Page 273 - Washington Nonprofit Handbook 2018 Edition

any place you store sensitive data. At minimum, use some form of security technology using strong password protection. Encrypt sensitive data you send over the internet, including data sent via e-mail. Make sure web pages that collect sensitive information over the internet use Secure Sockets Layer (SSL) security. A site is secure if the letter “s” follows “http” in the site URL. In other words, if the webpage URL starts with “http,” it is not secure. If it starts with “https,” SSL security is used.


Use and regularly update firewalls, antivirus and antispyware software to protect systems and computers connected to the internet. Finally, make sure that the vendors you use also protect any personal information you allow them to process or store on your behalf. Organizations may be held responsible for the actions of their vendors. Require all vendors to notify the organization of any breaches and consider reserving the right to audit their activities.


(iii) Data Disposal

Many state laws, including RCW 19.215, specifically require that you properly dispose of sensitive data. In Washington, “sensitive data” includes financial information and health information. Information that is improperly disposed of can end up in the hands of dumpster divers or other types of identity thieves. Under Washington law, proper destruction involves “shredding, erasing, or otherwise modifying personal information in records to make the personal information unreadable or undecipherable through any reasonable means.”


Make sure all employees shred or properly incinerate any paper documents. Disposal in recycling bins is not a secure way to dispose of documents. When disposing of old computer equipment, wipe the hard drives of data using appropriate wiping utility programs. If such technology is not economically feasible, you can also remove the hard drive and physically destroy it by simply smashing it.
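The following is an added illustration, not part of the Handbook, of what “erasing” a record means in practice at the file level: the bytes are overwritten in place and flushed to disk before the file is unlinked, so that a simple delete (which only removes the directory entry) is not mistaken for disposal. The function name and the two-pass scheme are the example's own choices; the caveat in the comments is why the Handbook's advice to use a purpose-built wiping utility or to physically destroy the drive still stands.

```python
import os
import secrets


def overwrite_and_delete(path: str, passes: int = 2, chunk: int = 1 << 16) -> int:
    """Overwrite a file's contents in place, flush to disk, then remove it.

    Passes before the last write random bytes; the last pass writes zeros.
    Returns the number of bytes that were overwritten per pass.

    Caveat (this is why drive-level tools still matter): on SSDs and on
    journaling or copy-on-write filesystems the storage layer may keep the
    old blocks elsewhere, so in-place overwrite of a file is not a guarantee.
    For retiring a whole drive use a wiping utility or destroy the drive, as
    the Handbook advises.
    """
    size = os.path.getsize(path)
    # r+b keeps the existing inode so the writes land on the same blocks;
    # buffering=0 so each write goes straight to the OS.
    with open(path, "r+b", buffering=0) as f:
        for pass_no in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                if pass_no < passes - 1:
                    f.write(secrets.token_bytes(n))
                else:
                    f.write(b"\x00" * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # force the pass onto the disk, not just the page cache
    os.remove(path)
    return size


def dispose_record(path: str) -> bool:
    """Convenience wrapper: returns True once the record no longer exists on disk."""
    overwrite_and_delete(path)
    return not os.path.exists(path)


if __name__ == "__main__":
    # Constructed sample record for a local demonstration.
    sample = "retired_donor_record.txt"
    with open(sample, "wb") as fh:
        fh.write(b"Jane Doe, SSN 000-00-0000, account 12345678\n")
    print("overwritten bytes:", overwrite_and_delete(sample))
    print("still exists:", os.path.exists(sample))
```

Pair this with the organization's retention schedule: the function only helps once a record has actually reached the end of its required retention period.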


b. Security Breach Notification

Laws in several states, including RCW 19.255, require your organization to notify individuals in the event of a data security breach. The laws in each state vary, but many states have similar requirements. The breach notification law in Washington requires an organization to notify affected individuals where there has been a breach of computerized data in the form of a name in combination with sensitive information such as social security number, credit card data, financial account number, or driver’s license number. Some states also require notification





WASHINGTON NONPROFIT HANDBOOK -262- 2018