#t4gDenver: Notes From Our Privacy & Compliance Meetup


Thanks everyone for coming out to our meetup last week! Here are the notes from the meeting, via organizer Maddie Ganzlin.

Attendees 

  • Maddie - Boys & Girls Club
  • Tyler - Students for Sensible Drug Policy
  • Ester - Planned Parenthood
  • Ryan - Work Life Partnership
  • Jaala - Planned Parenthood
  • Cynthia - United Methodist Church
  • Greg - Tech4Good
  • Joe - Civic Corps/Tech4Good
  • Julie - Trinity United Methodist Church
  • Daniel - Collaboration Lab
  • Lou - ACD Direct/Tech4Good (PCI Compliance Expert)
  • Annette - National Foundation for Financial Education/Tech4Good
  • Kevin - Doing Good Foundation 
  • Cara  - Boys & Girls Club/Tech4Good
  • Sakia - CU Foundation (Gift Compliance Expert)
  • Melissa - Tech4Good
  • Danielle - Home Aid Colorado

NOTES

Maddie: Prodigy allows non-profits to utilize the space. Social enterprise that allows at risk youth to develop barista/service & workforce development skills. Open 2 years today.
Informal discussion/conversation today - No agenda or speaker. Many experts among the crowd. 

Cara: CHRO sent the new Colorado Data Security Law - covers any paper/electronic documents: SSN, passports, military ID, student ID, etc. Need a policy on how you will secure this data. Modified in May, goes into effect in September. Colorado Department of Revenue. HB18-1128.

Lou: The law is only catching up to "best practices"; it's a standard HR practice. Hopefully no one is freaking out about this.

Cara: Hope that through the database, the information can be masked.

Saskia: This isn't very different than GDPR. Should be doing this already.

Lou: If you have this information - document how long you are keeping it, how you are securing it, how you will notify people of a data breach. How do you document & enforce the policy? Will it withstand a breach?

Daniel: PCI compliance. Overhead can be really ugly. Privacy compliance with the management, what is the liability. What is the challenge with this?

Lou: Most non-profits don't need robust PCI compliance. The database is responsible for this compliance. Capturing card info over the phone needs a process, but after it goes into the database, it's the responsibility of the database maintainer.

Joe: Non-profits collecting CC info need to know how to get rid of this info.

Lou: After it's entered, get rid of it. Don't keep this info written down anywhere. Just input it into the website immediately.

Daniel: Network security (firewalls, etc.). The risk is being pushed down to the network level from the CC processors. A PCI compliance audit looks at network infrastructure. Non-compliance costs additional money in risk assessment. Square seems to offer the same service with fewer requirements to harden the network.

Lou: Non-profits - don't store your own data! Get your info to a database vendor. Off-load the risk/responsibility. Make sure the data sync process is secure, but mitigate the risk of administering the network.

Cara: Written policy to not do company work on personal devices. People use Macs because they don't like the issued PCs. You can set up rules, but if they aren't communicated, they will be ignored. We should be doing this stuff by the best practices.

Jaala: People are terminated if they are using their personal equipment. HIPAA audits check for this. First offense is a warning. The organization informs people that if there is litigation, their personal property will be confiscated as part of the process.

Lou: Everyone works from home. They are completely remote, working on their own devices & networks. Everything is managed by user-end controls. Everything is very restrictive. The payroll processor, ADP, provides the user training & compliance testing. This is part of the onboarding process. All the responsibility is offloaded onto the employees. Higher insurance/liability for the organization, but savings from not running a brick & mortar.

Daniel: You have all types of organizations. Those with robust "corporate" networks. Salesforce gives you 10 free seats. You can piggyback on their data policies. Google also offers 501(c)(3) products at a discount, with great data security as well. Fundraising events for small non-profits - rely on Square. It's reliable and offloads the risk of the network. Can utilize any network, can revoke the certs after the event. The majority of users at these orgs are 65+ - they can't figure out the VPN technology. Has anyone experienced a data breach in a cloud-based database environment where a VPN isn't utilized?

Tyler: Small staff. Never had a full-time IT person. Use NationBuilder. Haven't yet had an issue, but there is real worry. Using the product for 5-6 years. All the data is there, so it's not feasible to move. There isn't much comfort from the provider - there isn't much security (like CAPTCHA) on the signups. Rely heavily on the API & webhooks for integration with the website.

Lou: Force the vendors to prove their security when you go for contract renewal. In the contract process with vendors, force the data security requirement on the vendor. Square is great because it's a super-easy platform. If you are taking monthly recurring donations, be very careful who your payment processors are. When you move databases, you can't assume that you will be able to get the encrypted CC info to move into the new database. Products like Sage won't give up these CC numbers for you to do a data migration to a new DB.

Daniel: Appropriate insurance to mitigate the risk. Breach insurance. New tools coming out to mitigate the potential risk. Smaller orgs reach a point where they have insurance, but they haven't thought about the other parts of a data breach & how they handle PII. Don't just push your vendors into the fire - you might just cause them to "give up." Tech4Good should look at providing a list of insurance providers around that offer this type of data management experience.

Lou: Any good vendor should be well-versed in this space. You should be able to push them to provide proof of compliance. Give your employees PCI compliance training - get the vendors to help with the forms for this. You push the responsibility of the compliance onto your employees using the documentation from the vendors.

Danielle: We use a lot of work-arounds. We're now "booming" at 3 people. We use Dropbox instead of a VPN. We use Salesforce, partly in sandbox. A lot of data lives in the cloud. Is there something beyond SSN & CC info that we need to be worried about?

Cara: Dropbox is terrible. Office 365 has a better security structure & is free for non-profits.

Daniel: Lots of clients use Dropbox. Lots of better alternatives. Box, which has heavy compliance. Office 365. Google Drive is also a great option.

Cara: The basic level of Office 365 is free. Includes OneDrive & SharePoint.

Daniel: Office 365 is great if you're used to it. Google Drive doesn't alleviate the need for Office licensing. Google Drive File Stream is a great product for desktop syncing. Google Backup & Sync for all your desktop items. Drive File Stream is a clean UI. Allows selective smart sync. The majority of documents aren't kept on the computer. Tools with Google allow you to wipe a machine remotely. Using File Stream means they don't have a large amount of data on the PC.

Danielle: Dropbox isn't perfect, but it was a better solution than keeping all their data on their personal PCs & emailing files.

Daniel: When you renew, check the options. Dropbox is offering some pretty solid options. Their renewal plan is a bit disappointing, but they are providing better security with the full version.

Danielle: We have working committees. They weren't using anything like Office 365 before. It's very messy. We use Google-hosted email & some of the Google apps. Hybrid solutions.

Lou: Get the $10,000 Google grant to help pay for the G Suite of products. Not just for AdWords.

Cara:  Everyone needs to check out TechSoup. 

Lou: TechSoup offers discounts on paid Slack. Slack just bought Snapchat.

Daniel: Google allows for the remote wipe of devices. When employees leave, you can still ensure they aren't taking data with them. You need a policy for this documented & in place.

Danielle: Using a hotspot with a Square.

Daniel: Have a policy for not utilizing public wifi networks. Have employees use their phone hotspot by policy instead of wifi when not using a VPN.

Jaala: Scare the crap out of your users. We tell them about Pineapples. A cheap device you can get for $100, where you can spoof a legitimate network & filter all data through your device.

Cara: Use your own trusted cellular-provided network. You get a free hotspot & it's $10 a month from TechSoup for a Verizon device.

Lou: You should have a wireless policy to explain all of this.

Cara: TechSoup is a clearinghouse for getting non-profit discounts on hardware & software. (Full disclosure: Tech4Good Denver has TechSoup as a sponsor.) The donation is through Mobile Beacon for the hotspot device.

Daniel & Cara: Also utilize C3 (Colorado Community Connection), a CO organization. They refurbish PCs & sell them cheap, with legal software. They are based in Englewood; you can call them to see what they have. It's a cheap way to get devices that are company-owned to mitigate the risk of BYOD. They also sell Macs.

Kevin: Everyone mentions Square. A lot of people use PayPal or Stripe. As far as processors, what is the risk with any of these others?

Lou: Hopefully your database allows any processor. Then, it's a matter of using a processor that gives you a good effective processing rate. Wrangle your processor to give you a good rate. Find one with a good auto-updater that helps to auto-update payment info for when a credit card expires. Payment will never decline & you won't have to re-get the info. EFT donations can process forever, whereas CCs expire. Fascinating that this auto-update is available now. Consider 3 questions: 1. Can I take this out of the database? 2. Is an auto-updater available? 3. What is the effective processing rate? Also, consider if there are any "gateway" fees in your POS/database system. Do your research & ask these questions early on. If you're already locked in, use your re-negotiation to get a better deal.

Joe: We have heard that Stripe is coming out with their own swipe device. There is a non-profit rate that is lower than the regular rate. 

Lou: You can also ask your bank. They might offer a device that can be used for CC processing & it will be secure. Good option for one-off events. 

Daniel: TechSoup offers connection for CC processors, as well.

Annette: An extension of what Lou said. You need to demand from your vendors that you are compliant. Where can we get some verbiage for how to go about this? Do you have to wait for contract renewal?

Lou: Forget PCI, just talk about data security. Ask your vendors to show you their SOC or SOC 2 audit compliance. Ask for documentation on how they keep data secure.

Tyler: If they have SOC certification, does that mean they are GDPR compliant? Yes.

Daniel: Use the insurance data breach policy as a framework to make sure your vendors are compliant.

Lou: Hand vendors your breach policy & ask them to prove they are compliant.

Maddie: What is a good resource for SOC 2 compliance?

Lou: I don't know offhand, but I can send out info. You can get good info with a Google search. There are a lot of vendors that you can pay to walk you through the audits & help you be compliant. They will do a penetration test & see if they can get the info.

Daniel: Smaller orgs can’t afford/support pen testing. Smaller orgs need to keep it simple. Use Square/PayPal. It’s easier to sign a compliance form than to pay to be compliant. Keep a simple standard. Eliminate BYOD.

Cara: Password security is important when you are using cloud resources. You can access this data anywhere. Password-protected spreadsheets can't be recovered if the password is lost.

Maddie: Use LastPass or KeePass for password management.

Lou: Password & email best practices. This was big discussion at previous Ransomware forum. Vendors can come in and train for this. 

Cara: You can have insurance, but if you have a big enough breach, you’re just out of business.

Julie: What about LogMeIn? Does it fill this need?

Daniel: LogMeIn is used for remote access, not the same as LastPass or KeePass.

Tyler: The master password is used to encrypt/decrypt the list of passwords. You can configure it to the MAC address, etc. You can set it up to also encrypt your Dropbox, so if that is hacked, they would have to know your master password to decrypt/access the files.

Daniel: LastPass had a breach. Though, these companies' sole purpose is to keep your passwords safe. Use the features of the programs to create long/unique passwords.

Lou: Just use the browser features. Chrome's save-passwords feature is great & secure.

Daniel: LogMeIn is a remote access tool. It logs you into a remote PC. LogMeIn is solid. Ensure that the provider of any of these RDP features is a US-based company, to mitigate the possibility that you are logging in to remote servers in India, etc.

Lou: Some of these remote access needs are just laziness. Better to have a dedicated laptop or use cloud-based QuickBooks instead of having a user access remotely from a home computer.

Daniel: The general consensus is that QuickBooks Online is horrible. Incumbent accountants have great difficulty dealing with it. Do everything you can to mitigate remote access. LogMeIn is solid. TeamViewer has had issues. The biggest mitigation is policy. WHY are people accessing from home?

Cara: You don't have any visibility on who else is using the home access machines. Are there viruses? If you are issuing a laptop for something like QuickBooks, make sure that device is getting backed up.

Jaala: Are people encrypting these devices?

Daniel: Smaller clients have a hard time with encrypting devices. Without an AD, it's hard to get users to accept encrypting. Comes back to the original hardware plan. Using Windows 10 Pro, utilize BitLocker.

Cara: Why aren't users just using the free Azure protection?

Daniel: Who manages Azure in the smaller org?

Melissa: In absence of an Active Directory structure, how do you manage the encryption keys?

Daniel: Use paper. Print out the keys. Put it in an envelope, seal it with the date & keep in off-site safe.

Lou: Use a standard for the master passwords that is unique for each user but follows a standard.

Tyler: Users had trouble managing the dual passwords. How do you get the users to buy in to this? Even I don't like it any more.

Cara: Scare users with stories of users who have lost/compromised data. An unlocked phone left in a cab with important legal info.

Maddie: We can definitely continue this conversation on the Facebook group. August Forum reminder. Free lunch! Get on our listserv. We will send out these notes after the meetup. We can also share the resources discussed today there. Thank you for coming & contributing to the discussion.