Trust, but Verify

The recent announcement from Blackbaud of the cyber-attack on their servers rocked the non-profit sector. We trust our CRMs to house the sensitive information entrusted to us. Finding out that the venerable Blackbaud was vulnerable was surprising – but it shouldn’t have been.

Unfortunately, cyber-thieves are crawling the web. Like insects, they test the boundaries to look for vulnerabilities. This creepiness shouldn’t make us jettison what we have and go back to paper files. Cloud-based CRMs are still the best tool. A breach does give us the jolt to review internal practices of what to keep in your database.

Financial Information

Even if your CRM is not processing payments directly, it is required to encrypt account data. Gifts made online filter into your database without full credit card or bank account numbers. Even if you process a gift by entering the numbers in manually, as soon as you click to process, those numbers are gone. But that is only if you are processing the gift. Credit card and bank account information should never be kept anywhere else in your database, especially not in notes. Similarly, I strongly suggest that Social Security numbers never be kept in your fundraising software. If your software has a link to education/enrollment software, consider disabling the function that transfers SSNs.

If you are attaching documents to a record, or even keeping them on your internal computer servers, make sure account information, driver’s license information, and SSN are totally redacted before storing.

Personal Medical Information

HIPAA requirements are quite clear about what can be shared from a healthcare provider. They are less clear about what can be stored in fundraising software, especially if the organization raising funds is not directly affiliated with the medical facility. Advice from a HIPAA compliance officer is strongly recommended.

Security Across Platforms

Now is an excellent time to review security measures taken by all software providers you use, not just your donor database. OneCause, VolunteerHub, RunSignup, Eventbrite, to name just a few, are all custodians of your constituent data. Although not all deal with financial data, they may ask for other highly personal data like birthdates.

Ultimately, we have to trust the companies that create the vital software we use. We need to ensure, however, that their protocols for data safety are dynamic and sound. In addition, we have to make sure internal procedures are clear, concise and carried out. We owe it to the donors who trust us.