In this module we will cover the basics of data security & privacy:
Before we continue, let's cover some basic terminology around data security:
Data security refers to the protective (confidentiality) measures applied to prevent unauthorized access to computers, databases and websites. Data security also protects data from corruption, a property known as data integrity. The term can also refer to the availability of that data when it is retrieved.
Data privacy is the relationship between the collection and dissemination of data.
"But I'm just a non-profit, I don't have really important data!!!"
The information that you have *is* of value to anyone who might want it.
In many cases the financial costs are indirect: they usually do not come directly from a loss of interest by customers or donors.
More often they take the form of reputational damage, and less commonly government fines or lawsuits.
Reputation costs could include:
Fines for some of the following types of behaviors:
The first law in the United States (2002) that required a company or non-profit which experienced a breach to report it to the affected customers / consumers.
The Australian Privacy Amendment specifies breach notification for:
An incident qualifies as an "eligible data breach" when it is likely that the affected individuals are at "risk of serious harm" because their information has been exposed.
Organizations must report to the Privacy Commissioner and to affected customers. The notification must include a description of the data breach, what kind of information has been compromised, and the steps individuals can take in response (such as telling customers to change their passwords on affected online accounts).
The cost of storing and processing data keeps falling; as a result, we are retaining more and more data.
This opens the opportunity for analytics and predictive modeling:
You can't manage all the data yourself. How many of you use some kind of cloud service to house your own or your donors' data?
Let's talk about a few types of data, and what considerations should be applied.
This is a pretty standard data type. Many of you will accept donations or other giving via credit cards. There are a few standards on how to handle this type of data.
Originally developed by Visa to curb fraud among vendors and credit card processors. The broader credit card industry got together in 2006 to create a single standard across all card brands.
Personally identifiable information (PII), sometimes referred to as sensitive personal information (SPI), is information that can be used on its own, or often combined with additional information, to identify, contact, or locate a single person.
Under Australia's Privacy Act 1988, "personal information" also includes information from which the person's identity is "reasonably ascertainable", potentially covering some information not covered by PII.
NIST Special Publication 800-122 defines PII as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."
However, PII is a legal concept, not necessarily a technical concept.
| Data Element | Identifier Type |
|---|---|
| Full Name (if not common) | Direct |
| User Name | Direct |
| National ID Number | Direct |
| Passport Number | Direct |
| Email Address | Direct |
| Physical Address | Direct |
| Job Title | Indirect |
| Date of Birth | Indirect |
| Gender | Indirect |
| Time Zone | Indirect |
| Language | Indirect |
| Geolocation Data | Indirect |
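The table above distinguishes direct identifiers from indirect ones that only identify someone in combination. The following added example (not part of this module's material) turns that table into a data-inventory check for a donor export: it classifies columns, strips the direct identifiers before data is shared with a vendor or analytics tool, and measures how small the groups formed by the remaining indirect identifiers become. The column names and donor rows are constructed for illustration.

```python
"""Inventory check for a donor export using the direct/indirect identifier
table from this module. Column names and rows are constructed samples."""
from collections import Counter
from itertools import combinations

# Identifier classes taken from the PII table; column names are assumed.
DIRECT = {"full_name", "user_name", "national_id", "passport_number",
          "email", "physical_address"}
INDIRECT = {"job_title", "date_of_birth", "gender", "time_zone",
            "language", "geolocation"}

# Constructed sample rows, not real people.
DONORS = [
    {"full_name": "A. Example", "email": "a@example.org", "job_title": "Teacher",
     "date_of_birth": "1980-03-02", "gender": "F", "time_zone": "AEST", "amount": 50},
    {"full_name": "B. Example", "email": "b@example.org", "job_title": "Teacher",
     "date_of_birth": "1980-03-02", "gender": "F", "time_zone": "AEST", "amount": 20},
    {"full_name": "C. Example", "email": "c@example.org", "job_title": "Engineer",
     "date_of_birth": "1975-07-14", "gender": "M", "time_zone": "AEST", "amount": 100},
]

def classify_columns(columns):
    """Map each column name to 'direct', 'indirect' or 'other'."""
    return {c: "direct" if c in DIRECT else "indirect" if c in INDIRECT else "other"
            for c in columns}

def strip_direct(record):
    """Drop direct identifiers before a record leaves the organization."""
    return {k: v for k, v in record.items() if k not in DIRECT}

def k_anonymity(records, quasi_ids):
    """Smallest number of records sharing one combination of the given
    indirect identifiers. k == 1 means that combination singles out one
    person even though no direct identifier is present."""
    counts = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(counts.values())

def isolating_combinations(records, quasi_ids):
    """All combinations of the given indirect identifiers that isolate a
    single record; these fields still need protection or generalization."""
    return [combo
            for n in range(1, len(quasi_ids) + 1)
            for combo in combinations(quasi_ids, n)
            if k_anonymity(records, combo) == 1]

if __name__ == "__main__":
    shared = [strip_direct(r) for r in DONORS]
    quasi = tuple(c for c in shared[0] if c in INDIRECT)
    print("columns:", classify_columns(DONORS[0].keys()))
    print("isolating combinations:", isolating_combinations(shared, quasi))
```

Even with every direct identifier removed, the report shows which indirect fields still pin down an individual donor, which is the decision point for generalizing (e.g. birth year instead of full date) or withholding those fields.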
This could include the Board, HR, Legal and Audit.
Security and Privacy are primarily governance issues that need to be addressed from top-down.
Where do these assets reside? Who has access to the assets? Do we need to handle them in a particular way?
Understand the level of vendor security. Request vendor data security or data privacy certifications to understand how they are working. Incorporate security and privacy language in vendor contracts.
Firewalls for perimeter, Intrusion detection systems, two-factor authentication, encryption.
Payroll, PHI or PII. Customer PII. Corporate confidential information.
PCI-DSS; National / State breach laws; Trade Commissions; European Union (EU).
Establish key teams (likely including Legal); establish a reporting structure; set up key relationships.
Active traffic / network monitoring. Understand who your attackers are and what they want.
Specific security or cyber insurance can also be purchased.