We need donors – financial investors – to fulfill our mission. And while it is always a challenge to recruit new investors, keeping a loyal donor base requires something additional – it requires trust! Imagine the effect on long-time Society investors if they learned that their credit card details or cancer history were released by the Society into the wrong hands.
This article provides three real-life, plausible examples of recent data breaches at other organizations and offers tips on how to avoid making the same mistakes within our American Cancer Society. By understanding the types of information that need to be protected and by following existing processes and procedures for protecting our constituent information, you can reduce our data breach risk.
Ransomware breach caused by a phishing email
What happened: In 2017, a nonprofit organization in Indiana (whose mission is to reduce the financial and emotional burdens of cancer and promote cancer prevention) experienced a data breach because a staff member accidentally downloaded malware. Hackers got into the nonprofit's server and held client files for ransom. When the organization refused to pay, the hackers posted on Twitter private letters that the organization sent to grieving families who lost a loved one to cancer. In addition, because of the lost files, the organization lost funding because it did not have the information it needed to apply for grants.
How to prevent this at ACS: This story is not unique, but you can help to prevent a similar occurrence at ACS. To avoid being fooled by a phishing email, consider the source and be skeptical – while you may not be tricked into opening email from a stranger, consider what you would do if the phishing email appeared to be sent by a co-worker or vendor. If the request appears out of context, call your colleague or vendor to verify the request.
Unauthorized disclosure of employee personal information
What happened: While sophisticated, high-profile hacks make the headlines, for most nonprofits, it's the day-to-day employee activities that lead to lost or stolen data. In 2017, an Excel spreadsheet containing the personal information of YMCA employees was inadvertently sent over email to other YMCA employees (who did not have a "need to know" of the information). The employee information (which was contained in the second tab of a larger spreadsheet) included sensitive data such as Social Security numbers and salary information.
How to prevent this at ACS: You can avoid this type of mistake. It is essential that you familiarize yourself with our current ACS standards for protecting categories of information, that you double-check the email recipients, and that you ensure they are authorized to view all the data included in the attachments. In addition, you should apply the "minimum necessary" standard when sending reports. Consider redacting (deleting) unnecessary Excel fields, including hidden or secondary tabs, before forwarding the data.
Vendor or supply chain data breach
What happened: In 2017, Hyatt hotels experienced a data breach that was caused by the insertion of malicious software code from a third party onto certain hotel IT systems. Similarly, the 2014 Target breach was caused by lax security at an HVAC vendor.
How to prevent this at ACS: While you cannot always control what occurs with our vendors, you can reduce the Society's risk of a data breach by ensuring that any vendors who process or otherwise handle personal information have been vetted by our Information Security and Privacy teams, and that contract terms include provisions for notification and other assistance in the event the vendor experiences a data breach.
Protecting the privacy of our constituents' personal information is essential to maintaining the trust of our donors. By reading this article, you are taking the time to understand our privacy and security procedures. If you have questions about how our policies apply to you, please contact the Privacy office at firstname.lastname@example.org.