Build in Security
What protections have I put around the data I’ve collected?
- Limit access to the data to those who truly need access.
- Encrypt it while you’re moving it.
- Know where you store your data and think about how best to protect that data.
A. Who has access to your data?
Access to data isn’t dependent on your management structure, it is about who needs access to use that data on a regular basis. As people change roles within an organization, their access needs may change.
Who has access to your membership data? Consider the following:
- Independent contractors
- 3rd-party platforms (payment processor, email management, events, etc.)
Dig deeper, and ask yourself the following questions:
- For each group that you checked above, does everyone in the group need access to all membership data? Often, organizations discover more people have access than actually need it.
- Can you create access controls, so that only people who need to know certain data, have access to that limited set of data?
- Do all people who have access to membership data understand the value of that data, how to protect it, whom it can be shared with, and under what conditions it can be shared?
- How much damage could a disgruntled employee – or one whose computer has been hacked – do if they walked off with a copy of all the data they have access to?
Example 1: Shared Documents
If your organization uses G Suite, Box, or Dropbox, for example, your default settings might be to share all of your documents with everyone in the organization – they might not all have default editing rights, but they might be able to search for, view, and copy everything. Sharing sensitive data isn’t about excluding members of your organization, but rather about mitigating risk so that data is not used inappropriately. For example, if an outsider with malicious intent knew that all of your staff had access to sensitive data, they could target anyone until they found a vulnerability – maybe one of your staff members doesn’t change their password as often as they should, or they sign in on a more vulnerable machine.
Limiting the number of people who have access to certain types of data keeps your organization more secure. Some organizations have multiple people with access to different sections of the sensitive data, making it much harder for malicious external actors to access the whole dataset by targeting one staff member. Moreover, it should only be the people who use this data on a regular basis who have access, which may not necessarily be decided by organizational hierarchy.
Example 2: Customer Relationship Management Services
Many organizations use various types of customer relationship management (CRM) services or software to manage their list of supporters and communicate with them effectively. Often you’ll give people in your organization access to the data in these services but then never remove that access when people move on to another position that no longer requires that access.
Check out the list of people who have access to your CRM data or to the software you use to manage contacts. The list might be longer than you think!
B. Your Security
Without adequate security, your membership data is susceptible to being compromised. The the level of appropriate security will depend on the type of data you have, where it’s located, and what your resources are. Below are some steps to consider.
Identify a Data Steward.
This is someone (or a few people) who are responsible for knowing what data you collect, where it is, and how it’s being secured. This person will lead the process of reviewing the data you have, reviewing your vendor practices, and establishing the right data practices for your organization.
- Physical access controls
- Locked doors and areas restricted to employees only
- ID cards
- Guest or Volunteer badges
- Alarm System
- Work Areas
- Passwords requirements for device access
- Data should be handled on organization equipment only.
- Documents with personal data should not be left lying around on desks
- Documents with personal data should be shredded
- System controls
- Strong passwords
- Two-factor authentication
- Audit trails, so you are notified when data is accessed without authorization
- Centralized IT management
C. Vendor Security
Do you use vendors to help you collect and use your membership data? Examples of where you use vendors might include:
- Email service provider
- Event management service
- Contractors such as email hygiene or appending services
- Mobile analytics solutions
- Payment processing
- Online surveys and petitions
Many vendors have online legal terms and privacy notices which require your agreement before you can use the service. Always review these documents in depth and make sure you are comfortable with them. Feel free to reach out and ask the vendor questions to clarify their terms, or to create a custom set of terms that incorporates your organization’s data standards. You can ask:
Use and Sharing
- Who will have access to the data, on the vendor’s side?
- Are there sub-vendors involved?
- If so, why? Are they adhering to the same or higher privacy safeguards as your vendor?
- Has vendor implemented procedures for removing data access to employees that change roles and/or leave the company?
- Are people with access to data limited to seeing aggregate reports of the data collected from your company, or will they have granular access to the raw data?
- Does the vendor have the contractual right to share or sell your data to others?
- Does the vendor have the contractual right to use your data for its own purposes?
- Will the vendor use your data to send its own promotional materials or advertisements?
Security Controls & Data Retention
- What security controls does the vendor have in place?
- Is the data encrypted when it is in transit to/from the vendor?
- Is the data encrypted at rest?
- Has the vendor implemented physical, technical and administrative controls to protect the data? What are those safeguards?
- How long is vendor retaining your members’ data?
- Can you or your members request data to be deleted?
- Does the Vendor regularly conduct security assessments?
- How often are internal security assessments completed?
- Are the results of the last assessment available for review?
- What was reviewed during the last internal assessment (ex. Code review, risk assessment, vulnerability assessment, threat modeling, penetration testing, etc.)?
- Are external security assessments completed? If so, who conducted the assessment and are results available for review?
D. Data Incidents and Notification Policies
What happens if your membership data gets compromised? This could happen in many ways, for example, if laptops with membership data on the hard drive are stolen or lost; if your employee or volunteer accidentally reveals your entire membership email list publically by forgetting to using the bcc function; or if your vendor CRM system gets hacked. Regardless of the situation, it is possible that your members would want to know what happened with their data. Review your organization’s policies by considering the following:
- Does your organization have a defined incident response process that will be followed when a breach or incident is identified?
- Do your vendors have a contractual obligation to inform you if there is a data incident?
- If not, you should feel free to ask them for this information.
- Do your employees and volunteers know how to escalate a data incident so that the appropriate people in your organization can review and respond?
- If yes, when was the last time you conducted a training or review to ensure people remember the practice?
- If no, consider creating and socializing an internal escalation process.
- Does your organization have a policy around when and how to inform affected members of a data incident?
- If no, consider creating one.
E. Subpoena Policies
You and your members are stakeholders when member data is compromised in a data incident. Another situation that is probably of interest to both you and your members is when a government agency requests personal information. This could happen if your organization, or your vendor, is served with a subpoena by a US or foreign law enforcement agency requesting information on your members.
- Do your vendors have a contractual obligation to inform you if your organization’s membership data is implicated by a subpoena? If not, you should feel free to ask them for this information.
- Does your organization have a policy around when and how to inform affected members of a subpoena request?
- If no, consider creating one.