Protecting Donor Privacy
Raymond K. Cunningham, Jr. CRM, CA, CIPP
University of Illinois Foundation

Posted 10-May-2015

DESCRIPTION

A presentation from the Big 10 Development IT conference in Columbus, Ohio
TRANSCRIPT

Page 1: Protecting Donor Privacy

Protecting Donor Privacy

Raymond K. Cunningham, Jr. CRM, CA, CIPP

University of Illinois Foundation

Page 2: Protecting Donor Privacy

Higher Education Institutions account for more security breaches than any other industry including financial institutions.

–Information Security News

Page 3: Protecting Donor Privacy

We are all subject to information breaches

Page 4: Protecting Donor Privacy
Page 5: Protecting Donor Privacy

• Security and Privacy

• Privacy and the Law

• Implementing a Privacy Program

• Credit Card Industry Security

Page 6: Protecting Donor Privacy

Security and Privacy – What is the difference?

• Security is a process - you implement security to ensure privacy

• Security is action

• Security is a strategy, privacy is the outcome

• Enterprise privacy and security management must be integrated

• Security maintains confidentiality and privacy

Page 7: Protecting Donor Privacy

Information Security – it is not a technical issue

• Often Security is viewed as a technical issue

• Many information breaches occur in the paper world

Page 8: Protecting Donor Privacy

Information Privacy – it is not a Legal issue

• Often viewed as a legal issue handed to legal counsel as a compliance issue

• While many privacy officers report to legal, it is not strictly a legal issue

• Privacy is a concern of all and should be a priority of any fundraising organization

Page 9: Protecting Donor Privacy

Navigating the Alphabet Soup: Privacy and the Law

Page 10: Protecting Donor Privacy

Changes in Information Policy

Federal

State

Ethics

Page 11: Protecting Donor Privacy

Trends

• Information Management Law is moving from the general to the specific

• What was formerly ethical is now being required by law

• Penalties are being strengthened and cases of theft/misuse are higher profile

• The ethics of information management are evolving

Page 12: Protecting Donor Privacy

Information Management Laws

FERPA

Page 13: Protecting Donor Privacy

FERPA - 1974

• FERPA – Family Educational Rights and Privacy Act

• Directory Data, Degree Data and Non-Directory Data

• FERPA block – blocks all data disclosure, including from the alumni database

Page 14: Protecting Donor Privacy

Information Management Laws

GLB

FERPA

Page 15: Protecting Donor Privacy

Gramm-Leach-Bliley Act 1999

• FTC has ruled that Universities are covered under GLB Affiliated Orgs (2003)

• Trust operations – issuers of Charitable agreements

• Financial Planners

• CPAs

Page 16: Protecting Donor Privacy

Gramm-Leach-Bliley Act 1999

• GLB provides for the protection of personal financial information – similar to FERPA

• Records containing financial information are to be protected.

– Financial Institutions are to make disclosures regarding their privacy policies and release to third parties

– Criminalizes certain practices of data collection services: obtaining financial and personal information by misrepresenting their right to such information

Page 17: Protecting Donor Privacy

Gramm-Leach-Bliley Act 1999

• Financial Privacy Rule – governs the collection and disclosure of personal financial information. It applies to those who receive such information.

• Pretexting Provisions – covers using false pretenses for obtaining personal financial information

• Safeguards Rule – requires all financial institutions to design, implement and maintain safeguards to protect customer information

Page 18: Protecting Donor Privacy

GLB - Privacy

• GLB protects consumers’ non-public information. Private information (PI) includes “personally identifiable financial information”

• Student Financial Aid and Loan information is protected under GLB

• Federal financial aid

Page 19: Protecting Donor Privacy

GLB Pretexting (diagram: Organization, Affiliate, Agency)

Page 20: Protecting Donor Privacy

GLB Safeguards Rule

• The Safeguards Rule requires financial institutions to develop a written information security plan that describes their program to protect customer information.

– Designate one or more employees to coordinate the safeguards

– Identify and assess the risks to customer information relevant to the company’s operation

Page 21: Protecting Donor Privacy

GLB – Safeguards Rule Compliance

• Select service providers that can maintain appropriate safeguards

• Evaluate and adjust the program in light of relevant circumstances including changes in business or the results of security testing

• Customer data stored at any off-site location

Page 22: Protecting Donor Privacy

GLB – Safeguards Rule Compliance

• Check references, before hiring, on employees who will have access to customer information

• Sign a confidentiality agreement or NDA

• Limit access to customer information based on business need

• Develop specific policies for the appropriate use of laptops, PDAs, cell phones

Page 23: Protecting Donor Privacy

GLB – Safeguards Rule Compliance

• Confidentiality training is required

• Encrypt information when it is transmitted

• Report suspicious attempts to obtain customer information

• Dispose of customer information according to the FTC Disposal Rule

Page 24: Protecting Donor Privacy

Comparison of Legislative Mandates

Columns: Mandate; Processes and Risk Management; Records Management; Data Security and Privacy; Training

Sarbanes-Oxley: X X X X (marked in all four columns)

HIPAA: X X X

California Bill 1386: X X

Gramm-Leach-Bliley: X X

FOIA: X X

USA Patriot Act: X X X

(Which columns the marks fall in was not preserved in the extracted slide, except for Sarbanes-Oxley.)

Page 25: Protecting Donor Privacy

Information Management Laws

GLB

FERPA

SOX

FACTA

Page 26: Protecting Donor Privacy

FACTA – Fair and Accurate Credit Transactions Act of 2003

• FACTA is directed by the FTC and mandates that employers and financial institutions subject to GLB are also subject to FACTA

• Information is to be disposed of so that said information cannot be read or reconstructed - destroy or erase electronic files or media

• Opt-Out for Marketing

• Conduct due diligence and hire a document destruction contractor

Page 27: Protecting Donor Privacy

State Personal Information Laws

• HB 1633 (PA 94-36) Effective January 1, 2006

• Personal information is defined as: SSN, driver’s license number or State ID card, account number, credit card number

• Notice of a breach of security should be given in the most expedient time possible, without delay

Page 28: Protecting Donor Privacy

Illinois State Law

• Customers must be provided notice in writing, or electronic notice provided it meets the electronic records and signatures requirements for such notices

Page 29: Protecting Donor Privacy

Illinois State Law

• Illinois law is more broadly applicable than the California statute – the data collector provisions are broader and include public and private corporations, universities and financial institutions.

• Violation of the law is Consumer Fraud under Deceptive Business Practices Act

Page 30: Protecting Donor Privacy

Implementing a Privacy Program

Page 31: Protecting Donor Privacy

Six steps for creating a Privacy Program

• Information Asset Inventory

• Risk Assessment

• Policy Review

• Develop Policies and Practices

• Conduct training

• Monitoring

Page 32: Protecting Donor Privacy

Asset Management

• Understand your information assets - inventory

• Locate and identify what is to be protected

• Differentiate between the “owner” and “user”

• Record Retention Schedules – business need or regulatory requirements

Page 33: Protecting Donor Privacy

Asset Classification

• Assets should be evaluated as to sensitivity and confidentiality, potential liability, intelligence value and criticality to the business

• Classify assets – Confidential, Proprietary, Internal Use Only, Public

Page 34: Protecting Donor Privacy

Map the Organizational Data Flow

• Map points of data collection – examine web forms, email collection, call centers, POS, Contests, Surveys, chat rooms, marketing lists

• How does data move through the system?

• Is the data held in-house or is it outsourced?

• Is any PII collected from outside the US?

Page 35: Protecting Donor Privacy

Risk Assessment

• What are the risks with your storage practices?

• What are the physical storage requirements?

• Are personnel tasked with the protection of the information?

Page 36: Protecting Donor Privacy

Conduct a Policy Review

• Develop the principles that will guide your strategy

• Involve stakeholders, senior management and legal – Get Everyone on Board!

• This is not an IT Problem

• Review all applicable regulatory requirements particular to your industry

Page 37: Protecting Donor Privacy

Elements of a Good Privacy Policy

• Commitment to Privacy

• Information Collected

• How Information is Used

• Commitment to Data Security

• Commitment to Children’s Privacy

• How to Access or Correct Your Information

• Contact Information

Page 38: Protecting Donor Privacy

Training

• Training is one of the most often neglected pieces of the program, yet it is one of the most important

• Train your employees prior to exposure to information systems – supply handouts

• Train employees to report information breaches - contacts

• Train employees annually on your policies and compliance issues

• Develop an ethical culture

Page 39: Protecting Donor Privacy

Monitor Compliance

• Conduct audits of security procedures

• Review systems annually

• Conduct incident response drills – convene your incident response team

Page 40: Protecting Donor Privacy

PCI DSS – Payment Card Industry Data Security Standard

What should I know?

Page 41: Protecting Donor Privacy

Twelve DSS Requirements

1. Install and Maintain a Secure Network

2. Do not use vendor-supplied defaults for system passwords and other security parameters

3. Protect Stored Cardholder Data

4. Encrypt Transmission of Cardholder Data across open, public networks

5. Use and Regularly update Anti-virus software

6. Develop and Maintain Secure Systems and Applications

Page 42: Protecting Donor Privacy

Twelve DSS Requirements

7. Restrict Access to Cardholder data by business need-to-know

8. Assign a unique ID to all users

9. Restrict physical access to cardholder data

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

12. Maintain a policy that addresses information security for employees and contractors

Page 43: Protecting Donor Privacy

PCI DSS – Payment Card Industry Data Security Standard

• Merchants must comply with the standards

• Should a breach occur the fines are substantial, up to $500,000 per incident (VISA)

• Audit through self-assessment

• Most organizations are outsourcing a part of this process – vulnerability scans

Page 44: Protecting Donor Privacy

Conclusions

Page 45: Protecting Donor Privacy

Ray’s Recommendations

• Gain the Support of Senior Management

• Encourage a culture of confidentiality

• Have a policy in place and enforce it

• Be specific on roles within the organization

• Have mechanisms in place to sign on and sign off users efficiently

• Train all users before log-on in confidentiality and security

Page 46: Protecting Donor Privacy

Ray’s Recommendations

• Monitor users

• Create an incident response group and provide a way for employees to report data loss

• Tell donors what you are doing with their data

• Allow donors to opt out

• Dump SSNs where not needed

• Monitor Third Party Contracts

Page 47: Protecting Donor Privacy

Resources

• International Association of Privacy Professionals IAPP www.privacyassociation.org

• EDUCAUSE Information Technology and Security 2003

• Kahn, Randolph Privacy Nation 2006

• ISO 17799 International Organization for Standardization www.iso.org

• PCI www.pcisecuritystandards.org

Page 48: Protecting Donor Privacy

Contact information

• Raymond K. Cunningham, Jr.

• Manager of Records Services

• University of Illinois Foundation

• Urbana IL 61801

• [email protected]

• 217 244-0658