ANSWER
As the world becomes more digital, cyber-attacks are on the rise; any organization can be the victim of a cyber-attack, regardless of its sector of operation or industry. Charities must be very cognisant of this. Unfortunately, as we have seen with many organizations, it is not a question of if but when a security breach will occur. The key point is how to handle the situation when it does occur.
Cybersecurity is no longer the sole responsibility of the information management (IT) department; everyone has a role to play in cybersecurity, as ultimately everyone is responsible for ensuring proper data management. For SSVP, this includes information concerning persons in need, volunteers, members, employees and donors; other operational information of the Society, such as financial information, minutes, reports, statistics, etc., may also require special security provisions.
We regularly hear stories of systems being hacked by perpetrators posing as employees, who thereby gain access to the organization’s different systems, including environments such as bank accounts or payroll processors, where unfortunately personal information may be divulged.
The 7th principle of the Canadian Government’s Personal Information Protection and Electronic Documents Act (PIPEDA) is Safeguards. Fundamentally, personal and operational information must be protected by security appropriate to the sensitivity of the information, and that protection must cover:
- Knowledge (e.g. information learned);
- Hard Copy (e.g. paper);
- Digital (e.g. Excel spreadsheet, online storage).
Reacting to a security breach:
- On being made aware of the situation, the first action is to further reduce the risk. Change passwords and limit access to the system that has been identified as breached;
- Assess which other systems may have been compromised indirectly (such as a building security system);
- Assess the type of information that could have been compromised, and inform the affected individuals. This may require these individuals to perform credit monitoring to protect against identity theft;
- Depending on the severity of the breach, you may need to contact your financial institution, the local police force, the Canadian Anti-Fraud Centre, and/or the Privacy Commissioner of Canada.
To better understand data management risk, please refer to the LEAD-3 module (Information and Privacy Management) available under the formation resources:
Formation Resources