Lately you’ve seen many news stories about data breaches and personal information being hacked, and you may be wondering, “How can I protect my nonprofit organization?” The advent of the internet has in many ways been both a blessing and a curse. Data is now in a format that, if accessed, can be copied in mere seconds. However, access to the data isn’t the only issue. The nature of the data is what matters most. So what information might be stored in your donor management software, and what do data thieves want?
Name & Address: Although a good starting spot, this really is of little value to the thief. Alone, this information amounts to little more than folks could get out of the White Pages (or nowadays whitepages.com).
Donation History: Again, of little value. Other than to obscure data analytics organizations such as Cambridge Analytica, this information doesn’t hold much value for a thief. Cambridge used all the information from Facebook to try to develop a profile of an individual to determine their political leanings. Once that was established, the information was used to target those folks with specific ads. Social media is where the bulk of this information comes from, and it is all being obtained with the approval of your vendor.
Phone Number/Email: Of little value. This information is all over everyone’s social media accounts and readily sold by reputable organizations (Experian – yes, the credit checking organization – will sell you this information).
Credit Card Number/Bank Account and Routing: This is the jackpot. With this information they can purchase items, do ACH withdrawals, etc. Hackers are in the business of making money for themselves. To do so, they need to access information that can generate actual money.
Passwords: Hackers really like this information. Why? Because people tend to reuse the same password on all their sites. The Yahoo breach years ago still lives on in the dark web, as the user IDs and passwords associated with the Yahoo accounts are still being sold for folks to try to exploit.
So how does DonorSnap, and hopefully all online donor management software, approach the security of your data? First, we have controlled physical access to our data servers. You can’t just walk into our hosting facility and plug in a flash drive. In addition, we use firewalls and scanning software, and we limit access to our database to only DonorSnap programs. More importantly, through our terms of service, we do not allow the storage of driver’s license numbers, social security numbers, bank account numbers and credit card numbers. Without this data, the overall risk to donors of having their information compromised is minimal. If this information is not in your nonprofit organization’s database, then if your data is ever compromised, there is nothing of real value for the hacker to exploit.
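One way to check that none of the prohibited numbers have crept into free-text fields is to scan an export for digit runs that pass the credit card (Luhn) or bank routing (ABA) checksum. This is an added example, not DonorSnap's code; the CSV layout, column names and sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Constructed sample export: names, notes and numbers are made up for this example.
SAMPLE_EXPORT = """donor_id,name,notes
1,Pat Example,Prefers email contact
2,Sam Sample,Card on file 4111 1111 1111 1111 exp 01/30
3,Lee Placeholder,Check #1042 routing 123456780 acct on copy
4,Kim Constructed,Pledged 1234567890123456 points in raffle
"""

# 9 to 19 digits, allowing single spaces or dashes between them.
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d){8,18}")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def aba_ok(digits):
    """3-7-1 weighted checksum used by nine-digit ABA routing numbers."""
    return sum(int(w) * int(c) for w, c in zip("371371371", digits)) % 10 == 0

def classify(digits):
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return "card_number"
    if len(digits) == 9 and aba_ok(digits):
        return "routing_number"
    return None  # checksum fails: most likely an unrelated number

def scan_export(text):
    """Return (donor_id, column, kind, masked value) for each suspicious run."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        for column, value in row.items():
            for match in DIGIT_RUN.finditer(value or ""):
                digits = re.sub(r"\D", "", match.group())
                kind = classify(digits)
                if kind:  # report only the last four digits, never the full value
                    masked = "*" * (len(digits) - 4) + digits[-4:]
                    findings.append((row["donor_id"], column, kind, masked))
    return findings

if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT):
        print(finding)
```

Bank account numbers have no standard checksum, so a routing-number hit is the cue to review that record by hand for an account number stored beside it.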
So, even with the precautions that your online donor management software has taken, there is still one big vulnerability: your username and password. Almost all data breaches are accomplished by accessing the data through approved channels. Make sure you have a unique password for every user, inactivate all users when they leave your organization, and consider requiring password changes periodically. (OK, we know almost no one likes to do this, but it really does help. If you don’t follow this practice, at least use a password that is hard to guess and not used for your other internet accounts.)
So, if you take the above precautions, are you being a good steward of your donors’ information?
One of the oldest practices in the nonprofit world is the custom of copying a donor’s check to save along with the other donation information. It is easy to pass the check from the accounting department to the development department (or vice versa) so everyone knows what needs to be entered into the system. There also is a feeling of comfort that by having a copy of the check, we can go back and correct errors or research data entry errors more easily. In days gone by these copies were stored in a file folder for that donor. With the advent of the internet, they may still be in your paper file folder or they may now be scanned into your computer.
However, if one stops to think about it, the check represents a far more critical piece of information floating around in your office or computer than, say, a list of your donors and the amounts of their donations. The check copy contains all the information needed to perpetrate identity theft and fraudulent activity. It doesn’t take a computer genius to make up and pass fraudulent checks or do automatic ACH withdrawals from an individual’s account. Having an accurate name, bank routing number and bank account number is really all you need. This is the basis of the Nigerian oil minister scheme, where they reach out to you to help them move excess money out of the country. All they request is your bank account and routing number. Instead of finding a large windfall in your bank account, you find that your account has been drained through an automated withdrawal.
So, if you do want to keep copies of the checks, you should cover up the account and routing numbers on the bottom of the check prior to photocopying. This is now a harmless document that has someone’s name, address and the amount they donated. You owe it to your donors to protect their data!