Episode 9: Knowing About and Ensuring Data Security
Welcome to another edition of “Around with Randall”, your weekly, ten-to-12-minute podcast about making your nonprofit more effective for your community. And here's your host, the CEO and founder of Hallett Philanthropy, Randall Hallett.
Appreciate you joining me this week on the podcast. Want to delve a little bit into the compliance and legal side of philanthropy and fundraising, and applicable well beyond healthcare, to say the least. Maybe it's my law degree - I still love reading Supreme Court decisions and the dicta that comes along with various cases. But I have been following, as many have been, the stream of data breaches that has now reached into philanthropy in a major way.
As probably you're aware, or you've heard rumblings about, Blackbaud, through its product Raiser's Edge NXT and its CRM platforms, had a data breach. I don't want to throw the company under the bus, there are enough people doing that already, but I think it's a really good opportunity for us to learn about the importance of compliance, security, and working with people who are really talented in this area within your organization, whether that's compliance, legal counsel, or someone else.
Just a little context, but without even a shadow of a doubt, the breach of the Blackbaud online platform with Raiser's Edge NXT has been the largest breach in healthcare history. To this date, we still don't even know the amount of records that could potentially have been invaded outside of even healthcare. Obviously, Blackbaud Raiser's Edge controls an enormous percentage of the market in education, social services, and other places, but in healthcare, because of the way the laws are written, it actually has more teeth in terms of damage. At least potentially, we're talking about millions and millions and millions of records, not only in the United States, but around the world. And in healthcare, we're talking about organizations, huge organizations, that are places like Inova with million-plus records, or Advent Health System, which could be in the multiple millions. SCL, which is out of Colorado - the Sisters of Charity of Leavenworth - is north of probably 500,000 records. It just goes on and on and on and on, and it's going to be a challenge going forward.
The other interesting thing that's come is that there are now lawsuits that are being pushed forward. And in fact, just recently here at the right end of 2020, the federal courts have gotten involved and started to bring a lot of these lawsuits and these filings together so they're not running in parallel jurisdictions. They're gonna probably end up with one massive case to look at this if it gets that far, but certainly in terms of negotiation. Just recently the federal courts brought these together for Blackbaud in terms of its data security practices, how people had unauthorized access, the extent of what personal information was actually breached, when Blackbaud should've known or did know.
What is the investigation? What kind of investigation did they do under the breach, and the alleged delay, if there was one? That's all kind of the legal side. I just like saying it cause I remember studying it a long time ago, at least some things like it. What it all means is that for a number of years, particularly in health care, but I think it's applicable in education and other places, there are obviously different databases.
So in healthcare, it's the electronic health record, which is the most protected record there is. In education, it's around the grades, where student information is kept. That's at a little bit different level of security traditionally than the donor database or the client relations management system that foundations use. In other places, records around, if you're an art collector, what kind of art and how, you know, things are kept in security…that's going to be different than a donor database.
Anything dealing with social services, where you're dealing with potential private information about the people that you're serving. All of these things include things like social security numbers in many cases. So I bring this up because we've been allowed in philanthropy to kind of run parallel, but really outside of the view of compliance and legal. I mean, they're aware we're there, they're aware that we have a system for the most part, but they don't look at us, treat us in terms of security as they do the electronic health record or the student grades and student records or whatever database they're using, or the type of information in social services, or we've mentioned art and the security that goes along with that. We've been allowed to kind of operate in a little bit of a silo.
And what I'm here to tell you is that it's my belief that this lawsuit, and then because of COVID and a presidential election, that a lot of attention was drawn away from this. As COVID becomes more controlled, hopefully, and the election, we're past that, I think state attorneys general are going to get involved with this because their citizenry was affected, and we're going to have massive investigations.
What this is all going to lead to is that the siloing, or kind of the independence, that philanthropy has enjoyed when it comes to databases is going to end. Quickly. And there are some things we need to get ready for. And then if you are a database manager or you're the chief development officer, or you are a leader inside the organization within philanthropy, you're going to have to get ready for some changes.
Some things that we normally think are easy are not going to be anymore. So as we try to every week, let's talk a little bit about the tactical. What are some things you can do right now to kind of get ready for this and what your organization probably is going to start pushing and asking a lot of questions about if they haven't already?
Number one is you desperately need to sit down with whomever is in charge of compliance, legal, security. And that could be a myriad of people, depending on the type of philanthropy that you're in. Compliance has its own department in healthcare. But it might be the security you have in education. Whatever it is, you need to sit down and have a conversation and say, look, this is what we do.
We want to make sure our data is secure. I've talked to and had multiple conversations with absolutely distraught clients who are now having to send out letters in healthcare. If you didn't know this, it's required that you notify if there's a breach. They're having to send out letters to their donors saying your information might've been taken.
That is not a letter you want to send, and you can justify it by saying, well, it was somebody else's fault. It's somebody else who did it. It was a third-party vendor. But at the end of the day, the donor doesn't care; the donor is looking at you saying, well, how did you let this happen? So an affirmative step tactically, the first thing is, sit down with compliance. Talk to them about what you do, talk about compliance and how security works and things of that nature.
And the second thing is you need to be ready for change. You're going to probably have to look at two-part authorization. Like we think about when you log in to pay your credit card bill, they send you a six or eight-digit code via your cell phone. There probably is going to be something coming down the road like that, which you might think of as inconvenient, but legal and compliance and security are going to say, we don't care.
Where and how, and who has access to data, is going to change. So sitting down and being ready for change are the two biggies. And remember this, and I've had my own, I don't want to call them run-ins, but my own conversations with security people and compliance people over the years, and maybe it helps that I'm a lawyer and I know what the law is. I actually have a copy of what it is in healthcare, out of page 5,700 from the federal regulations, that I carry with me as an example.
These are good people. They're doing their very best. They don't understand what we do. And all they know is that they are concerned about what their responsibility is, which is, by the way, a good thing: not having people have access to data they're not allowed to have. They're coming from the right place. And if you aren't affirmative and supportive of what they're trying to do, they have the ability just to shut it all down until they can figure it out. So going in with the right attitude, asking the right questions, being willing to educate, being willing to partner is really an important, not only tactical step, but it's also important philosophically. So, that's number one: a sit-down with compliance. Be ready for change. Have a good attitude.
Number two is you're going to have to probably work with vendors. So I think the idea of how people screen data, whether that's wealth screening or the other, which we've talked about on previous podcasts, the coming viewpoint of looking at likelihood, is going to change. These security requirements of where data is screened and put back and uploaded and downloaded are going to be different. And so getting your vendors to be prepared for that is really important. And another piece of this is the insurance that consultants or third-party vendors are going to have to carry is going to go up, which is not cheap.
And so there may be situations where you run into a scenario where a vendor can't afford that kind of security. How are you going to handle that? If that's the vendor you really want, and I'm not just talking about screening, I'm talking about analysis, I'm talking about consultants like myself, I'd begin that conversation with key people to say, look, our organization's having a lot of questions, has a lot of conversation going on, discussion internally, which is appropriate. You should just be aware. I think you would help your relationship with your vendors, your consultants, and the people that support your activity to make sure you're ready for those changes.
And then finally, know what the rules are. They're different in each part of our philanthropic segments in the industry. You know, for us it's HITECH and the changes to HIPAA. In education, what drives the security conversations is FERPA, and the ability for that law from the 1970s to protect data. Know what the rules are, what you're allowed and not allowed to have, how it needs to be secured, and what the implications are of some type of breach. Because if you don't, you're already in the hole. When you're talking to compliance, you need to be at least somewhat knowledgeable about what the rules are. There's a lot of different places that you can find that information.
The last is kind of a crazy, I'll call it coincidental, parallel track to what we're talking about, and that's coming out of COVID. I think that security is going to get more challenging, and it's probably a good thing that it is, because we're working remotely. What kind of security do you have if you're working from home on your wifi? How do you get into systems at some point? My guess is there's going to be some requirements to say if you want to work from a third location, a third-party location, i.e. your home, another office, remote learning… whatever… they're going to mandate certain requirements on something like your home wifi and your router. What kind of security do you have there? Because they need to guarantee that someone can't get in through a side door. So this is more than just downloading something, which is something very standard talked about, you know, going to an email and the phishing, and you click on something and it downloads malware.
It may get more complicated than that. And so your ability to think about, okay, I've got people working in all these different locations, do they all have the type of security we need? Do they all have passwords on a particular wifi at home or wherever they are? Do they use public wifi? All things. Does someone else have access to that wifi? I mean, think about this scenario. You got two kids studying at home, and your employer all of a sudden says you gotta be on your own wifi network. We just can't allow third parties to be sharing that wifi band, even with the right security. So there are a million things you can worry about, but these are a couple of tactical things that you might take with you.
But I really encourage you to sit down with compliance and start talking about it and trying to get out ahead of it. You'll find that there are good people trying to do the right things.
Just a couple of quick reminders. Don't forget about the blogs on the website. That's Hallett Philanthropy, two L's and two T's, hallettphilanthropy.com.
Two or three a week, really, just about our profession - 90-second reads. I'm not going to take a whole lot of time, kinda like the podcast: keep it short, keep it sweet. Make sure that you're directed in what you're trying to get to.
Also, if you have a comment about this podcast or any podcast, two places you can go.
Well, the first one is, if you disagree on something, my homage to Clark Howard and "Clark stinks," I call it "Randall reeks": randallreeks@hallettphilanthropy.com, R-E-E-K-S. If you disagree with something or have a comment, or if you want to make a suggestion about a particular podcast subject, I'm glad to take those. That's at podcast@hallettphilanthropy.com. As I do each and every week, I want to remind you what you're doing out there in the nonprofit world is so incredibly important. It's a vocational call. Those of us who love what we do, who really don't think we go to work every day, but we go to make a difference.
You're one of those type of people, most likely, if you're listening to something like this. Thank you for what you do. Embrace the ability for change, even though it's complicated, even though it's hard; it is so worthwhile to know you're changing your organization and your organization's affecting your community, making a difference for a lot of people who aren't represented, not heard most of the time.
It always brings me to my favorite quote. Some people make things happen. Some people watch things happen. Then there are those who wondered what happened. And I love that because in life we fall into one of those categories, every moment we're breathing.
And the great thing about fundraising philanthropy is that we're people who are making things happen for people who are wondering what happened. And I don't know a better way to spend a professional career. I've looked. But this is the best. So thank you for what you're doing for your nonprofit and for your community.
And for those that you're taking care of, it is a worthwhile, worthy, lifelong professional endeavor. We'll see you next week on Around with Randall, and remember, make it a great day.