What measures does your nonprofit take to ensure your supporters’ and participants’ private information is safe? How often do you discuss the issue of privacy in relation to both your clients and your supporters? In today’s guest post, David Schulz provides a sobering reminder of what can happen if we aren’t making privacy an issue. Tomorrow, David will provide some tips on what to do about it. ~Kivi
Guest Post by David Schulz
“Few values so fundamental to society as privacy have been left so undefined in social theory” – Dr. Alan F. Westin, Professor Emeritus, Columbia University
Privacy discussions collapse easily under their own weight.
It’s a right so broad that its application sanctifies first-class mail, justifies access to birth control, and protects us from search and surveillance (maybe). Privacy rights are intensely personal, evolving as people, technology and social custom change.
If individuals give it much thought, it’s generally in terms of self-defense, preserving our own privacy and identity. But taking on responsibility for protecting others’ privacy seems remote. And for those involved in nonprofit enterprises, it’s certainly less pressing than cultivating a major gift or preparing for a board meeting.
This way lies disaster. For a nonprofit, and especially its development staff, to ignore privacy’s demands can lead to a crisis as certainly as leaving the front door open and the cashbox unlocked. Submitted for your review, here are a few recent examples from a time-frame with which you are sure to identify.
Remember November? Gift officers getting fired up for holiday visits and the end-of-year push? Annual Fund in top gear? Last board meeting of the year, closing outstanding pledges? Scheduling holiday receptions, all hands on deck to cultivate donor generosity? I hope we all recall it as a time of high energy and high spirits.
Not so much for these folk: they suddenly had other distractions. Each was sending breach disclosure notices, letters that “unfortunately your personal information was put at risk” (into the hands of felons, miscreants and possible terrorists, feared the recipients). During one week in November,
– Virginia Commonwealth University exposed files with information on 176,567 employees and students of Virginia Commonwealth University and employees of VCU Medical Center in Richmond;
– the University of Texas-Pan American announced that private information on more than 19,000 students was available online for two months due to human error;
– Warren County Community College disclosed that an employee from the College’s Office of Financial Aid lost a laptop and the Social Security numbers of thousands of students were accidentally made public;
– Brownsville Independent School District disclosed the Social Security numbers of employees enrolled for disability insurance on a site accessible to the public; and
– Pennsylvania Public School Employees’ Retirement System announced the names and Social Security numbers of about 2,000 members of the pension fund were accessible to the public.
That’s just early November. Still before Thanksgiving 2011, these organizations disclosed personal information breaches: Sutter Medical Foundation (4.2-million patient records lost); Bright Directions (Social Security numbers printed on more than 36 thousand envelopes sent to participants of a college savings program in Illinois); Parkland Memorial Hospital (investigating the theft of thousands of patient records allegedly by a former employee); YMCA of Metro Atlanta (a computer containing their financial information has been stolen); and the Blairsville School District (two students in the Blairsville School District were able to hack into the school’s computer system and gain access to teachers’ personal information). Happy Turkey Day, indeed.
These aren’t anomalous: breaches continue, day in and day out. Nonprofits are at particular risk. We rely on the trust of our clients and our donors. And since few organizations can afford the type of IT security and equipment defined in best practices, we are the very definition of a soft target. It is as existential a threat for us as for any business. Few institutions can easily survive the crisis of confidence and the costs associated with an information breach, which average between $2 million and $4 million per incident.
But you can take action to lower your organization’s risk. All it takes is examining your own organization’s practices from a slightly different perspective. It means looking through a prism that can reveal the hidden hazards so common in the information age. Comfort with the privacy prism helps your organization function better and helps you redefine yourself and your institution as field leaders in respect for clients and donors. It is the essence of extreme stewardship.
Today’s post and tomorrow’s provide the prism. But light passes both ways, and I ask for your perspective in response. And it is to be hoped that, in making our own organizations more privacy sensitive, we strengthen our communities as a whole.
David Schulz, CIPP/US, is a privacy professional who has been a nonprofit manager and director for thirty years, initially in marketing and media relations, then fundraising and leadership. Currently serving as Commissioner on the Texas Commission of Holocaust and Genocide, Mr. Schulz has been a director on the Plano Symphony Orchestra Board and the UT-Dallas Arts and Humanities Advisory Council. He lives in San Antonio with his wife Ann, a field leader in cyber security and a certified ethical hacker: their pillow talk, though dull, is encrypted and password protected.