States Push To Encrypt Personal Data
November 15, 2008 Michele Donohue
Fred Schultz, CEO and founder of the Foundation for Positively Kids (FPK) in Las Vegas, deals with a lot of confidential information in his program for medically-dependent children. The organization stores names, addresses, medication, family information and donor credit card information.
A good portion of that information arrived via email. That system now must be overhauled to accommodate a new Nevada law which requires personal information transmissions to be encrypted.
"We are trying to take care of sick and dying kids – why do I have to worry about a new Nevada encryption law?," Schultz asked rhetorically.
Nevada is not alone. A data security measure becomes law on January 1 in Massachusetts and it is being talked about in several other states.
FPK’s information technology (IT) support implemented a new program that would require recipients to have a password to access sensitive emails. "It’s the law, and whether it has teeth behind it or not, there has to be an effort made by nonprofits large and small to try to abide by what the new statute would be," Schultz said.
The Nevada law, which falls under Nevada’s Miscellaneous Trade Regulations and Prohibited Acts, states that personal information cannot be transferred through electronic transmission outside a secure system unless it’s encrypted.
Both Nevada and Massachusetts define personal information as: "a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted: (1) Social Security number, (2) Driver’s license number or identification card number, and (3) Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account."
The Nevada statute holds organizations financially accountable for security breaches, which could include civil law suits from affected parties.
Schultz, who is also the Nevada Association of Nonprofit Organizations (NANO) board chair, said even though the law went into effect October 1, nonprofits leaders haven’t been talking about it and the topic didn’t even make NANO’s last newsletter. But Schultz said the compliance stress should take a backseat to accountability. "I think you should try and put yourself in the situation of the person whose personal information is floating through the waves."
Movement on privacy at the state level is a positive, according to some nonprofit leaders. "I’m glad something is happening on the state level and I think it’s really critical for the nonprofit sector because we are about data now all the time," said Holly Ross, executive director at NTEN in Portland, Ore. Ross explained that nonprofits are becoming more technology savvy, and need the data security to match. "We have data swimming around everywhere so we need to start becoming much more careful about how we collect and store and use that data."
Organizations shouldn’t breathe a sigh of relief just because they live outside Nevada or Massachusetts state limits. Organizations that use credit card information should check if they are in compliance with the Payment Card Industry Data Security Standard (PCI DSS) developed by PCI Security Standards Council (PCI SSC) members – American Express, Discover, JCB, MasterCard and Visa. PCI SSC developed measures intended to mitigate security risks with any business or organizations processing the credit cards from PCI SSC members, which are considered merchants accountable for self-assessment or independent assessment from the payment card branches.
"It looks like from these laws that the trend will be moving away from just Web site information into any personally-identifiable information, potentially like addresses and phone numbers. We might all have to start thinking about increasing the security and our Web site whenever we are taking information from our stakeholders." said Ross.
She suggested nonprofits discourage donors from sending credit card information via email. Instead, donors should be directed to Web sites secured with secure socket layer (SSL), which browsers encrypt credit card information to safe sites.
Peter Campbell, IT director at Earthjustice in Oakland, Calif., recommended nonprofits invest in a donor management system – even if managers are hesitant about spending the money.
Having all donations go through the Web site means they are going directly where they need to go and there is less handling – it’s more efficient in the long run," said Campbell. "The automation can do things to remove some grunt work that some poor, over worked person in fund development is doing typing credit card numbers from email, and it can secure the whole thing for the donor."
Craig Shapero, senior vice president at McLean, Va.-based Sage Payment Solutions, said some nonprofits might not realize they have compliance issues, but laws can trigger awareness. Vendors with PCI-compliant software have tried to explain the benefits of secure data transmission to nonprofits for years.
"Effectively, me saying it’s a good idea is not reason enough maybe to make the transition, but reading that you are actually breaking a commerce law makes it a little bit more real," said Shapero. Cardholder data protection under PCI compliance includes trashing information such as PIN numbers, card verification codes, and authentication data and protecting cryptographic keys. And while organizations should follow PCI compliance requirements, Shapero believes that "when [a requirement] becomes statutory, it’s that more real."
Mark Levitt, senior director of creative services at New York City-based CardPartner, Inc., which deals with Visa affinity credit cards, said that nonprofits using those affinity cards wouldn’t be affected by the new Nevada legislation. All credit card transactions are handled by UMB, a bank in Kansas City, Mo., which "doesn’t share with our groups any information about card holders," said Levitt. Nonprofits using the affinity cards receive information on how many credit cards are in use and the retail charge volume compensation, but no personal information on which members are using the card or purchase amounts.
And securing personal data should not begin and end with data encryption, according to Kami Razvan, Ph.D., founder and chief executive officer of Click & Pledge in Blacksburg, Va. "Security is by design — security is not an action," said Razvan. "The highway system is not the problem — it’s the driver. The highway system by itself does not cause accidents."
He explained that maintaining donor information should be a part of a comprehensive security plan. Organizations that spread information through Internet platforms, like email, or list credit card numbers on insecure Microsoft programs, like Excel or Word, need an overhaul. "Let’s say that this nonprofit organization receives this Excel spreadsheet and encrypts it — are the donors any safer than if that data wasn’t encrypted? It’s already compromised — you are only as secure as your weakest link," said Razvan.
With the Nevada law in force and with Massachusetts ready to go, other states are expected to soon follow. A bill in the Michigan state senate introduced this past January would require personal information to be encrypted and, in the event of a security breach, credit card companies affected would be able to bring a civil suit against an organization, including any refunds or cost for replacement cards. A state senate bill in Washington State would require organizations using personal information to comply fully with PCI regulations. "Nonprofits should be getting ready now," said Campbell of Earthjustice. "If your donor management system is a Word document or an Excel spreadsheet – you have a longer way to go." NPT