Security | News

Donor Data Breach!

If you think it's a hassle to change your password regularly or take other measures to protect the personal data within your realm, consider the alternative.

There's nothing like a data breach involving the loss or theft of personal data to make an alumna think twice about friending your institution on Facebook or donating to the latest capital campaign. Yet Rick Wilhelm said he has seen the IT organizations within colleges and universities make the mistake of keeping advancement offices, which often control that private data, at an arm's length. Wilhelm is the chief technical officer for WealthEngine, a consulting firm that advises schools and other types of organizations on how to improve their fundraising success. Among the company's clients are Northwestern University, Duke University's Fuqua School of Business, and Washington and Lee University, among others.

Wilhelm said he believes that many of the security challenges faced by higher ed fundraising operations are a result of not being "directly connected to the IT core of the university." As he explained, "A development office might be a little bit of an island. They're doing their best to maintain security and maintain efficiencies and operations, but all universities face financial challenges these days." That means they may not get the attention of IT and cyber-security staff to the extent that other functions in the school such as the registrar's office would.

For that reason the advancement office may be viewed by black hat hackers as the "soft underbelly" of the organization, making donor databases a "known target." "People on the prowl for this sort of data are always looking for attack vectors in areas of weakness," Wilhelm said.

As a result, the exposure of donor information is an all-too recurring event. In February Central Connecticut State University informed its alumni that malware had exposed the Social Security numbers of current and former students, staff, and faculty, dating back to 1998. In March 2012 McGill University went public with a security event in which it had to shut down a Web site put up by a group calling itself "McGill-Leaks," which had exposed confidential documents about major donors. In May, the University of Nebraska Lincoln reported that its student information system, containing data on potentially 654,000 students, alumni, and applicants, had been hacked, some 30,000 of which had banking information stored as well.

Start with a Security Policy
A recent report on best practices for prospect research in higher education fundraising, available free for registration from WealthEngine, documents a number of tips for protecting donor data. The first piece of advice: to have a security and privacy policy in place. According to the report, only 67 percent of respondents to a WealthEngine survey adhere to that practice.

Wilhelm said he considers that policy important because its existence means the organization has taken steps to understand the importance of security in its environment and is putting in place measures to maintain awareness and proactively make decisions about risk management in the security arena. Contents would cover such topics as data retention policies, confidentiality rules, password and encryption rules, physical and access-related security, and document disposal.

"The security policy is an artifact that shows they've completed that journey," Wilhelm noted. "What makes it valuable is that an organization has gone through the steps of considering what should be in that security policy and then trained people and put that policy in place."

That work requires the participation of three key stakeholders, he added: technology, legal, and administration. "The technology person needs to inform and operationally develop [the policy]. The legal person helps to inform decisions about the business risks that the organization is going to assume. Then the [administration] branch needs to make business decisions about what the organization will and won't do--about how much risk the organization wants to assume."

Set Password Rules
The major consideration to keep in mind for protecting data within the department is password security. That requires continually reminding people never to share passwords and to maintain long and complicated passwords. It also means getting out of the habit of using the same password for all purposes. "If your password gets compromised, which can happen, then you've got that password leaking out all over the Internet," Wilhelm said. "If your data was just lost through LinkedIn and it had a different password from Facebook or Gmail, then you didn't sweat it."

Secure Data Transfers
The advancement office may use external services that require access to the donor database. Wilhelm noted that some companies may perform some service on the institution's behalf, while others may work with the data to help schools be more effective in their fundraising goals.

In either case, "the biggest rule is to not let your data be transmitted by email. Any sort of file transmission is preferable to email," he declared. The problem? "Email is one of those things that hangs around and is susceptible to being found and searched through. It's hard to purge from the system. Sometimes, people use that to their advantage. More often than not, it can be a way that data leaks out. If somebody's email is compromised, suddenly your file could be compromised, completely inadvertently."

He advises advancement offices to use encryption when sending data over the wire and to make sure there's a secure FTP site where the transfer takes place. That way, he pointed out, the institution never has to worry "that there's loose copies running around."

Remember the People behind the Data
Wilhelm also puts a lot of stock in preserving the integrity of the relationship an institution has with its constituents. That includes letting them know upfront how you plan to use their data. "If you're not transparent about it and you lose their trust, then that clearly impacts your mission," he observed. "We believe that it's about operating for a long term with your constituents and thinking about the long-term growth of your fundraising efforts."

Prospect researchers, foundations, and development offices already understand this intuitively, he added. But the follow-up actions they take are important too. "We very much advocate communicating with your donors on an annual basis about how you use their data." It also includes development of the privacy policy and adhering to it, "which can be challenging sometimes."

In an era of social constituent relationship management, the way in which people perceive and share opinions about the institution and its outreach practices can have a major impact on fundraising. "We all know the power of social media, and the power of people's friend-to-friend communications. We believe it has a great deal of long-term influence over how people behave," Wilhelm said.

"Things like a security breach are a lot like a forest fire. They will scorch a place and leave long-term damage. After a place has been through a breach, everything changes." And when that happens, he said, those in the advancement office may wish for a return to the simpler daily security practices that seemed like such a hassle at the time.

comments powered by Disqus