruses that demand payment
     • Often uses fear and intimidation
     • Ransomware
  22-27. Do's and Don'ts to Counter Your Risks: DO (built up over six slides)
     1. Assess your risks: Assess your exposure; the likelihood of harm; worst-case damages to your organization and brand
     2. Train your team on privacy and security
     3. Implement information security best practices: e.g. prohibit password sharing and re-use, access authentication and limits, encrypt where possible
     4. Assess your vendors and hold them accountable. Use privacy and security questionnaires
     5. Implement Privacy by Design basics (internal questionnaires, privacy assessments, etc.)
     6. Account for Employee Data
  28-32. Do's and Don'ts to Counter Your Risks: DON'T (built up over five slides)
     1. Ignore your risks
     2. Keep more data than you need for longer than you need (i.e. avoid the "we keep everything forever in case we need it" syndrome)
     3. Use default passwords that come with your devices; always create new complex passwords
     4. Ignore your own privacy policy. This is your promise to your customers; if you can't abide by your policy, change it (on a going-forward basis!)
     5. Ignore Employee Data
  33. Implementing the Do's and Don'ts: Establish a Privacy Program
     1. Map and know your data. What do you have and where is it?
     2. Identify threats and legal obligations
     3. Establish privacy and security policies and controls
        • Implement an effective Privacy by Design Program
        • Customize your privacy policy to your organization (write what you do, not what you "hope to" do...)
        • Vendor Due Diligence
        • Information Security - design, implement, verify
     4. Establish compliance capabilities (incl. audit & verification)
        • Who will actually implement your program and how
     5. Awareness and training
  34. Assessment of Personal Data Processing and Security: Simple Privacy/Security Questionnaire
     • What personal data do you collect? Why?
     • Is it consistent with our privacy policy?
     • Are you transparent with how you are using the data?
     • Who needs access to it?
        • Internal employees
        • Vendors
     • Where will it be stored?
     • How will we protect it? Consider on-premise, cloud, encryption, transfer, back-up, etc.
     • How long do we need it? And, why?
     • Who is responsible for the data lifecycle and destruction?
     • Who is the responsible manager/department?
  35. Know Your Vendors and Service Providers: Vendor Privacy/Security Questionnaire
     • Who is the Vendor?
        • Type of entity and, if applicable, where incorporated;
        • Funding (public/private) and ownership;
     • Where is the Vendor located and where will they process your Personal Data?
     • What types of Personal Data will they process and how?
     • Are they insured against cyber-crimes and/or security breaches?
     • What Security Certifications do they have? Third party audit reports?
     • Obtain their written security policies and practices
     • Periodic Re-assessments, Audits and Annual Questionnaires
     • Breach History
     • Identify sub-contractors / sub-processors
     • Evaluate contractual promises, indemnification and limits of liability
  36. Privacy Laws – Can Anyone be 100% Compliant?
     • GDPR, PIPEDA, LGPD (Brazil), etc.
     • HIPAA, GLB, Telecom Act, etc.
     • CCPA and the emerging U.S. patchwork of laws
     • What's next?
  37. What Questions To Test Your Nonprofit?
     • When testing for privacy rights: Be the ultimate privacy champion user and test your technology
        • Where do I find the privacy literature? Links, please.
        • Can a non-lawyer understand my privacy notice?
        • Without reading the privacy notice, would I be surprised at how my data is being used?
        • When signing up for emails, is it clear that's what is happening?
        • Can I correct my information if it's wrong?
     • When testing for security:
        • Who has access to data and how do they get it?
        • How do we protect ourselves from bad actors?
        • What tools do we use to protect our data?
  38. Thank You! ...Questions?
  39. Share and Learn. Chat in one thing that you learned in today's webinar. Please complete our post-event survey. Your feedback really helps. Follow TechSoup on social media (FB, Instagram, Twitter, LinkedIn). Visit the TechSoup Blog at blog.techsoup.org
  40. Join us for our upcoming webinars. 8/15 Public Good App House: Voting Apps Demo. 8/27 Raise More Money By Automating the Right Message at the Right Time. Archived Webinars: www.techsoup.org/community-events
  42. Thank you to our webinar sponsor! Please complete the post-event survey that will pop up once you close this window.
