Beyond Compliance. Protecting Donor Data and Your Non-Profit s Reputation

Transcription

1 Beyond Compliance Protecting Donor Data and Your Non-Profit s Reputation The most important compliance requirements that every non-profit needs to understand FEBRUARY Eglinton Avenue West, 4th Floor, Toronto, Ontario M4R 1K8 Telephone Fax

2 The most important compliance requirements that every non-profit needs to understand Non-profit executives and board members are being held to a higher degree of accountability than ever before For today s non-profit organizations there is an ever growing expectation of financial, privacy and information security accountability. Given the number of reports of data security breaches and identity theft in recent years, it s fair to say that public confidence in organizations ability to responsibly steward their information is at an all time low. Non-profit executives and board members are being held to a higher degree of accountability than ever before. Financial Accounting Requirements Responsible financial management requires thorough financial policies, procedures and controls. To ensure prudent financial management and minimize the risk of errors or fraud, these must clarify roles, responsibilities, approvals and the protection of assets. Since a significant part of their role is financial stewardship, boards should regularly review these policies. Non-profits are subject to significant scrutiny of both the security of their data processing as well as the integrity of their financial accounting practices. Control audits such as the CICA Section 5970 audit are used to test procedures for those organizations involved in processing donor data, including donations. These control audits include a thorough review of the safeguarding of assets, such as procedures to ensure that cash, cheque, credit card and pre-authorized payment donations are recorded properly, and deposited in the appropriate bank account. Another aspect of the audit is a thorough review of the security of an organizations database and physical documents ensuring they are protected from both technological failures and physical accidents. This audit also reviews the reliability of accounting procedures, including the receipting of donations in accordance with the provisions of the Income Tax Act (Canada) as well as the adherence to applicable privacy laws. Strict financial and data security controls are essential to protecting the long term success and reputation of your organization. Whether you manage your donation processing and data in-house or use an external vendor, you need to be able to demonstrate that strong financial and data security controls are in place.

3 Payment Card Industry Requirements (PCI) All non-profits that accept credit cards must meet the requirements outlined by the Payment Card Industry Data Security Standard (PCI DSS). While most non-profits are aware of PCI, many are unsure of its specific requirements. Often those non-profits that use a third party for donation processing and financial keying and reconciliation don t realize that PCI compliance may still apply to them. Often those nonprofits that use a third party for donation processing and financial keying and reconciliation don t realize that PCI compliance may still apply to them The PCI DSS is a comprehensive security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The PCI security standards were developed in an effort to reduce credit card fraud claims. Created collaboratively by the major credit card companies, this single security standard is managed by the PCI Security Standards Council. The requirements are many and include the following elements: Building and Maintaining a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Protecting Cardholder Data Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks Maintaining a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications Implementing Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data

4 Regularly Monitoring and Testing Networks Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes Maintaining an Information Security Policy Requirement 12: Maintain a policy that addresses information security Organizations that process donor information and donations should ensure that their physical facilities employ appropriate safeguards So, what are the risks of noncompliance? In the event of a security breach, you could be held responsible for the credit card company s losses or they might assess your organization higher credit card processing fees or impose other penalties. Even more importantly, you are subjecting your donors to the possibility of identity theft or fraud. If you process your donations in-house you need to question whether or not you have the IT resources to establish and maintain a comprehensive data security program. The cost of a security breach goes well beyond the compliance issue ultimately it s about maintaining donor trust. And if you outsource donation processing, you need to be sure that your vendor is PCI compliant. Privacy and Security Requirements Existing privacy laws require that organizations protect the data in their care with a degree of security that is commensurate with the sensitivity of the data. With requirements to notify donors in the event of a security breach, there can be significant consequences for organizations in the event of data loss or theft. While maintaining the security of your networks is critical to preventing this loss, often the most overlooked aspect of data security is the most obvious the physical security of your donation information and funds that come to you through the mail. Organizations that process donor information and donations should ensure that their physical facilities employ appropriate safeguards. These safeguards include passcard protected facilities, physical caging of donation forms, video monitoring of data entry and storage facilities and the use of armoured vehicles for the delivery of donation deposits. In addition, it is important for executives and board members to protect themselves by maintaining appropriate insurance coverage in order to cover the cost of security breach notification as well as any potential liability costs.

5 Beyond Compliance: Key Takeaways Today s non-profits operate under increased expectations and scrutiny To be successful, non-profits must establish comprehensive financial controls and data security practices These practices must be reviewed regularly by the most senior decision-makers in order to stay aligned with the regulatory environment and constituent expectations. Control audits need to be in place to ensure proper management of financial processes and information including donations PCI Compliance needs to be met to ensure donors valuable information is protected In-house teams and vendors need to demonstrate their ability to deliver on these protective measures and controls About Cornerstone Fundraising Services The Cornerstone Group of Companies provides prospecting and database management products and services to some of the leading organizations in North America. Our Fundraising Services unit provides fundraisers with complete back-end donation processing and database management services, as well as a variety of industry-specific web-based tools, such as online donation processing and special event registration. Cornerstone is a PCI Level 3 compliant vendor and validates its operations twice each year using an independent CICA 5970 audit.