From Kamran Razvan:
As I was reading a recent article in the Harvard Business Review I could not help but think about an interview I did with the NonProfit Times a while back. The interview was about a recent law in Nevada that mandates all nonprofits to encrypt the donor data and the interviewer wanted to know how that will impact our clients.
As far as I can see it, the “new” law is nothing new and it practically is a watered down version of PCI certification that companies such as ours have to go through on an annual basis. What I find more interesting is the notion of mandating encryption of donor “data” by the nonprofits. So I asked what the law means by “data” and at what point the data is supposed to be encrypted. I gave the following examples:
1: Donor email: The spammers have the email, so what is meant by encrypting the email that is already exposed? Who among us does not get the million dollar inheritance that our Nigerian cousin has left us and we have not yet claimed?
2: Donor mailing address: We all receive junk mail at home, office, and anywhere else that our name is associated with. Apply for a credit card and your address is exposed to the world. So is it important to encrypt the address?
3: Donations: Check any nonprofit annual report and tax filing and most of the information will be presented through the IRS or, in the case of political fundraising, by the FEC.
Let’s go back to the address - Let’s say the donor information is encrypted and is residing in the database. The organization sends solicitation letters through a mailing house and simply emails the mailing address via email to the mailing house. I am quite sure that neither the mailing house nor most nonprofits uses any type of encryption system nor most of nonprofits know how to exchange public keys to encrypt and decrypt such emails.
Any security practice is as good as the weakest link. Once the data is exposed, it makes no difference what one does with that data afterwards.
The only piece of donor information that should be encrypted is the credit card number and, by PCI standards, organizations should not save that information in any shape or form, be it on a hard drive or on a solicitation letter.
Of course the law could have made PCI certification mandatory for all nonprofits but we know very well that the cost would be so prohibitive that most nonprofits will not be able to afford it, hence making the law just a collection of words on a paper.
Security is a designed process that takes over every aspect of one’s behavior. If data is exposed, one should assume that it is compromised.
How does your organization handle donor data? What are your thoughts about security and privacy? What do you see as the difference between these two words?
As e-citizens, our definitions of privacy and our perception of our “private lives” have changed a great deal.
Excellent article... Keep up the good job Kamran!
Posted by: Acai Optimum | January 24, 2010 at 05:23 PM
The company that can afford the highest level of privacy will win on communication market. It is a fact
Posted by: writing online | October 13, 2011 at 08:18 AM