Donor Data: 4 Ways to Keep It Safe

Trust is an essential component in any relationship. Your donors trust your nonprofit and respect the good work it does. Protecting this relationship starts with guarding their personal information. At this point you could stop reading and say, “Yeah, we’re good here…” But I encourage you to keep reading, because there is a clear shift in the tactics that cyber-criminals are employing. It’s not just about credit card information anymore (although this is a biggie); it’s also about long-term identity theft.

Below are 4 ways to protect your donors’ information.  Are you following these best practices?


 

1. Think Twice Before Writing That Card Number Down

When a donor calls to make a donation over the phone, don’t write down their card number. Rather, with the donor on the phone, key their card number into your point of sale solution (e.g., virtual terminal, physical terminal) and process the transaction. This way you can tell the donor right away whether their transaction was successful, and you have no written card data to destroy afterward.

Now, is this to say you can never write down a credit card number? Of course not, but you must be smart about it. Outline this process in your organization’s Security Policy so everyone follows the same best practice: when, if ever, card data may be written down, and how and when it is to be destroyed.


 

2. News Flash: Email Is NOT Secure

Email is not just restricted to you and the intended recipient(s). There are four basic places where email can be compromised: your device, the network, the server, and the recipient’s device.

While servers are out of sight and out of mind to most users, this is where your email messages are stored. Anyone with access to the mail server (authorized or not) can read all email messages, including deleted items. This is why you should never email credit card data.

In the event you receive card data via email, you must securely delete that message from your device and the mail server, and then delete it from the deleted items folder. This also applies to the sender of the message, who must delete it from their sent items and then from their deleted items folder.

 

3. Computer Security: It’s a Non-negotiable 

All computers within your organization need to have antivirus software installed and enabled. Antivirus software is a basic essential to owning a computer and is all about prevention. It actively works to prevent viruses from being downloaded to your computer. Should a virus be found active on your machine, the antivirus software works to quarantine the suspected virus for review and deletion.

Many antivirus programs also have malware protection. Malware can be downloaded to your computer by clicking on a bad URL when surfing online or by opening a virus-infected attachment, to name just two ways. Malware removal addresses active viruses that may get past the antivirus software check and works to safely remove them.

If you are not currently running antivirus or malware software, there are many solutions out there. Kaspersky, McAfee, and Norton are three of the top security software providers which have solid solutions for your protection.

 

4. Securing Sensitive Information

What sensitive information does your organization retain?  The following questions should be answered in order to shape an effective Security Policy for your organization:

  • Identify what sensitive information you have by taking an inventory of your assets (think of the data you have which could be used to facilitate identity theft).
  • Who has access/permission to that information?
  • How is your sensitive information secured and what policies do you have in place to protect this data?

Once you have answered these questions, you can make decisions to limit your liability and protect the information you need to retain. Obviously, if you don’t have a legitimate business need to keep the sensitive data, destroy it and consider updating your Security Policy to no longer retain this type of information. Next, you can restrict employees’ access to sensitive information which is not required for their job function.


Security is everyone’s job.  No one expects fraud or a data breach to happen to them.  If you or your team have yet to have a conversation about the items in this article, or security in general, call a meeting and begin the conversation today.