• Working Assets
• freepress.net
• CARE
• American Museum of Natural History

I know of an additional nonprofit that doesn’t want to disclose this as well.

This is a disturbing trend and shows that nonprofits don’t understand the nature of security. You should not follow a “security through obscurity” model. This model has been broken time and again by hackers. Don’t sweep security breaches under the rug. By not disclosing publicly that your site has been breached and relying instead on e-mail to notify your constituents, it shows that you’re more worried about the effect on your organization instead of your constituents. In fact, you expose your constituents to further harm by doing only an e-mail notification. Remember, your constituents may have put your organization’s e-mail in a spam filter or were away on vacation or simply had something go wrong with their e-mail. This is a single point of failure solution — don’t go there.

I recommend that for a baseline policy that nonprofits use the California Office of Privacy Protection Recommended Practices on Notice of Security Breach Involving Personal Information. It’s a long PDF file but the most salient recommendation is the following on how to do the notification.

Means of Notification
Individually notify those affected whenever possible.

1. Send the notice by first-class mail.
2. As an alternative, notify by e-mail, if you normally communicate with the affected individuals by e-mail and you have received their prior consent to that form of notification.
3. If more than 500,000 individuals were affected, the cost of individual notification is more than $250,000, or you do not have adequate contact information on those affected, provide notice using public communication channels.

• Post the notice conspicuously on your Web site, AND
• Notify through major statewide media television, radio, print), AND
• Send the notice by e-mail to any affected party whose e-mail address you have.

If you’re a smaller nonprofit, you should do this anyway even if less than 500,000 individuals were affected or the cost of notification was lower than $250,000. Imagine the heaping of scorn you will be served if an inattentive high net worth donor who doesn’t read her e-mail finds out her accounts were penetrated due to your organization’s insufficient notification efforts.

In that light I have to give Working Assets a “B-” rating on the way they handled this disclosure and Convio a “B”.

Working Assets set up an notification process quickly and notified their users via a Web site and their staff were all over the Web answering questions. Eileen Bayers, Working Assets’ VP of Customer Relations deserves some kudos for that. She was responsive to the comments thread here. That’s a good process. It could have been even better if they had provided a link to the security breach notice and made that conspicuous on the front page. There was also no press release.

UPDATE (11/16/2007): Originally, Convio received a “C-” for the late disclosure and for not doing due diligence properly on their GetActive acquisition. I’m upgrading them to a “B” as I see that they have finally updated their Web site to show in a conspicuous fashion the online security alert. It’s enough to serve as a model for notification of constituents for other nonprofits. Dave Crooke did a decent job of answering technical questions regarding the breach despite the fact that he did it on an e-mail list when he should have done it on the Convio site itself. However, Tad Druart, Convio’s Director of Corporate Communications, did a good thing by not only alerting the press but also the blogosphere. It was a calculated decision to be sure, but Tad probably tamped down on the level of blogging cattiness by the likes of yours truly and others.

The rest of the organizations are so far receiving failing grades — the dreaded “F”. They should at least implement a public notice on their Web site’s home page detailing the breach. All it takes is one constituent getting really hurt by the whole situation and I believe nonprofits will start to be more forthcoming with their security breaches.

Just in case you missed this on Friday, Convio “announced its second annual client conference, Convio Summit 2007, October 17-19, in Austin, TX.” The most important part of the annoucement was this:

In addition to interactive educational sessions and presentations on new ideas and technologies, the 2007 Summit will provide sessions specific to Convio’s native and GetActive platform clients. The “Getting Active with Convio” sessions will focus on the needs of clients who have joined the Convio community as a result of the recent successful acquisition of GetActive Software, Inc. All participants will have the opportunity to participate in networking, share success stories and lessons learned.

That’s six months away. Am I to assume that any integrations won’t be complete even at that late date? Anyone have any word about this? I have to admit I haven’t followed this issue too closely lately but even for me six months seems to stand out.

I got an e-mail response from GetActive. Check it out:

GetActive and Convio have given a lot of thought to client migrations and have begun discussing plans and ideas to make these as smooth as possible for our clients. It is our explicit goal that clients will pay no fees for their migration to the Convio eCRM platform and that we are able to minimize the disruptions to their important work. However, given the potential for unknown variables and the likelihood that clients may want to take this opportunity to implement Convio features previously unavailable from GetActive, there are some atypical scenarios which may require fees.

Ok, so no migration fee unless you’re “atypical”. I wonder what that means. Any GetActive or Convio clients want to comment? Send it to me at abenamer['at']nonprofittechblog.org. If you want anonymity on this issue, you have my word on it.

Oh man, there’s a possibility of fees being charged:

Will there be a fee to migrate?
A migration plan will be made available to all customers by March 30, 2007. Any costs associated with migration will be addressed in this plan.

Nothing like getting charged to move to an unintended vendor. Folks, if this isn’t enough reason to ask for an open API, I don’t know what is.

UPDATE: Beth is asking me to take a look at the ramifications. I don’t know if anything will change. There are still quite a few CRMs out there or CMS tools that have CRM-like capabilities. After all, GetActive didn’t exactly have a large install base with regard to the one million nonprofits in the US and UK. Frankly, I don’t see any kind of monopolistic activity forming any time soon. In fact, the largest corporation accused of monopoly status (i.e., Microsoft) doesn’t have significant nonprofit market share. There’s still plenty of competition and more new sales out there as nonprofits slowly adopt CRMs. However, added consolidation in the sector will probably expose nonprofits to the need for open APIs if only to act as a hedge against being the sorry customer of a vendor that ends up on the losing side of a merger.

Dynamic Community Badge – Clients can encourage key activists and donors to place an animated flash Badge on their MySpace, Facebook, Blog, or personal website to promote their support of their campaigns. The Badge lets individuals demonstrate progress towards their personal fundraising or advocacy goal by dynamically updating a graphical thermometer. Client organizations can choose which fundraising and advocacy campaigns and data to display in the Badge. This feature allows an organization to extend its online presence to any site with like-minded content contributors.

I’m wondering about the other CRM vendors? Are they doing the same thing? Anyone care to inform me and the rest of the readers?