I’m very disappointed with the reaction of nonprofits to the Convio security breach. The main reason I’m disappointed is that out of 92 affected organizations, we know of only FOUR that have publicly acknowledged being affected. These are:
- Working Assets
- freepress.net
- CARE
- American Museum of Natural History
I know of an additional nonprofit that doesn’t want to disclose this as well.
This is a disturbing trend and shows that nonprofits don’t understand the nature of security. You should not follow a “security through obscurity” model. This model has been broken time and again by hackers. Don’t sweep security breaches under the rug. By not disclosing publicly that your site has been breached and relying instead on e-mail to notify your constituents, you show that you’re more worried about the effect on your organization than about your constituents. In fact, you expose your constituents to further harm by doing only an e-mail notification. Remember, your constituents may have put your organization’s e-mail in a spam filter, or were away on vacation, or simply had something go wrong with their e-mail. E-mail alone is a single point of failure — don’t go there.
I recommend that, as a baseline policy, nonprofits use the California Office of Privacy Protection’s Recommended Practices on Notice of Security Breach Involving Personal Information. It’s a long PDF file, but the most salient recommendation is the following on how to do the notification.
Means of Notification
Individually notify those affected whenever possible.
- Send the notice by first-class mail.
- As an alternative, notify by e-mail, if you normally communicate with the affected individuals by e-mail and you have received their prior consent to that form of notification.
- If more than 500,000 individuals were affected, the cost of individual notification is more than $250,000, or you do not have adequate contact information on those affected, provide notice using public communication channels:
  - Post the notice conspicuously on your Web site, AND
  - Notify through major statewide media (television, radio, print), AND
  - Send the notice by e-mail to any affected party whose e-mail address you have.
If you’re a smaller nonprofit, you should do this anyway, even if fewer than 500,000 individuals were affected or the cost of notification was lower than $250,000. Imagine the heaping of scorn you will be served if an inattentive high-net-worth donor who doesn’t read her e-mail finds out her accounts were penetrated because of your organization’s insufficient notification efforts.
In that light I have to give Working Assets a “B-” rating on the way they handled this disclosure and Convio a “B”.
Working Assets set up a notification process quickly and notified their users via a Web site, and their staff were all over the Web answering questions. Eileen Bayers, Working Assets’ VP of Customer Relations, deserves some kudos for that. She was responsive to the comments thread here. That’s a good process. It could have been even better if they had provided a link to the security breach notice and made it conspicuous on the front page. There was also no press release.
UPDATE (11/16/2007): Originally, Convio received a “C-” for the late disclosure and for not doing due diligence properly on their GetActive acquisition. I’m upgrading them to a “B” as I see that they have finally updated their Web site to show in a conspicuous fashion the online security alert. It’s enough to serve as a model for notification of constituents for other nonprofits. Dave Crooke did a decent job of answering technical questions regarding the breach despite the fact that he did it on an e-mail list when he should have done it on the Convio site itself. However, Tad Druart, Convio’s Director of Corporate Communications, did a good thing by not only alerting the press but also the blogosphere. It was a calculated decision to be sure, but Tad probably tamped down on the level of blogging cattiness by the likes of yours truly and others.
The rest of the organizations are so far receiving failing grades — the dreaded “F”. They should at least implement a public notice on their Web site’s home page detailing the breach. All it takes is one constituent getting really hurt by the whole situation and I believe nonprofits will start to be more forthcoming with their security breaches.