Protect Donor Data When Working with Third-Party Vendors

High-profile data breaches in recent years show just how exposed an organization can be to attacks from outside. Protecting your nonprofit’s data is crucial, no matter who you work with. Data privacy gets even trickier when you’re dealing with a third-party vendor, because their systems and storage practices are outside your control yet can expose your data just the same. 

Ultimately, it’s up to you to make sure your organization’s data is secure ― and the stakes are high. A 2016 study put the average cost of a data breach that required victims to be notified at $7 million. That figure doesn’t include costs that are hard to put a number on, such as loss of trust and reputation, which for many nonprofits is the most important asset of all.

Building relationships with your donors takes time. Those relationships, based on trust and empathy, can be shattered in an instant by a data breach that exposes their personal information. As a nonprofit, good stewardship of your donors’ money and information yields long-term rewards. Protecting your donors’ information saves money and reputations in both the short and the long term. 

How can you protect donor data while you’re working with third-party vendors, then? As an IT professional who’s worked with nonprofits for many years, I have some simple recommendations that will keep you and your donors safe from increasingly sophisticated cyber attacks.

Update, Update, Update

It’s the simplest but most important step you can take. Keep your frontline defenses current: apply operating system and application patches promptly, keep your antivirus software and its signatures up to date, run regular malware scans, and make sure the subscriptions for your protection products never lapse. A defense you paid for two years ago and haven’t updated since is not protecting you today. 

You’ll also want to appoint one person or department to own a regular schedule of updates and virus scans. For larger organizations with IT departments, this should be a routine part of the department’s work. Smaller nonprofits will want to designate one person to coordinate updates for every computer and every software product that handles donor data, and to keep a simple inventory so that no machine is forgotten.
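The person who owns that schedule needs a way to see, machine by machine, whether updates and scans are actually happening. The script below is an added example (not from the original article, and not a Phoenix Innovate tool) of a one-machine hygiene check you could run from a scheduled task. It assumes a Windows 10/11 endpoint using the built-in Microsoft Defender, and the thresholds (30 days for patches, 3 days for signatures, 7 days for a quick scan) are illustrative assumptions, not a standard.

```powershell
# Added example: report whether this Windows machine is keeping up with
# patches, antivirus signatures and scans. Assumes Microsoft Defender;
# thresholds below are assumptions for illustration.
param(
    [int]$MaxPatchAgeDays     = 30,   # assumed: newest installed update older than this is flagged
    [int]$MaxSignatureAgeDays = 3,    # assumed: AV signatures older than this are flagged
    [int]$MaxScanAgeDays      = 7     # assumed: no quick scan within this window is flagged
)

$findings = @()

# 1. Most recent installed Windows update. Get-HotFix lists installed updates;
#    some entries carry no InstalledOn value, so drop those before sorting.
$latestHotfix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if (-not $latestHotfix) {
    $findings += "No installed updates reported by Get-HotFix"
} elseif ((New-TimeSpan -Start $latestHotfix.InstalledOn -End (Get-Date)).Days -gt $MaxPatchAgeDays) {
    $findings += "Newest update $($latestHotfix.HotFixID) was installed $($latestHotfix.InstalledOn.ToShortDateString()), more than $MaxPatchAgeDays days ago"
}

# 2. Microsoft Defender state. Get-MpComputerStatus fails if Defender is
#    disabled or replaced by a third-party product, so treat that as a finding
#    rather than silently skipping it.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled)          { $findings += "Antivirus engine is not enabled" }
    if (-not $mp.RealTimeProtectionEnabled) { $findings += "Real-time protection is off" }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "AV signatures are $($mp.AntivirusSignatureAge) days old (last updated $($mp.AntivirusSignatureLastUpdated))"
    }
    if ($mp.QuickScanAge -gt $MaxScanAgeDays) {
        $findings += "Last quick scan was $($mp.QuickScanAge) days ago"
    }
} catch {
    $findings += "Could not query Microsoft Defender (Get-MpComputerStatus): $($_.Exception.Message)"
}

# 3. Report. A non-zero exit code lets a scheduled task or remote-management
#    tool collect the result without parsing the text.
if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: OK"
    exit 0
} else {
    Write-Output "$env:COMPUTERNAME: $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output "  - $_" }
    exit 1
}
```

Run it as the scheduled-task account on each machine that touches donor data, and have the coordinator collect the exit codes or output centrally. If a third-party antivirus product is in use, the Defender block will report a finding every time; replace that section with the vendor’s own status command rather than removing the check.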

Train Your Staff

Your employees and volunteers can be your best resource, but they can also be your greatest weakness. We recommend that all nonprofit clients hold regular training sessions or, at the very least, send regular updates to staff and volunteers about the latest malware, ransomware and phishing schemes. 

Consider providing online courses in scam detection for anyone who might work with sensitive donor data. Make sure everyone knows which federal and international privacy regulations apply to your donor data and is in compliance with the most recent changes. At the very least, make sure you’re hosting an annual IT security awareness training session.

Don’t assume that everyone dealing with donor data has the same level of breach awareness that you do. Give your staff concrete descriptions of the different kinds of attack they may face and what each one looks like from their side: an unexpected invoice attachment, a login page that isn’t yours, a call asking for a password reset.

Finally, test their awareness with drills. Send a fake phishing email to employees every once in a while, and ask your vendors to do the same with their own staff. This will show you who needs more help. You might be surprised by who takes the bait: sometimes it’s a senior executive who’s always in such a hurry that they’ll click anything put in front of them. Treat a failed drill as a training opportunity, not a disciplinary matter, or people will stop reporting the real ones. 

Establish Clear Rules of Engagement with Your Vendors — And Stick to Them

It’s a great idea to set up a questionnaire for each of your third-party vendors. This will help you find the places where your data is most exposed. You’ll want to know several things, including: 

  • Which federal and other privacy requirements apply to the data you share with them, and how do they meet those requirements?
  • What security controls are in place on their equipment and networks (patching, encryption, access control, monitoring), and can they show evidence, such as a recent independent audit report?
  • Do they carry their own professional liability insurance and, if so, how much? 
  • If they will have access to printed donor data, what physical precautions are they taking to secure the storage and transfer locations of that printed data?  
  • How quickly will they notify you of a breach involving your data, and how is the data returned or destroyed when the engagement ends?

Name a point person on your side for each vendor’s data security, and make sure the vendor agrees with you about the importance of protecting donor data. Conduct regular check-ins with your vendors to confirm they’re still doing what they promised; a questionnaire answered once at signing tells you nothing about their practices a year later. 

Secure Your Connections

A recent catastrophic data breach is thought to have been accomplished because a third-party vendor employee took a work laptop with access to their client’s sensitive HIPAA-regulated data to a coffee shop. From there, it was frighteningly simple for spyware to get onto the employee’s laptop, reach all that sensitive data, and wreak havoc. Hundreds of thousands of patients had their medical data compromised because one employee chose to work from a coffee shop on a Wi-Fi connection that wasn’t secure. 

Make sure your staff knows the difference between a trusted network and public Wi-Fi, and what to do on the latter: connect through your organization’s VPN before opening anything containing donor data, or don’t open it at all. A hotspot with a password printed on the wall is still a public network. The same rule applies to any equipment with access to donor information, including telephones and equipment belonging to vendors: it works over secure connections at all times. 
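A rule like that is easier to follow when the laptop itself says whether it is currently safe to open donor data. The script below is an added example (not from the original article, and not a Phoenix Innovate tool) that checks whether a Windows laptop is on a network Windows classifies as Public and, if so, whether a VPN tunnel is up. It assumes Windows 10/11 and the built-in Windows VPN client; a third-party VPN client will not appear in Get-VpnConnection and would need its own check, which is an assumption noted in the code.

```powershell
# Added example: decide whether this laptop is on a trusted connection for
# donor data. Assumes Windows 10/11 and the built-in Windows VPN client.

function Test-TrustedConnection {
    # Windows classifies each active network as Public, Private or
    # DomainAuthenticated; a coffee-shop hotspot lands in Public.
    $profiles  = Get-NetConnectionProfile
    $untrusted = @($profiles | Where-Object { $_.NetworkCategory -eq 'Public' })

    # Any built-in VPN profile reporting 'Connected' counts as a tunnel being up.
    # Assumption: third-party VPN clients are not visible here and would need
    # their own check (for example, querying their service or CLI).
    $vpnUp = $false
    try {
        $connected = Get-VpnConnection -ErrorAction Stop |
                     Where-Object { $_.ConnectionStatus -eq 'Connected' }
        $vpnUp = [bool]$connected
    } catch {
        # Get-VpnConnection throws when no VPN profile is configured at all.
        $vpnUp = $false
    }

    # SSID and authentication type of the connected Wi-Fi interface, for the
    # report only; there is no wireless data if the machine is on a cable.
    $wifi = (netsh wlan show interfaces) -match '^\s*(SSID|Authentication)\s*:' |
            ForEach-Object { ($_ -split ':\s*', 2)[1] }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        PublicNetworks = ($untrusted | ForEach-Object { $_.Name }) -join ', '
        WifiInfo       = $wifi -join ' / '
        VpnConnected   = $vpnUp
        # Trusted if there is no Public network at all, or the VPN is up.
        Trusted        = ($untrusted.Count -eq 0) -or $vpnUp
    }
}

$result = Test-TrustedConnection
$result | Format-List

if (-not $result.Trusted) {
    Write-Warning "On a public network without a VPN. Connect the VPN before opening donor data."
    exit 1
}
exit 0
```

Run it at logon or from a desktop shortcut so the warning is visible to the person about to open a donor file. The check only tells you the tunnel is up, not that every application is using it; for a split-tunnel VPN configuration you would also want to confirm that the vendor systems holding donor data are reached through the tunnel.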

Be Accountable

At the end of the day, the loss of money, trust and reputation caused by a data breach will devastate you and your vendors alike. Be accountable to each other. Conduct self-checks consistently, stay in communication and in compliance, and your treasured relationships with both vendors and donors, just like your data architecture, will stay secure.

———

Founded in 1987, Phoenix Innovate is Detroit’s only marketing firm guaranteeing results. We focus on understanding, finding and keeping audiences. The results are transformative and sustainable. Our immersive approach harnesses a powerful combination of research, data, vision and creativity to build emotionally-engaged, lasting relationships for our non-profit and for-profit clients. We call this Authentic Marketing.

Mike Spalding

Chief Technology and Compliance Officer, Phoenix Innovate. Mike brings over 30 years of experience in Information Technology Operations Management, including systems design and engineering, policy and process implementation, and security and compliance leadership. Mike was previously responsible for managing a team of more than 55 IT professionals in 14 locations across North and South America, and for managing seven data centers hosting hundreds of applications and sites for customers in the entertainment, automotive, health care and pharmaceutical industries around the world. Additionally, he led the process required to receive and maintain certifications for ISO, SAS 70, PCI, SSAE 16 SOC 1 and HIPAA compliance. In addition to playing an important role in our client technology and data related solutions, Mike will be leading our efforts in becoming HITRUST Certified.

May 1, 2020
