Page 272 - Washington Nonprofit Handbook 2018 Edition

a.     Protecting Information

The Federal Trade Commission (“FTC”) and a few states outside of Washington specifically require organizations to take measures to protect personal information. Under Section 5 of the Federal Trade Commission Act, 15 U.S.C. sections 41-58, the FTC has brought numerous enforcement actions against entities that failed to adequately secure personal information, including at least one nonprofit corporation. Of the states that have data protection laws, most prescribe broad requirements to “reasonably secure” sensitive personal information. Massachusetts has enacted very detailed security regulations covering sensitive personal information, including encryption requirements (see 201 Mass. Code Regs. 17.00, effective March 1, 2010). Nevada also has enacted specific encryption requirements for sensitive personal information sent electronically or stored on mobile devices (see NRS 603A, effective January 1, 2010).

This section gives a general overview of what your organization can do to help protect and secure personal information. Additional tips and guidance can be found on the FTC’s website at http://www.ftc.gov/infosecurity/.

                              (i)    Data Minimization


Organizations can best protect information by not having it in the first place. Avoid collecting unnecessary information by eliminating unnecessary fields in forms. Reduce the amount of data you hold by storing information in redacted or truncated form, for example, by keeping only the last four digits of credit card numbers in databases. Delete information that you no longer need.


                              (ii)   Securing Data

Data in physical form is a common source of identity theft. Keep physical documents safe by limiting access to areas where personal information is kept to only those individuals who have a legitimate “need to know.” Require employees and volunteers to lock documents containing sensitive data in file cabinets or drawers for storage.


Protection of data in electronic form is best handled by information technology personnel and professionals with expertise in data security. Every individual in your organization, however, should know what they can do to help keep electronic data secure. For example, avoid storing sensitive data on portable devices such as CDs, DVDs, USB flash drives, laptops, and phones. Strongly consider encrypting data you must keep on such portable devices and, if practical,

WASHINGTON NONPROFIT HANDBOOK -261- 2018