It’s been more than a year since it became enforceable, and we’re all still watching and waiting to see how the General Data Protection Regulation (GDPR) will ultimately impact organizations. While some of the world’s biggest tech giants were hit with $8.8 billion in lawsuits on day one and other companies were feverishly reporting data breaches, we’ve yet to really see what the impact is on smaller players based in the United States. But if the California Consumer Privacy Act (CCPA), which takes effect January 1, 2020, is any indication of what lies ahead, widespread GDPR-like policies seem inevitable.
You shouldn’t need a data breach to move the topic to the top of your list. Data security and privacy concerns are now on everyone’s radar. Congressional hearings, new regulations at the state level, and high profile breaches have catapulted this issue forward and its visibility to the public has never been higher.
Frankly, it's hard to imagine a more destructive event than a major data breach for an association, which is why executives need to take this threat seriously. Beyond the financial implications (that absolutely still apply to nonprofits), the reputational damage could have catastrophic implications when members consider whether or not to trust their personal information to an association.
Associations and nonprofits represent attractive targets for criminals. Their data on members and prospects is extensive. Often criminals are not even interested in hurting the association; they’re just gathering information to go after a more lucrative target. The personal information of members can be leveraged to attack larger organizations, such as their employers, or used to commit identity fraud on a massive scale.
Summer can be a traditional lull period for many organizations. While things are a bit slower it’s a great time to focus energy and resources to make sure that you’re ready to address data privacy concerns.
Four Best Practices to Help You Get Started
Reduce the Obvious Risks
Data breaches often happen after a series of bad decisions around technology policies and procedures. Consistent application of best practices is a proactive step you can take without breaking the bank. Sit down with your IT staff to review and update documents like the patching plan, acceptable use policy, and change control policy. If you don’t have these kinds of documents, now is a great time to build them.
Make sure you educate your staff too. The 2015 Major League Baseball hacking scandal happened as a result of a password being reused. Why does this keep happening? Passwords aren’t a people-friendly solution, and people get burned out and lazy. Educating staff about the risks, coupled with giving them tools that help reduce those risks, is a proactive step you can take.
Get an Objective Opinion
If you’ve never had an outside assessment of your IT systems, now is the time to budget for and schedule one. A small IT staff, with its limited capacity, finds it difficult to gain the deep expertise or deploy the automated tools that security experts have available. Find someone who can give you a snapshot and leverage that information to build a remediation strategy. You’ll never be able to mitigate every risk, but you should at least be aware of the ones that are out there and understand which ones you’ll have to accept if they can’t be fixed.
Review Your Processes
Technology is only one part of the puzzle when it comes to data privacy. You need to consider how your processes work too. Do you have a way to handle users who opt out? Are you keeping data that you shouldn’t be? In many organizations there is no single source, or data map, that identifies what member information is stored, where, or for how long. That makes it very hard to understand where issues may arise.
Don’t Forget About Your Vendors
Pop quiz time… who was the vendor that was blamed for the Home Depot data breach? Odds are pretty good that you don’t know this, because they are too small to make an interesting story when compared with the millions of stolen credit cards from a major retailer. The same thing would happen with an association. Members won’t blame it on the vendor; they’ll blame it on the organization that brought them in. Vendors are often overlooked when it comes to data security, but if they have access to your data, they’re putting you at risk.
Want to make sure that your summer vacation memories aren’t hijacked with stories of how you were hit with a lawsuit or data breach?
Reach out and let us know you’re interested in learning how SAI has solved these problems and more for other associations and nonprofits.
Please note that this blog post is for informational purposes only and should not be relied upon as legal advice. We encourage you to work with legal and other professional counsel to determine how data privacy laws and regulations might apply to your specific organization.