Tech Privacy: Navigating a New Digital World
Written by Eric Bandurski, Director, Data Services Group, One & All
Recent corporate ransomware attacks including those on Colonial Pipeline and JBS Foods have made headlines and sent jitters down the spines of governments, companies, and consumers alike. Infrastructure attacks and supply chain disruptions are real and massive threats, but less sensational hacks remain a risk to us all. Nonprofits, often smaller and more local than corporate clients, may think they’re immune to such cyber-attacks. They’re not. As the keepers of the prized personal information necessary to court and maintain donors, social good organizations must up their InfoSec and data privacy games to protect both their supporters and their organizations.
In early 2020, a ransomware attack on social-good CRM provider Blackbaud affected some 200 nonprofits and universities that use the system to fundraise. The breach went undetected for a full three months. In the meantime, hackers ran rampant in cyber crevices, gaining access to the names, addresses, and banking information of financial supporters.
And that was before COVID. Since the pandemic, cybercrime has increased by a whopping 63 percent, with human error accounting for most of it. As workers moved from the office to the home, organizations had to contend with less secure private networks and passwords scrawled on Post-it notes. With staff dialing in remotely, security controls were necessarily relaxed, making software systems very attractive targets for online predators.
The numbers are staggering. According to the FBI Internet Crime Center, complaints have nearly quadrupled, from about 1,000 a day pre-COVID to nearly 4,000 a day now. The latest data shows this trend is only getting worse. Global cybercrime losses nearly doubled to almost 1 trillion dollars in 2020. If the global economic impact is so great, then just imagine what it means for individual organizations.
Along with security concerns, rapidly changing data privacy regulations have further complicated the social good space. While Europe introduced its bloc-wide GDPR (General Data Protection Regulation) in 2018, backing up its data protection and privacy regulations with real teeth (Google was fined $57 million a couple of years ago by French regulators for falling afoul of the GDPR), the U.S. is likely years away from a similar national policy. Legislation is slowly winding its way through both houses of Congress, but only three states—California, Colorado, and Virginia—have so far enacted data privacy legislation.
Keeping abreast of and compliant with piecemeal and ever-evolving legislation is challenging. Colorado, for instance, holds nonprofits accountable under its Colorado Privacy Act (CPA), meaning if you’re an NGO based in Oklahoma soliciting donations from a Denver-based resident, you could be in breach of the state’s CPA despite having no presence there whatsoever. Not only are you responsible for your organization’s data security and compliance with wider privacy regulations, but you must ensure that the for-profit agencies you hire to share the load are doing the same.
At One & All, we’re investing significant time and money in information security and data initiatives, including engaging leading data privacy experts, adopting a “privacy by design” approach to data privacy, and implementing multi-factor authentication across the One & All network. Over the past year, we’ve spent nearly half a million dollars on security and data privacy-related technology and initiatives, while our parent company Omnicom’s recent partnership with InfoSum demonstrates our forward-thinking approach to business in today’s fluid data privacy and security world.