Protecting Donor Privacy
Raymond K. Cunningham, Jr., CRM, CA, CIPP
University of Illinois Foundation

"Higher education institutions account for more security breaches than any other industry, including financial institutions." – Information Security News

We are all subject to information breaches.
- Security and Privacy
- Privacy and the Law
- Implementing a Privacy Program
- Credit Card Industry Security

Security and Privacy: what is the difference?
- Security is a process: you implement security to ensure privacy
- Security is action
- Security is a strategy; privacy is the outcome
- Enterprise privacy and security management must be integrated
- Security maintains confidentiality and privacy

Information Security: it is not just a technical issue
- Security is often viewed as a purely technical issue
- Many information breaches occur in the paper world

Information Privacy: it is not just a legal issue
- Often viewed as a legal issue and handed to legal counsel as a compliance matter
- While many privacy officers report to legal, it is not strictly a legal issue
- Privacy is a concern of all and should be a priority of any fundraising organization
Navigating the Alphabet Soup: Privacy and the Law

Changes in Information Policy
- Federal
- State
- Ethics

Trends in Information Management
- Law is moving from the general to the specific
- What was formerly ethical is now being required by law
- Penalties are being strengthened, and cases of theft/misuse are higher profile
- The ethics of information management are evolving
Information Management Laws: FERPA

FERPA (1974): Family Educational Rights and Privacy Act
- Distinguishes directory data, degree data and non-directory data
- A FERPA block stops all data disclosure, including to the alumni database
Information Management Laws: GLB, FERPA

Gramm-Leach-Bliley Act (1999)
- The FTC has ruled that universities are covered under GLB
- Affiliated organizations (2003): trust operations (issuers of charitable agreements), financial planners, CPAs

Gramm-Leach-Bliley Act (1999)
- GLB provides for the protection of personal financial information, similar to FERPA
- Records containing financial information are to be protected
- Financial institutions must make disclosures regarding their privacy policies and their release of information to third parties
- Criminalizes certain practices of data collection services: obtaining financial and personal information by misrepresenting their right to such information

Gramm-Leach-Bliley Act (1999): three parts
- Financial Privacy Rule: governs the collection and disclosure of personal financial information; it applies to those who receive such information
- Pretexting Provisions: cover the use of false pretenses to obtain personal financial information
- Safeguards Rule: requires all financial institutions to design, implement and maintain safeguards to protect customer information

GLB: Privacy
- GLB protects consumers' nonpublic personal information (NPI), which includes "personally identifiable financial information"
- Student financial aid and loan information, including federal financial aid, is protected under GLB

GLB Pretexting (diagram: Organization, Affiliate, Agency)

GLB Safeguards Rule
- Requires financial institutions to develop a written information security plan that describes their program to protect customer information
- Designate one or more employees to coordinate the safeguards
- Identify and assess the risks to customer information relevant to the organization's operation

GLB Safeguards Rule: compliance
- Select service providers that can maintain appropriate safeguards, including for customer data stored at any off-site location
- Evaluate and adjust the program in light of relevant circumstances, including changes in the business or the results of security testing

GLB Safeguards Rule: compliance
- Check references before hiring employees who will have access to customer information
- Have them sign a confidentiality agreement or NDA
- Limit access to customer information based on business need
- Develop specific policies for the appropriate use of laptops, PDAs and cell phones

GLB Safeguards Rule: compliance
- Confidentiality training is required
- Encrypt information when it is transmitted
- Report suspicious attempts to obtain customer information
- Dispose of customer information according to the FTC Disposal Rule
Comparison of Legislative Mandates
Areas compared: Training | Data Security and Privacy | Records Management | Processes and Risk Management
X X X   USA Patriot Act
X X     FOIA
X X     Gramm-Leach-Bliley
X X     California Bill 1386
X X X   HIPAA
X X X X Sarbanes-Oxley
Information Management Laws: GLB, FERPA, SOX, FACTA

FACTA: Fair and Accurate Credit Transactions Act of 2003
- FACTA is enforced by the FTC; employers and the financial institutions subject to GLB are also subject to FACTA
- Information is to be disposed of so that it cannot be read or reconstructed: destroy or erase electronic files or media
- Opt-out for marketing
- Conduct due diligence before hiring a document destruction contractor

State Personal Information Laws: Illinois HB 1633 (PA 94-36), effective January 1, 2006
- Personal information is defined as an individual's name in combination with an SSN, a driver's license or State ID card number, or an account or credit card number, when not encrypted or redacted
- Notice of a breach of security must be given in the most expedient time possible and without unreasonable delay

Illinois State Law
- Customers must be provided notice in writing, or electronic notice provided it meets the requirements for electronic records and signatures for such notices

Illinois State Law
- The Illinois law is more broadly applicable than the California statute: its "data collector" provisions are broader and include public and private corporations, universities and financial institutions
- A violation of the law is an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act
Implementing a Privacy Program

Six steps for creating a Privacy Program
1. Information asset inventory
2. Risk assessment
3. Policy review
4. Develop policies and practices
5. Conduct training
6. Monitoring

Asset Management
- Understand your information assets: inventory them
- Locate and identify what is to be protected
- Differentiate between the "owner" and the "user"
- Record retention schedules: business need or regulatory requirement

Asset Classification
- Assets should be evaluated as to sensitivity and confidentiality, potential liability, intelligence value and criticality to the business
- Classify assets: Confidential, Proprietary, Internal Use Only, Public

Map the Organizational Data Flow
- Map points of data collection: examine web forms, email collection, call centers, POS, contests, surveys, chat rooms, marketing lists
- How does data move through the system?
- Is the data held in-house or is it outsourced?
- Is any PII collected from outside the US?

Risk Assessment
- What are the risks with your storage practices?
- What are the physical storage requirements?
- Are personnel tasked with the protection of the information?

Conduct a Policy Review
- Develop the principles that will guide your strategy
- Involve stakeholders, senior management and legal: get everyone on board! This is not an IT problem
- Review all applicable regulatory requirements particular to your industry

Elements of a Good Privacy Policy
- Commitment to privacy
- Information collected
- How information is used
- Commitment to data security
- Commitment to children's privacy
- How to access or correct your information
- Contact information

Training
- Training is one of the most often neglected pieces of the program, yet it is one of the most important
- Train your employees prior to exposure to information systems; supply handouts
- Train employees to report information breaches, and whom to contact
- Train employees annually on your policies and compliance issues
- Develop an ethical culture

Monitor Compliance
- Conduct audits of security procedures
- Review systems annually
- Conduct incident response drills: convene your incident response team
PCI DSS: Payment Card Industry Data Security Standard. What should I know?

Twelve DSS Requirements
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors

PCI DSS: Payment Card Industry Data Security Standard
- Merchants must comply with the standard
- Should a breach occur, the fines are substantial: up to $500,000 per incident (Visa)
- For most merchants, compliance is validated through a self-assessment questionnaire
- Most organizations are outsourcing part of this process: the quarterly external vulnerability scans, which must be performed by an Approved Scanning Vendor
Conclusions

Ray's Recommendations
- Gain the support of senior management
- Encourage a culture of confidentiality
- Have a policy in place and enforce it
- Be specific on roles within the organization
- Have mechanisms in place to sign on and sign off users efficiently
- Train all users in confidentiality and security before they log on

Ray's Recommendations
- Monitor users
- Create an incident response group and provide a way for employees to report data loss
- Tell donors what you are doing with their data
- Allow donors to opt out
- Dump SSNs where they are not needed
- Monitor third-party contracts
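The Illinois definition of personal information (name plus SSN, driver's license, account or card number) and the recommendation to dump SSNs where they are not needed both come down to the same practical step: find where those identifiers actually sit in the donor data before you can inventory, drop or mask them. The Python below is an added example, not code from the presentation or from the University of Illinois Foundation. It scans a constructed sample export (the column names and records are assumptions) for SSNs and card numbers, uses the Luhn check digit and the SSA's never-issued SSN ranges to screen out look-alike digit runs, reports which records and columns carry hits, and produces a redacted copy with SSNs removed and card numbers truncated to the last four digits.

```python
"""Data-discovery pass over a donor export: find and redact the fields that
carry statutory personal information (SSN, card/account number).
Added example with constructed data; not code from the presentation."""
import csv
import io
import re

# Constructed sample export (hypothetical column names, fake values).
SAMPLE_EXPORT = """donor_id,name,notes
1001,Alice Example,pledge paid by card 4111 1111 1111 1111 exp 12/09
1002,Bob Example,tax form on file SSN 123-45-6789
1003,Carol Example,attended gala 2005; prefers mail
1004,Dan Example,order ref 1234567890123 not a card
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: true for every real card number, false for
    most other digit runs, so it screens out order numbers and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues (area 000, 666, 900-999;
    group 00; serial 0000), which are common in test and dummy data."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def find_pi(text: str) -> dict:
    """Statutory PI elements found in one free-text field."""
    found = {"ssn": [], "pan": []}
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            found["ssn"].append(m.group(0))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found["pan"].append(digits)
    return found


def scan_export(csv_text: str) -> list:
    """Inventory step: which records, and which columns, carry SSNs or PANs.
    A name is present in every record, so any hit is 'personal information'
    in the Illinois sense (name plus one of the listed identifiers)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for column, value in row.items():
            hits = find_pi(value or "")
            if hits["ssn"] or hits["pan"]:
                findings.append({"donor_id": row["donor_id"], "column": column,
                                 "ssn": len(hits["ssn"]), "pan": len(hits["pan"])})
    return findings


def redact(text: str) -> str:
    """'Dump SSNs where not needed': drop SSNs entirely; keep only the last
    four digits of a card number (a truncated PAN is no longer cardholder
    data that PCI DSS requires you to protect)."""
    text = SSN_RE.sub(lambda m: "[SSN removed]" if plausible_ssn(*m.groups()) else m.group(0), text)

    def mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)           # not a card number; leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_RE.sub(mask, text)


def redact_export(csv_text: str) -> str:
    """Rewrite the whole export with SSNs removed and PANs truncated."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=rows[0].keys(), lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: redact(v or "") for k, v in row.items()})
    return out.getvalue()


if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print(f"donor {f['donor_id']}: column '{f['column']}' holds "
              f"{f['ssn']} SSN(s), {f['pan']} card number(s)")
    print(redact_export(SAMPLE_EXPORT))
```

Run against the sample, the scan flags only the two notes fields that really carry an SSN or a card number; the 13-digit order reference fails the Luhn test and is left untouched by the redaction. The point for an inventory is that statutory PI tends to hide in free-text columns such as notes and comments rather than in the fields designed for it, so a scan has to cover every column, and a pattern match alone (without the check-digit and range screens) produces enough false positives to make the report useless.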
Resources
- International Association of Privacy Professionals (IAPP), www.privacyassociation.org
- EDUCAUSE, Information Technology and Security, 2003
- Kahn, Randolph, Privacy Nation, 2006
- ISO 17799, International Organization for Standardization, www.iso.org
- PCI Security Standards Council, www.pcisecuritystandards.org

Contact information
Raymond K. Cunningham, Jr., Manager of Records Services
University of Illinois Foundation, Urbana IL 61801
[email_address]
217 244-0658
