Security and Privacy: What Nonprofits Need to Know

Security and
Privacy: What
Nonprofits Need to
Know
August 6, 2019

Using ReadyTalk
Chat to ask questions
All lines are muted
If you lose your Internet connection, reconnect
using the link emailed to you.
You can find upcoming and past webinars on
the TechSoup website:
www.techsoup.org/community/events-webinars
You will receive an email with this presentation,
recording, and links
Tweet us @TechSoup and use hashtag
#tswebinars

A Global Network
Bridging Tech Solutions
and Services for Good
Where are you on the map?

Acclivity
Adobe
Alpha Software
Asana
Atlas Business Solutions
Atomic Training
Autodesk
Azavea
BetterWorld
Bitdefender
Blackbaud
Bloomerang
Box
Brocade
Bytes of Learning
Caspio
CauseVox
CDI Computer Dealers
Cisco
Citrix
CitySoft
CleverReach
ClickTime
Closerware
Comodo
Connect2Give
Dell
Dharma Merchant Services
Digital Wish
Dolby
DonorPerfect
Efficient Elements
FileMaker
GoDaddy
GrantStation
Guide By Cell
Headsets.com
Horizon DataSys
HR Solutions Partners
Huddle
Idealware
InFocus
Informz
InterConnection
Intuit
JourneyEd
Litmos
Little Green Light
Mailshell
Microsoft
Mobile Beacon
NetSuite
Nielsen
NonProfitEasy
O&O Software
Quickbooks Made Easy
Reading Eggs
ReadyTalk
Red Earth Software
Sage Software
Shopify
Simple Charity Registration
Skillsoft
Smart Business Savings
Society for Nonprofit Organizations
Sparrow Mobile
Symantec
Tableau
TechBridge
Tech Impact
Teespring
Telosa
Tint
Ultralingua
Western Digital
Zoner

Explore our Nonprofit
Tech Marketplace
For more information, please visit
www.techsoup.org/get-product-donations
"We are an all-volunteer organization with
limited professional skills. Adobe's donated
technology is helping us present our story to
the public and to lenders in the format of a
much larger organization. With Adobe, we
are able to knock off a few of the "rough
edges" so that our story is front and center
instead of our technological limitations.
Thank you, Adobe!”
- Richard de Koster
Constitution Island Association, Inc

The Symantec Security and
Antivirus Donation Program
For more information, please visit
techsoup.org/symantec-catalog
● Symantec Endpoint Protection.
Admin Fee $6
● Symantec Endpoint Protection,
Small Business Edition. Admin Fee
$4
● Symantec Norton Small Business
● Symantec Norton Security Deluxe

TechSoup Solutions
for Nonprofits

Presenters
Michael Standard
Senior Corporate Counsel
Symantec
Kirsten McMullen
Global Privacy Compliance Manager
Nicole Jones
Dir. of Communications
TechSoup
Assisting with chat:
Zerreen Kazi, TechSoup
Kirsten McMullen
Global Privacy
Compliance Manager
Zerreen Kazi
Communications Project
Coordinator, TechSoup
Nicole Jones
Dir. of Communications,
TechSoup
Michael Standard
Senior Corporate Counsel,
Symantec

Privacy & Data Security
Do’s, Don’ts and Why it Matters
Michael Standard
August 6, 2019
Senior Corporate Counsel – Privacy and Data Security

Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY– Limited Use Only 2
Why it Matters: Losing Brand Trust

Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY– Limited Use Only
Security & Privacy Missteps
Save the Children:
International charity was hacked twice by
malicious scammers in 2017.
Criminals created false invoices and
related documents.
The organization was tricked into
transferring nearly $1 million USD to a
fake business entity in Japan.
The funds could not be recovered.
3
Source: https://www.insurancebusinessmag.com/us/news/non-profits/nonprofits-are-a-target-for-data-breach-165039.aspx
https://www.zdnet.com/article/save-the-children-foundation-duped-by-hackers-into-paying-out-1-million/

Security & Privacy Missteps (continued)
MacEwan University:
A “spoofed” email appeared to come from a
vendor, requesting the school’s accounts
receivable team reroute payments for
ongoing construction to a new National Bank
of Canada account.
A supporting letter attached to the email
appeared to have been signed by the
company’s chief financial officer.
The university made three payments to the
new account, totaling more than 11.8M USD.
The email was a fraud, which was not
discovered until 2 months later.
4
Source: https://www.thestar.com/edmonton/2018/10/09/how-a-fraudster-got-12-million-out-of-a-canadian-university-they-just-asked-for-it.html

Security & Privacy Missteps
Health and Human Services v. Affinity Health:
Affinity Health accidentally disclosed the
protected health information of over 300,000
individuals when it failed to erase the data on
copier hard drives when it returned the copiers
at the conclusion of the lease.
Affinity paid a $1,215,780 fine to HHS.
There is no report of costs for individual claims.
5

Security & Privacy Missteps (continued)
FTC v. Aaron’s et al.:
Aaron’s franchisees and several other “rent-to-own”
retailers and a computer software company used
computer programs to spy on consumers who rented
computers from those companies.
The program captured screenshots of confidential and
personal information, logging their computer
keystrokes, and in some cases taking webcam pictures
of people in their homes, all without notice to, or
consent from, the consumers.
This cost Aaron’s at least $25 million to settle with the
CA attorney general and they entered into a 20 year
consent decree with the FTC; not to mention extensive
legal fees.
Source: https://www.ajc.com/business/aaron-settles-spying-complaint-with-ftc/N4zLeQHVhQnDnzysFFjFEK/
6

Poll Time!
How would you rate the maturity level of your privacy and security
programs?
• Documented and regularly reviewed
• Documented but not reviewed or tested
• Informal with some documentation
• Ad hoc
7

Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY– Limited Use Only 8
Security vs Privacy
You can have security without privacy, but you can’t have privacy without security.
Privacy is how an organization processes Personal Data to comply with laws, regulations and perhaps most
importantly, customer expectations. Security is the technical methods used to protect that data.
Privacy
Notice/Consent
Limiting data collected
How used
When shared
How stored
When archived
When destroyed
Security
Availability
Keeping information
safe
Protection from loss
or theft
Access
Confidentiality
Integrity

• Safeguarding of data
• Protecting data from erasure, theft,
unauthorized access and unauthorized
changes
• Stopping bad guys – internal and external
Security
Security vs. Privacy
Privacy
• Safeguarding of identity
• Setting the rules for when, how and why
personal data is processed, and by whom
• Handling personal information
appropriately & responsibly
9
• Appropriately limit the disclosure of
and access to information
(confidentiality)
• Maintain the accuracy and
comprehensiveness of the data
(integrity)

Personal Data means any information related to any identified or identifiable natural person and, soon to
come, data related to a household.
Data Subjects
What is “Personal Data”?
Personal Data Examples Sensitive Personal Data Examples
• Employees
• Clients/Customers
• Patients
• Donors
• Research Subjects
• Volunteers
• Names
• Address
• Phone Number
• Email
• IP Address
• Advertising Identifier
• Cookie ID
• Internal Identifiers
• Social Security Number
• Driver’s License Number
• Credit Card Information
• Health Information
10

*
Fair Information Practice Principles (FIPPs)
• Transparency - ensures no secret data collection; provides information about the
purpose and use of personal data to allow users to make an informed choice
• Choice - gives individuals a choice as to how their information will be used
• Data Minimization - only collect that personal data that is necessary for the stated
purpose
• Information Review and Correction - allows individuals the right to review and
correct personal information
• Information Protection - requires organizations to protect the quality and integrity of
personal information
• Accountability - holds organizations accountable for complying with FIPPs
11
Example: PIPEDA – Schedule 1: https://laws-lois.justice.gc.ca/eng/acts/P-8.6/page-11.html#h-417659

Top Three Threats to Nonprofits
Phishing
Malware
Website attacks
Social engineering
Lack of training/
awareness
Improper use of assets
(cloud, email)
Poor security practices
(e.g. simple passwords,
password re-use)
Vendor security
Limited visibility and
control
Subcontractor exposure
Contractual protections/
Limits of liability
Bad ActorsOrganizational Vendors
12

Avoid the most common exploitations
Spoofing
Social Engineering, Phishing, Spoofing
Phishing Malware
• Emails appearing to
come from a friend,
vendor or boss
• Attempts to gain access
to systems by tricking
people
• Can happen via phone,
email and in-person
• Computer viruses that
demand payment
• Often uses fear and
intimidation
• Ransomware
13

DO
Do’s and Don’ts to Counter Your Risks
14
Assess your risks: Assess your exposure; the
likelihood of harm; worst-case damages to
your organization and brand
1

DO
15
Train your team on privacy and security
1
2

DO
16
Implement information security best
practices: e.g. Prohibit password sharing
and re-use, access authentication and
limits, encrypt where possible
1
2
3

DO
17
Assess your vendors and hold them
accountable. Use privacy and security
questionnaires
1
2
3
4

DO
18
questionnaires
Implement Privacy by Design basics
(internal questionnaires, privacy
assessments, etc.)
1
2
3
4
5

DO
19
questionnaires
Implement Privacy by Design basics
(internal questionnaires, privacy
assessments, etc.)
Account for Employee Data
1
2
3
4
5
6

DON’T
20
Ignore your risks
1

DON’T
21
Ignore your risks
Keep more data than you need for longer
than you need (i.e. avoid the “we keep
everything forever “in case we need it”
syndrome”)
1
2

DON’T
22
Ignore your risks
syndrome”)
Use default passwords that come with
your devices; always create new complex
passwords
1
2
3

DON’T
23
Ignore your risks
syndrome”)
passwords
Ignore your own privacy policy. This is your
promise to your customers; if you can’t
abide by your policy, change it (on a going
forward basis!)
1
2
3
4

DON’T
24
Ignore your risks
syndrome”)
passwords
Ignore your own privacy policy. This is your
promise to your customers; if you can’t
abide by your policy, change it (on a going
forward basis!)
Ignore Employee Data
1
2
3
4
5

Implementing the Do’s and Don’ts: Establish a
Privacy Program
1. Map and know your data. What do you have and where is it?
2. Identify threats and legal obligations
3. Establish privacy and security policies and controls
• Implement an effective Privacy by Design Program
• Customize your privacy policy to your organization (write what you do, not
what you “hope to” do…)
• Vendor Due Diligence
• Information Security - design, implement, verify
4. Establish compliance capabilities (incl audit & verification)
• Who will actually implement your program and how
5. Awareness and training
25

Assessment of Personal Data Processing and Security
Simple Privacy/Security Questionnaire
26
• What personal data do you collect? Why?
• Is it consistent with our privacy policy?
• Are you transparent with how you are using the data?
• Who needs access to it?
• Internal employees
• Vendors
• Where will it be stored?
• How will we protect it? Consider - On-premise, cloud, encryption, transfer, back-up, etc
• How long do we need it? And, why?
• Who is responsible for the data lifecycle and destruction?
• Who is the responsible manager/department?

Know Your Vendors and Service Providers
Vendor Privacy/Security Questionnaire
27
• Who is the Vendor?
• Type of entity and, if applicable, where incorporated;
• Funding (public/private) and ownership;
• Where is the Vendor located and where will they process your Personal
Data?
• What types of Personal Data will they process and how?
• Are they insured against cyber-crimes and/or security breaches?
• What Security Certifications do they have? Third party audit reports?
• Obtain their written security policies and practices
• Period Re-assessments, Audits and Annual Questionnaires
• Breach History
• Identify sub-contractors / sub-processors
• Evaluate contractual promises, indemnification and limits of liability

Privacy Laws – Can Anyone be 100% Compliant?
• GDPR, PIPEDA, LGPD (Brazil), etc.
• HIPAA, GLB, Telecom Act, etc.
• CCPA and the emerging U.S. patchwork of laws
• What’s next?
28

What Questions To Test Your Nonprofit?
29
• When testing for privacy rights:
Be the ultimate privacy champion user and test your technology
• Where do I find the privacy literature? Links, please.
• Can a non-lawyer understand my privacy notice?
• Without reading the privacy notice, would I be surprised at how my data is being used?
• When signing up for emails is it clear that’s what is happening?
• Can I correct my information if it’s wrong?
• When testing for security:
• Who has access to data and how do they get it?
• How do we protect ourselves from bad actors?
• What tools do we use to protect our data?

Share and Learn
Chat in one thing that you learned in today’s
webinar.
Please complete our post-event survey. Your
feedback really helps.
Follow TechSoup on social media
(FB, Instagram, Twitter, LinkedIn)
Visit the TechSoup Blog at blog.techsoup.org

Join us for our
upcoming webinars.
8/15
Public Good App House: Voting Apps
Demo
8/27
Raise More Money By Automating the
Right Message at the Right Time
Archived Webinars:
www.techsoup.org/community-events

Thank you to our
webinar sponsor!
Please complete the post-event survey that will
pop up once you close this window.

Security and Privacy: What Nonprofits Need to Know

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Security and Privacy: What Nonprofits Need to Know

Similar to Security and Privacy: What Nonprofits Need to Know (20)

More from TechSoup

More from TechSoup (20)

Recently uploaded

Recently uploaded (20)

Security and Privacy: What Nonprofits Need to Know