Nonprofits And Data Breaches

July 1, 2007 | Mark Hrywna

Scott Ksander compares the evolution of IT security to that of bank security. Whether it’s the Wild West or the 21st century, people still rob banks, despite the advancements in things like vaults and video surveillance. The big difference might be that banks don’t have 5 million records a month being breached.

If information from the Privacy Rights Clearinghouse (PRC) is any indication, you might think data breaches have reached epidemic proportions, particularly at colleges and universities. The San Diego-based consumer information and advocacy nonprofit lists a chronology of data breaches on its Web site, www.privacyrights.org, dating to 2005. Incidents listed on the site from January 2005 through early June of this year total 155,048,651 records containing sensitive personal information that have been involved in security breaches. That’s an average of almost 5 million per month.

With everything going online these days — including donor records and other organizational data — nonprofits must be careful to take precautions when expanding into the World Wide Web.

PRC lists only breaches that put personal data at risk that can lead to identity theft, with the majority of cases being exposed Social Security numbers, said Director Beth Givens. Still, the list includes breaches of personal data on a semi-weekly, at times daily, basis within the private and public sectors, whether it’s a hacker, a lost or stolen laptop, or an inadvertent Web posting.

“There’s some merit to the argument that the university environment for information technology is wide open. That’s the nature of academic life, not only is it wide open but it’s decentralized,” Givens said. “Universities of course want to provide maximum access to information technology for students and faculty, staff, researchers of all types. These are much less controlled environments than corporate environments.”

Ksander, the chief information security officer and executive director for IT networks and security for Purdue University, said tech security is in some ways following a path somewhat similar to that of bank security, if an accelerated one. “We had a time when we had fairly weak protection, mainly pre-Internet. The network has added another dimension to security.” There’s lots of work to do and many institutions are doing a considerable amount, he said, but “even when we get to where we want to be, we would be incorrect to imply that’s a 100-percent solution.”

Some colleges are getting out of the habit of using Social Security numbers as a means of student identification, specifically because of the threat of identity theft.

As a result of human error, not hackers or laptop thieves, Stony Brook University on Long Island inadvertently displayed Social Security numbers of nearly 90,000 faculty, staff, students and others this past April. The information was part of a process to reconfigure a university Web site, but an older file was never removed, according to Patrick Calabria, university media relations officer for Stony Brook.

“We’re also making sure that file, and files like it, such as those residing in a dead place, have been eliminated,” he said. “This incident certainly raised the consciousness of not using Social Security numbers as identifiers,” Calabria said.

“There are areas of the university where there is a perceived need to use them, and we’re making sure that perception is real.”

Organizations are using a variety of methods and procedures to ensure that private data doesn’t go public, or fall into the hands of identity thieves.

About four years ago, Purdue suffered a data breach that included nearly 80,000 names. The West Lafayette, Ind., school has since launched a four-pronged effort to keep its data safe, said Ksander.

The first step, obviously, is the standard technology solutions, such as firewalls, antivirus programs and intrusion protection. Second, policies, procedures and best practices must include a varied and well-delineated set of data handling rules that are required and documented for those who handle data. Third is the remediation aspect, to go back and get rid of things that aren’t necessary, such as data that were sensitive several years ago but haven’t been disposed of yet. “If you don’t have it, it can’t be breached,” Ksander said.

Finally, awareness and training is a regular and constant initiative, Ksander said, reminding people of proper procedures and being diligent.

The University of Colorado, which is listed multiple times in PRC’s chronology, has revised its IT security standards and policies to include an annual asset inventory, said IT Security Director Dan Jones. The goal is to require all departments and other units within the campus network to review and document what data they have, he said, in terms of criticality to a particular server, and whether it’s essential to business or campus operations.

With a network of 6,000 systems campus-wide, Jones said it’s important to segment the network to protect things internally. “From there, it’s a matter of vulnerability scanning from the central IT point of view,” he said, to identify systems that are vulnerable. “A network our size, you always have something occur.”

Data encryption

Encrypting data is the most common answer to the question, how do you keep your data safe? “Our chronology wouldn’t exist if sensitive data were encrypted,” said PRC’s Givens.

David Friedland, vice president of business development for CoSort, a Melbourne, Fla.-based data transformation company, said that while encryption is the magic word, it can be overkill. He suggested encrypting data only where it needs to be encrypted, down to the field level if necessary, which is faster and more useful than hiding entire records or files. The company already does field-level manipulation of data, and announced its field-level protection product this past spring.

Encrypting a laptop’s data is not a bad idea, except it cuts off access to everything, he said, not allowing manipulation of data or access to non-sensitive data. “If you had data encrypted during the process, it wouldn’t matter.

“By preventing, you don’t have to go through the pain and expense of overprotecting,” Friedland said.

Encryption isn’t the only answer for organizations, Friedland said. Anonymization removes the individual characteristics of data so what’s stored in the original field can’t be identified. There are different types of it, recoverable and non-recoverable, he said. Pseudonymization is similar, but it also allows the data to remain individualized, to be followed through different departments and to be identified again if necessary.
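The field-level approaches described above can be sketched as follows. This is an added example, not code from the article or from CoSort's product; the field name `ssn`, the in-memory `vault` and the sample rows are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a secret held by the data custodian, stored apart from the records.
PSEUDONYM_KEY = secrets.token_bytes(32)
SENSITIVE_FIELDS = ("ssn",)  # hypothetical field name

def pseudonymize(value, key):
    """Keyed, deterministic token: the same SSN always maps to the same token."""
    digits = "".join(ch for ch in value if ch.isdigit())  # 000-12-3456 == 000123456
    # A plain unkeyed hash is not enough: there are only 10**9 possible SSNs,
    # so anyone could hash them all and reverse the mapping. HMAC needs the key.
    return "p_" + hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:24]

def protect_record(record, key, vault=None):
    """Copy a record, replacing only its sensitive fields.

    vault=None -> non-recoverable: the value is discarded and masked.
    vault=dict -> recoverable: token -> original is kept in a separate store.
    """
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if not out.get(field):
            continue
        if vault is None:
            out[field] = "REDACTED"
        else:
            token = pseudonymize(out[field], key)
            vault.setdefault(token, out[field])
            out[field] = token
    return out

def reidentify(token, vault):
    """Look a token up in the vault; None if it was never issued."""
    return vault.get(token)

# Constructed sample rows: one person as two departments might hold them.
BURSAR = {"name": "A. Sample", "ssn": "000-12-3456", "balance": 120}
PAYROLL = {"name": "A. Sample", "ssn": "000123456", "dept": "Library"}

if __name__ == "__main__":
    vault = {}
    a = protect_record(BURSAR, PSEUDONYM_KEY, vault)
    b = protect_record(PAYROLL, PSEUDONYM_KEY, vault)
    print(a, b, a["ssn"] == b["ssn"], reidentify(a["ssn"], vault))
    print(protect_record(BURSAR, PSEUDONYM_KEY))
```

The non-sensitive fields stay readable in every copy, and the two departments' rows still match on the token without either holding the number itself.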

Have a plan

Organizations should have a plan in case data gets compromised, Givens said. If that’s occurred, a data breach must be analyzed to “plug holes” before an announcement is made, she said, but a group’s reputation will take a hit if it waits too long to notify people. “Affected individuals will lose faith in that nonprofit if they wait too long.”

Once a breach occurs, Givens suggested an organization provide information on what individuals can do to prevent identity theft, and other types of harm, such as establishing a fraud alert or how to contact the three major credit bureaus. “Give them a road map as to what they need to do to reduce the risk of identity theft and other types of fraud,” she said.

An important early step in the development of a data breach plan is coming up with an inventory, analyzing the personal information an organization has and determining how sensitive it is. If a nonprofit does not collect Social Security or credit card numbers, it may not actually need this kind of breach plan, Givens said. But for some nonprofits, names and addresses might be considered sensitive information.

Givens also suggested an analysis of sensitive personal information that organizations possess. Some organizations may never have done an inventory of all data they hold on individuals. “They might be surprised,” she said.

It’s just as important in that analysis for a nonprofit to examine whether it really needs to gather certain categories of information. “The best protection against a security breach is not having the data in the first place,” Givens said.

Part of the issue is tracking down data that’s sensitive, a chief information officer’s responsibility. Data at risk can be considered at rest or in motion. “Thumb drives, emails with data attached, that’s data in motion. Someone’s got to get a handle on that,” Friedland said.

“How to find stuff when it’s already out there is tougher than if you had protected it in the first place.”  NPT