Data Privacy Strategies for Modern Nonprofits

Feb 23, 2022

You think your information is encrypted… but is it?

For over 20 years, nonprofits struggled to take data privacy seriously. And we’re now having to play catch-up on making sure valuable information is secure.

This week on A Modern Nonprofit Podcast we discuss today’s biggest cybersecurity threat and how nonprofits can use technology without putting themselves at risk.

My guest this week is John Gilmore, Director of Research at Abine.com and joindeleteme.com. He helps clients pinpoint where they are most at risk, and the steps needed to secure their data online.

In this episode, John talks about why organizations are more concerned about bad press than a data breach, and why you should be cautious when using a third-party organization to solicit donations.

In this episode, you’ll discover…

  • Today’s biggest data privacy threat and why it causes such havoc for businesses (5:43)
  • Tips to keep your information more secure online (11:47)
  • How nonprofits can use technology to work smarter without putting themselves at greater risk. (18:38)
  • The one question you must ask if you outsource any work or data collection. (31:05)

Thanks for listening and be sure to subscribe for new episodes every week!

🎧 Click here to listen to the Podcast on AnchorFM or Apple Podcasts

👇 Or scroll below to read the full transcript of our conversation

For more information on how to improve your data privacy, visit joindeleteme.com

 


A Modern Nonprofit Podcast


Tosha Anderson:

Hey friends. Welcome back to another episode of A Modern Nonprofit Podcast. I’m your host, Tosha Anderson, the founder and CEO of The Charity CFO, but we’re not talking necessarily about accounting today. We’re talking with my friend, John Gilmore and John you’ve spent so much time in and around different things. I found your background pretty interesting. Um, you’ve spent some time in all different things, but one thing that seems to be a common thread, you have a lot of experience on business intelligence and kinda cyber security and consumer fraud trends, emerging issues around digital identity and theft and all of those sorts of things. And, and I think sometimes, um, at least I can, um, validate concerns or worries. And we were kind of chatting a little bit before I had the record button that I think many leaders of nonprofits you’re talking small organizations, they have grassroots budgets.

Tosha Anderson:

I mean, if they, if they have any sort of security or online presence, um, it’s probably not the most cutting edge. And I think this is an intimidating topic for people and maybe an area it’s like, ah, I know I’m probably not doing what I need to do, but I don’t really wanna know. I kind of need to know. And I kind of, I can kind of relate to that because I think that’s how people handle accounting. When I start talking to them about that, they get all kind of anxious and, and worried about how things are going in that space. So I’m just really excited to have you on today to have a little bit more of a casual conversation about that. And some practical tips on what these nonprofits can be doing to protect themselves and really what are some of the real threats out there and what are just some of the things that we’ve worried ourselves of that maybe aren’t as significant as we thought. So, John, again, thank you for being on. I’m excited to dive into this conversation.

John Gilmore:

My pleasure.

Tosha Anderson:

So perfect. So let’s just start right out of the gate. Tell us a little bit more, um, kind of about the landscape in which we’re, we’re talking about here, how is the world changing? What should we immediately know about cybersecurity and, and web prep, web, you know, web presence and a lot more of nonprofits, their, their operations is cloud based now. Sure. And what are you seeing? That’s kind of an immediate threat.

John Gilmore:

Well, just out me and the company I work for Abine, which is the, uh, parent company of DeleteMe. We started off the, the, the framework. I think that helps people understand these issues is the, the top line is data privacy. It’s not cybersecurity necessarily. It’s not necessarily fraud. It’s not necessarily, you know, the top issue is data privacy and that’s, that’s what our company works in. We started 10 years ago, um, as a data removal service, primarily for consumers, individuals who wanna have information removed from public sources, but about three or four years ago, we started a B to B service. And some of the first people who came to us were nonprofit organizations. Uh, in fact, the two groups of clients that came to us before we even started marketing data privacy services for businesses were journalist organizations and not for profits. And what, what we realized these two organizations had in common is that they have a lot of individuals who do direct outreach, that they have a lot of people in the public eye who have to do a lot of public speaking, or they have to do a lot of one to one events with people in.

John Gilmore:

So you have these kind of high profile, either journalists or heads of organizations or your fundraisers who, who are constantly out in the public eye. And they, it’s very easy for those people to become targets of abuse for, for a variety of reasons. So if we just take it the top line on the issue of data privacy, um, I think everyone in the world is aware that information since the sort of the internet began information about us has been trivial to collect, consolidate, and reuse, and that’s been going on for 20 years. And that day there are data breaches from places like Facebook gets scraped again, or major institutions, experience data breaches, and more and more information just spills out, excuse me, into the public sphere. And for many years, I don’t think it was a huge concern. I think the way most people thought about it was, well, everything is available.

John Gilmore:

What can you really do with it? It takes too much effort. I mean, who is gonna stalk me or who is going to dox me. And I think there was very little concern for the potential for abuse, cuz it was seen as more of an individual. It was yes. Some people experience identity theft. Yes. Some people get doxxed. Yes. Some people may, may become targets of harassment or whatever, but it was kind of this fringe side issue that didn’t affect core business concerns. It didn’t affect national. It didn’t affect, um, the way people do business. Uh sure. And so up until fairly recently, it, it was kind of not seen as a problem. And I think what changed is that the people who exploit personal information got a lot more sophisticated in a relatively short amount of time. And the number one phenomenon that I think is an indicator of that would be ransomware that before ransomware, most people thought of cyber threats as a hacker who penetrates your network, opens a back door and purloins data.

John Gilmore:

Whereas today the, the ransomware threat and, and not just ransom, but almost all kinds of, of cyber attacks, whether they’re denial of service or anything else, um, are, are done by social engineering, they’re done by phish. People send you a text message, you click on it. Next thing you know, your device is sending, is infecting the rest of your company’s assets. Um, and I, I don’t think people got a handle on the way the potential expansion of social engineering and the way it could be abused. And, and let me just, I’ll just frame this as an example. Um, say I have a list of all of your employees, all of their email addresses, all of their job titles. And I have lists of all of those, the people, those people talk to that I can cross reference these. I can use that to penetrate your organization and execute a ransomware attack where I infect your sales databases or your whatever core assets I need to.

John Gilmore:

And I extort money from you, the organization. So that’s like method one method. Two could be, I take this information and I launch attacks against your customers. I can impersonate the fundraiser. I can impersonate the organization. I can send invoices to other companies in your name and start stealing money. Or I can take a key person within that organization, say it’s the CEO or, uh, any high profile individual. And I can extort them personally. I can, I conduct identity theft. That might be a high net worth individual. This is a big problem, particularly for executive C-suites, but also just for the, from the point of view of nonprofits, you have lots of wealthy donor information. So instead of targeting the organization, instead of targeting your clients, I can go after your donor lists and I can either profit from them by individually, I can attack those individuals, but more often what happens is the data just gets sold.

John Gilmore:

So, and that that’s like another aspect of what I think people don’t understand about the sort of threat economy. Again, it’s like, if you go back to the old conception of what, um, organizational threats were, it’s like this lone individual who penetrates your organization and does damage. Now it’s this vertically integrated marketplace where you have one group of people who sell lists of targets, another people, a group of people who sell software to, to execute ransomware attacks. Then you have the actual bad actors who go out and, and say, well, we’re gonna do this against people in healthcare, or we’re gonna do it in people against education. And then what, what do they do? They sell what they steal onto yet another third party and that each of the people involved in these things don’t really care about where the information came from or as long as they can make a buck in the process, they’re gonna do it cuz it’s low risk high reward.

John Gilmore:

I mean, I think that the idea of data privacy, again, go back to the very beginning, which is that the source of all of this problem is the fact that no one took data privacy seriously for 20 years. And that’s why we are where we are today. And in the nonprofit sector, think it was slept on for a long time. Is that look we’re, we are not organizations that are highly. I mean, there are some that are very highly endowed, but you have a lot of organizations that are basically operating on a shoestring. And so they’re like, why would anyone target a food bank in Pennsylvania? Right. Well, you look at what happened in like 2020, people targeted food banks in Pennsylvania and they got away with a million dollars, uh, people targeted small healthcare clinics. Uh, that, that in fact like some of the, the, I think if you look at data like from Verizon, Verizon who tracks, uh, a lot of cyber attack information, half of all successful attacks are against small businesses, right?

John Gilmore:

They’re not the most damaging, you know, the, the ransomware payouts are lower. They may only be $10,000 or in the tens of thousands of dollars rather than the million. But they, when you can do hundreds of them in a year, what’s the difference? No. Sure. So, so the, so I think the big issue is data privacy. The second issue is understanding that the risks are social engineering primarily, and then the third is, well, how do we deal with that? Um, and it, it, depending on what kind of organization you are, it differs, but I think the thing that has been slept on the most and maybe I’m, I’m, here’s what I, I wondered about my rambling. Um, I think, I think the thing that is still unaddressed is that most of the way people are thinking about responses to these things are, well, let’s get new technology, let’s get better email security software let’s, um, put better malware on all the devices, our individuals better, better anti malware software and all of the devices people use. When I think that the real solution in many sort of cyber services companies will tell you this, the solution that is actually more effective is training and improving your processes so that you don’t have databases with lots of valuable PII in one place that is accessible by lots of people. Interesting. So it’s, it’s really much more, I think about having everyone in the workforce understand the risk and two, make sure your processes treat personal information as the potential risk area. So

Tosha Anderson:

Interesting. So let’s talk a little bit more about some of the examples on, you know, some of the nonprofit industry have, have recently, um, kind of come under attack, some bigger ones. You know, I get questions all the time. Certainly we’re on the accounting side and more of the accounting solutions are moving to a cloud-based solution, um, like, uh, QuickBooks Online or Sage Intacct or some of these other platforms that the, the larger ones and even the smaller ones, um, more and more of these are online databases. And I know there’s a huge concern about security. What if I get hacked into, what if people hold my accounting system hostage in the examples that you were saying, what if they were able to hack into my accounting system, issue, like, invoices to some of my donors or whatnot, steal money, those sort of things.

Tosha Anderson:

And more recently Blackbaud, which is a huge, both fundraising and financial management system. And some organizations have both had a pretty significant breach, not that long ago. So tell us a little bit more about your thoughts on how do you think that breach affected the nonprofit space and would you caution, um, nonprofits and know you said, uh, people focus on the system and the technology and not so much on the training. Now I’m curious to know if you have any thoughts around some of that conversation that we’ve been having with some of the nonprofits we work with.

John Gilmore:

Yeah. I think the, how did the outsourcing of key processes put the, not for profit industry at great risk? When you’re a lot, a lot of organizations have limited budgets. It’s very attractive to say we’re gonna do all of our donor outreach via all manage all of our databases via a third party. All of our accounting software via someone like MIP or there others that, that, that has been a trend across small businesses, all in any vertical area. Sure. And how did that increase risk? It’s pretty simple that it increased the, the, to penetrate an organization when company has all of its assets internally, you first need, you would actually need to get inside the network to then access assets. When you hold all of your assets via a third party, the number of ways that it can be accessed explodes, because anybody who has a password, anybody who has a password now, it may only be one person in your organization that has say, you know, access to the accounting platform within your, not for profit, but that organization has thousands and thousands of customers of users.

John Gilmore:

Yeah. And every single one of those customers have passwords. So it doesn’t matter if you, the individual nonprofit gets breached it’s if any, one of their thousands of customers that because Blackbaud has, what is it? 45,000 not-for-profit customers. Anybody who wants to penetrate Blackbaud can just say, who are the IA accounting people at all of these organizations, email addresses, right. Go to public databases and find out, oh, what, what did this, uh, email address uses a password at this other website, where there was a breach? The chances of that password being reused are like 50% that most people don’t. You know what I mean? So that they’re just by farming public information, you just correlate who is likely to have access to this platform. Then take that and find potential passwords that work, you breach the organization, you then infect their systems and you steal all their data.

John Gilmore:

And now you have all of the data that everyone who’s hosting, whose whose stuff was hosted is now exposed. So it’s putting the problem with the outsourcing thing is putting all of your eggs in one basket. It and somebody else’s basket. And so, and Blackbaud was the first of a whole string of supply chain attacks that occurred in like 2019 and 2020. That really kind of woke up a number of sectors to the risks of outsourcing. And I would say the sectors that were sort of most caught, I wouldn’t say caught off guard, but they, that the realization of risk was so tremendous was, but not for profit, but the healthcare sector, which to a large degree, is not for profit. The education sector, which to a large degree is not for profit. Like most universities are nonprofit, uh, and public sector, the government government agencies.

John Gilmore:

Um, and then you, you know, you have all these satellite organizations who serve healthcare, who serve sure, uh, uh, government and that whole sort of world was woken up by things like the SolarWinds, uh, supply chain attack. It’s all the same basic story is that everyone decided to move their, their internal assets to a third party and increased the risk of any single event. If all of these people had had kept sequestered the information, they said, well, we’re gonna put sales information on this source, or we’re gonna keep our, but we’re gonna keep other things in a, in a different place. It would’ve improved things, but having this, this one, the one stop shop approach, um, I think is what consolidated risk in, in these particular areas.

Tosha Anderson:

Interesting. I wanna go back to something, cause I think it’s interesting. Um, you use the word outsource and I know many of our clients use Blackbaud for example, and they have a fundraising function in house that happens to use Blackbaud software to keep track of everything and I’m trying to figure out, so I just wanna understand if that’s what you mean by outsource. There’s like using that software to maintain the database, but where I’m, where I’m always shook. Um, because I think they, you know, nonprofits are always exploring, how do we work smarter? How do we work faster? How can we work more efficient? So usually the solution is, you know, some sort of, um, a technology platform like a technology stack, right. And that’s constantly evolving and changing. And so I’m trying to understand, like what would an organization do to kind of balance using technology to our benefit, to allow them to work smarter and not harder if you will, but not putting themselves in. Where do you find the balance, I guess is what I’m trying to say. So for example, I

John Gilmore:

Think you’re probably, I think you’re probably right. That outsourcing is the wrong word. I, I would probably back that up and call it third party processing. Is that yeah. Involving third parties in all of your data management processes, which means any data you have, your third party has as well. Sure. And I, and I think that bringing things back to the first point, which is about data privacy and keeping data siloed, it’s really more about the sharing of information and the lack of security involved in those processes. And so when you ask, um, what should companies do to improve that kind of relationship? Assuming it’s necessary? Like, I think most people are gonna go, wow, that’s terrible, but we can’t afford to completely revamp the way we do business. These pro these platforms are too essential. We’ve designed everything we do around them. I think what people should be rethinking is a, who needs access to these platforms?

John Gilmore:

B what information is essential to share the, like, I’ll give you the example that came from the, the Blackbaud breach, which someone had pointed out like Blackbaud. Initially, one of the reasons they got in so much trouble was for multiple reasons. One, they didn’t tell the clients that there had been a, a data breach. And so six months passed before the clients were informed that all of their information was lost. Secondly, Blackbaud had said, don’t worry, nothing sensitive was compromised. It was all encrypted. Well, it, that, wasn’t true. And that tons of information, I’ll give it the example specifically, which I’m getting to your point, like when you have a platform, an accounting platform or sales platform or anything like that, you have specific fields, like name, address, phone numbers, and these fields may be encrypted. Then you have the note section. And I I’m sure you know what I’m talking about. Yep. And anybody who deals with a client,

Tosha Anderson:

Especially in fundraising, yeah.

John Gilmore:

Anybody who deals with a client, where do they put all of these sort of updated? What do they change? Every time they have a meeting with a client, they go to the note section and they say, client said, this client said that added this much to their account, blah, blah, blah. The note section is actually where some of the richest information is, and it turns out in their platforms that was not encrypted. There was never update in their underlying security. And so that for instance, client gave us a new bank bank account. They just pasted the account number into the notes section saying reminder to update, or we have to update the information. Sure. So what was captured in those particular fields? I don’t, you know, again, I’m, I have to be very careful cause this is what I I’ve heard from secondary sources about the Blackbaud thing, particularly, but this is also what I know in general from a lot of these breach incidents, which is that people will say, oh, no, all of our information is encrypted, but, but is but is it, it, you have to look at the, the fine details of what is being shared and why are you sharing it with a third party? Does the note section need to be hosted by a third party? Shouldn’t that be in the individual account manager, you know, account manager or the, whoever is the person who is the primary that should be for them and them alone.

Tosha Anderson:

Gotcha.

John Gilmore:

You know what I’m saying? Yeah.

Tosha Anderson:

Yeah.

John Gilmore:

And so it’s the, it’s this lax attitude, I think that has prevailed for 20 years and how we work with systems. And I think if anybody wants to, how do we start reconsidering? How we use third party systems to manage our, our business, you have to start looking at your data and all of your information and saying to yourself, assume it gets lost. Assume all of this gets lost. What is potentially the most dangerous? And that’s when you start to realize that some of the most potentially dangerous stuff is the stuff you’ve been treating as though it’s just, you know, the notes section in these, in these platforms,

Tosha Anderson:

I can see the notes, notes section mean, especially critical for non profits, because I’m not just thinking about fundraising, um, or the accounting, you know, check number, you know? Yep. It’s the program. Um, outcome databases that to, to, you had mentioned health clinics and things like that. I know I’ve spent so many years working in social service, you know, mental health services and things, and it’s those case notes like, oh, we had a therapy session. That’s what we talked about, you know, uh, could be pretty damaging. So switching gears a little bit, um, kinda thinking of, um, you know, something else that’s been really interesting. Uh, it’s not quite the, the same, but it reminds me along the topic of, um, activists slash mobs, targeting donors specifically, and other organizations, and it, and I’ve been following, um, the Twitter war of Elon Musk and this, you know, young person you probably heard of, I shouldn’t be laughing but tracking his private plane and you know, this, they basically target Elon Musk, for example, um, and tracking his private plane and putting really sensitive, potentially very dangerous information about his location. Um, and you could kind of take that in a different way. I mean, there’s more and more celebrities. Um, you know, you have, uh, so many different celebrities that are pledging like large gifts and dollar amounts. Um, you know, right now this, in the media constantly about these really large public figures, giving large gifts and things like that. So I’m, I’m really kind of curious to see, you know, how is that changing, um, the dynamic and, and targeting these donors and, and kind of protecting ourselves against, you know, people that

John Gilmore:

Might, I’m really glad you brought that up. Um, before we did this call, I guess two weeks ago, when you set it up, I sent out a bunch of questions to some of our account guys who have our largest, not for profit clients and, and our, our clients. Uh, we handle everybody. I mean, in the, in the, not for profit sector, the very large, uh, sort of legal defense funds, civil rights organizations, women’s health, I would say by and large, the majority of our clients lean on the sort of aggress politics side. Um, and I said, could you do me a favor, send out an email to a bunch of these people and ask them, like, what is, what are your sort of biggest concerns over the last six months? Not one of them actually mentioned data breaches, which I thought was kind of interesting is that even though that’s something I think from the, from the people who provide services like us, we think that that’s what they worry about all the time.

Tosha Anderson:

Sure.

John Gilmore:

Every single one of them, like the ones who got back at least said, it’s personal targeting by activists. Mm. And in the last three weeks, and I, I thought that was interesting. And in, in the Wall Street Journal in December, and then two articles in early January, the, they wrote three large stories about the growth of activist targeting, um, both, uh, donor advised funds,

John Gilmore:

As well as specific charities or specific donors. And this, it, it, this is the thing that worries, I, most of these biggest organizations, because their fear is anything that ends up in the news. Any that nobody wants to be the next main character on Twitter. Nobody wants to have a, a story about within their organization, like someone at someone at the ACLU did something bad or someone at, you know what I mean that no one want, but that is, that worries people far more than the, the liability consequences of a data breach. Cause if you have a data breach, no one really blames you. They blame the hackers. Whereas if that adverse, uh, and, and that just as hackers have found it far far easier to do, to do damage than in the past, the same is true of adversarial organizations and something that one of the account people said, he quoted someone.

John Gilmore:

And he said, one of the things about being an issue advocacy organization is that there’s always someone on the other side of the issue. And if, and that puts us in a very unique position and they’re very conscious, I I’ll an example would be for abortion rights organization. Sure. When the Texas, uh, law was the Texas abortion laws was, were being sort of number one subject in the press, all of these organizations were terrified that somehow they would get involved, that all, all they wanted to do is collect funds and donate and stay out of the fight. But the, the, what they worried most about was getting dragged in by dragged into the crossfire, by people who are furious on both sides. And it is, it is a key concern and it, and it, and it’s kind of the aspect of data privacy that I think is underexplored is that rep attacks on people’s reputations Dragging out. I mean, all it takes is finding an email or, or tweet from 20 years ago or 10 years ago. And suddenly it can become a big that damages, not just that individual, but organizations and it, and for a lot of these, these organizations, it’s something they’re increasingly concerned about.

Tosha Anderson:

Yeah. I can relate to that. I, when I used to work for nonprofit, my biggest fear was, is this gonna land us on the front page of the paper? And not even if we did anything wrong, just the perception that you do something wrong. And then it’s one of those things. If you keep trying to convince somebody, you didn’t do anything wrong, you just look more and more guilty. So, uh,

John Gilmore:

You know, the classic you brought up Elon Musk, but the, the, the classic example from a few years ago was the Mozilla guy, the CEO of Mozilla who had donated to, um, prop 48, which I think was an opposition to gay marriage. If I remember correctly and he was personally targeted and he lost, he was ousted as the head of Mozilla, the success of that, that we found a guy who donated to an unpopular cause the success of that really emboldened individuals. Now, these people may not even be organized. A lot of these sort of attacks against individuals are not necessarily coordinated by adversarial, hacktivists or organizations. They’re really, they’re, they’re almost like these naturally occurring events where one person will say this guy’s a jerk. Another one goes, I have his travel information. A third person goes, I know what his wife does and that this, they individually people start sort of just dumping information into the public sphere until it becomes actionable where some third party goes or, or a journalist just latches onto, it says, let’s make this a story and publicize it. And it just, it snowballs out of control. And that the process by which a lot of these damages occurs, it’s not like anyone even intends it initially. It just becomes it. The risk of it exists because anybody can just take five minutes outta their day and go, let me, you know, let me search this random source for any information about this person. And then I share it and it shared,

Tosha Anderson:

Well, you know, you bring up a good point. I work with a couple clients that have anonymous donors that are pretty significant funders for their cause. And they’ve made it perfectly clear if my name gets leaked and it’s really not even that controversial, but nonetheless, they, they value their privacy so much that if their name gets leaked, they will stop funding that organization. And so to your point, I’m just envisioning like in my brain, you know, um, you know, actually putting their name in the donor database rather than putting anonymous there. Right. And there’s this balance, I think it goes back to training. Um, I came from the auditing world on the financial side. Right. And so you have to have an audit trail. You can’t just put anonymous for everything. Yep. And it’s like, how do you train your team members to keep things very anonymous and confidential, making all these different parties happy? And maybe that means you need some sort of, um, compromise and off, you know, off the record type of record for anything that might be extremely confidential.

John Gilmore:

Absolutely. Right there. There’s very much, I mean, the way I would put it is that inside any organization, people should really take the, who needs to know who in, in our organization needs to know who our donors are, who needs to know how, you know, the, the amounts, the dates, any, any who, who needs to know this information. You know, obviously the accounts people do, the, the person who has a personal, uh, relationship with those people do, but not everybody within the organization does. And you, and, and that information should not be shared unless it’s absolutely necessary, like with the financial sharing, with financial services organization or whatever. Um, it, that it’s really something that needs to change. Um, you know, you were talking about donor privacy. This is, uh, I mean this year alone, something that I, I mean, I was not even entirely aware of this, but there was a major Supreme court case.

John Gilmore:

The, uh, was at Americans for Prosperity versus Bonta where California was passed a law where it was gonna require, uh, not for profits to disclose donor information. And so 16 states around the country had crafted basically copycat legislation saying, yeah, we like that. Um, now these may be partisan sort of legal laws mean that are being pushed because they don’t like, like some state actors may not like that these non for profits are so influential. I know that’s, you know, in California, in particular because of the ballot, um, initiatives that, uh, that anybody can essentially come up with a ballot initiative that people in the sort of establishment go, God, we don’t want another one of those. Um, and so there is some attempt to try to dissuade private act from influencing, you know, uh, politics. But so the, the Supreme Court struck it down and they said, you cannot force these organizations disclose it.

John Gilmore:

But I think people failed to realize the scale of the risk that it, that forced disclosure, the, the, the increased risk. It puts on everyone. An analogy that I would give, which is something very much undiscussed is for years and years, um, voter databases have been public information that if you voter records can be purchased for between $50 and like a couple thousand dollars in every state in America, they have, there has been some change in the last five years where some states have increased that you have to be a validated organization to request it. You have to be either a political consultancy or a media organization, but by and large, the vast majority of them are just public databases that I could right now. Wow. Go and put on my credit card and buy all of the voter information for the state of, for any, for most states in the union.

John Gilmore:

And when people like myself said that is a problem. Most people like in 2014, when we started saying the voter records should not be so easily accessed, everyone said, blah, that’s ridiculous. Two years later, Russians hacked the election. And suddenly all of these news stories were talking about how voters receive voters were receiving, uh, yeah. Misinformation emails, how, um, organizations were being spoofed. And, uh, it, it was like people almost, but, but, but even despite that, even despite the, the furor that evolved around, uh, the NA the security of our elections process, none of that has changed. You can still get access to pretty much all that information. And this is what concerns me, which is that we’ve seen the, the risks associated with lax data privacy escalate and escalate the last three years, but we haven’t really seen any fundamental change to the way people handle basic personal information.

Tosha Anderson:

I have one more question for you that just got me thinking. Um, so more and more nonprofits are utilizing these, whether they’ve signed up for them or people kind of indirectly opt into some of these social media crowd fundraising campaigns. And I know a lot of our nonprofit clients will often talk about, um, we’ll pick on Facebook for a little bit, um, a lot of Facebook fundraisers, right? It’s like I could go and choose any organization out there and say, I’m gonna raise money on behalf of this organization. And I’m basically piggybacking off of the name and reputation of that organization. Even though they haven’t asked me, they don’t even know who I am. And these, um, organizations that receive the funds, they often talk about how incredibly difficult it is to actually get that donor information from the platform for which, you know, Hey, you used our name and our reputation to raise money.

Tosha Anderson:

Although we thank you for the proceeds, but you’ve just now collected information about the donors and those that support our cause. Um, and oftentimes they can’t even get that information. And I know there’s more and more and more platforms out there that kinda sell themselves as make things easier to fundraise. We’ll do your transaction processing. This will also serve as a database for you, but it’s, you know, our own little separate database, different from your main database that you use. And there’s more and more of these, I think, little platforms coming up. Um, and I just didn’t know if you had any thoughts on that. I know sometimes that you, we think it’s gonna be more difficult to do outreach and fundraise with, you know, more restrictions, but on the flip side, I almost think that there’s way easier ways to collect, uh, for personal information on donors that maybe even the nonprofits are having a hard time collecting and they should be the first ones getting that information.

John Gilmore:

It really is. It, it really is a double-edged sword of, you know, that there is no easy solution to these problems, but I do think you’re right, which is like, it, it, the way someone I spoke to described it, they said on one hand, um, we wanna take data privacy more seriously. On the other hand, it may, people are getting harder and harder to reach out to that. People are more skeptical. You can’t just cold email people anymore,

Tosha Anderson:

Right?

John Gilmore:

Spam text message, or just assume it’s spam because people got hundreds of fake ones a day. There’s no way you’re gonna get through the mess. People put up fake websites, or they put up a fake thing on Facebook and other people will. I mean, this happened to Black Lives Matter where a number of copycat organizations formed and made away with millions like Apple alone almost donated 4 million to a fake Black Lives Matter organization. And addressing all of that is a bit above my pay grade. I mean, specifically to donor fundraising. Um, like I think the things that I have the greatest insight are, are more on the back end of how people should be handling data. But I think the, the thing you raised, which is should we really be allowing third party organizations to solicit in our name from my point of view, I would probably recommend against it.

John Gilmore:

Um, that I, that I see lots of organizations like this who offer services. They say, we’ll do something on your behalf for, for almost nothing, we’ll basically do it for free. And people will see what they’re doing is extremely beneficial. But most, very often what they are doing is farming people’s information and reselling it. And they, they they’re profiting by accessing the people who you right. Should have a relationship with. And they keep the relationship. They, they own the PII now on those individuals. And this is something you, you see all the time out just as an anecdote. One of the most ridiculous things I saw in 2021 was that Trader Joe’s in Los Angeles had a parking problem that not enough people could access parking. So they partnered with this third party, who said, you could only park here if you download our app and you could, you could shop at the Trader Joe’s.

John Gilmore:

If you downloaded this app from who knows, I’ve never heard of this organization. And this is what this is an example of is kind of what we’re talking about, which is if you wanna do business with me, you also have to do business with this third party. And it’s, it’s something that really it’s very, very bad. The same is true with of the IRS issue, where the IRS now is soliciting this third party, ID.me, to do their identity. And it’s essentially saying, if you wanna do your taxes, you have to use this third party and you have to hand over tons of information to this third party. Sure. That third, there, there are no laws regulating how that third party hand handles this information. Nobody reads the terms or of, of data use. Nope. Everyone just clicks. Okay. Okay. Okay. Cause we’ve gotten so numbed by cookies that we just click.

John Gilmore:

Yes, yes, yes. To get past things that this is something that I see as a fundamental problem across every sector, which is that allowing third parties who you may not even know, like very well, you just know that, well, they, they bring us revenue, they bring us revenue and that’s all we care about. But what you’re handing over to them is your reputation that when that information gets breached or misused, you could be held liable cuz it was being done in your name. Um, it, it, I, I I’m, I don’t know. I don’t have any easy answer to that other than please stop doing it.

Tosha Anderson:

Yeah. I mean,

John Gilmore:

I’m doing a bunch of other podcasts like this week and next week talking about the ID.me information. And the thing that, that really concerns me is this idea of just constantly inserting more and more people into processes yeah. That they have no business being involved in.

Tosha Anderson:

Right. Bring up a good point. I mean, I think that’s a lot to think about and I brought that up. It just kind of crossed my mind. I’m like, wait a minute. So funny. Um, rather than an organization having information and then putting it out there with too many people and too many access points, there’s almost gates for which the nonprofits can’t even get that information. Yeah. So John, um, thank you for everything today. This has been really insightful and it’s a pleasure. And you mentioned normally I get a little anxious here and about these sort of things. It’s a little doom and gloom, and this is really informative. And you know, you mentioned that you’ve worked with nonprofits in the past and if you have, um, any other resources or if there’s a good way that if, if anyone’s listening out there, it’s like, you know what? My organization probably needs to be talking to somebody about these sorts of things. Is there a place that people can follow your company or reach out if maybe they want to talk about the services you offer, other nonprofits, what is, what’s the best way to get in touch with, with you or you, your team?

John Gilmore:

Deleteme.com.

Tosha Anderson:

Awesome.

John Gilmore:

You know, you can always go to our website and look at the B2B services. If you’d like to talk to some of our clients, we do events period periodically where people in individual sectors talk about the sort of particular use cases of PI removal. Um, depending on whether it’s journalists, whether it’s not for profit, whether it’s software firms, we, we have clients across a variety of sectors. So we do occasionally do events and webinars. Um, but I think, you know, in terms of data privacy and not for profits, I think there’s other resources as well. The, the people that I’ve seen that are involved in this sector or there’s, uh, uh, like the Nonprofit Technology Conference, NTEN, and uh, Community IT Innovators that these people sort of specialize in, um, technology issues as it relates to nonprofits. And, you know, I go to them for information when I’m just interested in getting data. Um, you know, I think everyone should be aware of them because they, they’re also sort of on the sort of forefront of making sure that people within your sector sort of are, are aware of all of the issues. And, you know, they provide an in some insights on how to address things.

Tosha Anderson:

Absolutely. Well, again, thank you, John. This has been really helpful. And as you had mentioned, if anyone wants to reach out to you go deleteme.com, right? Yep. Deleteme.com and uh, until next time, thank you all so much, John. It was good seeing you see you next time.

John Gilmore:

Thanks a lot, Tosha.
