Protecting Your Nonprofit’s Privacy and Security

Host (00:01):

Welcome to the, She said privacy. He Said Security podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Host (00:20):

Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors a certified women’s privacy consultancy. I’m a privacy consultant and a certified information, privacy professional, and I help provide practical privacy advice to overwhelmed companies. Hello, Justin Daniels here I am passionate about helping companies solve complex cyber and privacy challenges during the life cycle of their business. I do that through identifying the problem and coming up with practical solutions. I am a cybersecurity business attorney, and this episode is brought to you by our dog Basil and also Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, Saas, e-commerce, media agencies, and professional financial services. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there’s greater trust between companies and consumers to learn more, visit redcloveradvisors.com.

Host (01:28):

And today I’m so excited that we Corey Cutter joining us today. So welcome to the show. (Corey – Glad to be here. Thanks for having me.) So for those who might not have met Corey before – Corey serves as the senior privacy counsel for the American Cancer Society and is their sole advisor for all privacy related matters, she received her undergraduate degree from Indiana University and earned her JD from the University of Colorado School of Law. She holds several privacy certifications from the IAPP. So welcome again to the show. Thanks. We could just talk about Colorado all day. Can we just talk about Boulder now? I know you just want to talk about Colorado and drones and the dog, your favorites, all your favorites. We could talk about the lipstick that showed up at the beginning because we’re on video and zoom has this really cool lipstick feature that I might’ve had still on.

Host (02:25):

I think it looks great on you. It was a really nice deep purple and we’ll just remember if we’re going to do that. Then the little drone may be outside your window taking some video. Oh, that’s all right. Back to our regular scheduled program. You didn’t kick us off. I am. Corey It’s welcome. It’s great to have you, and we’d love to know, give us a little background. How’d you get started in your career and ended up where you are today.

Corey Cutter:
It’s been a long journey, but I start, my privacy background really started in litigation. I used to do work for one the large consumer reporting agencies. So the fair credit reporting act FCRA that really got me started with consumer rights. And that led, led me down the path into privacy. And I actually think I’ve told this to Jodi before, but when we first met, but I think for me, I got started in privacy.

Corey Cutter (03:17):

I started learning about it. I went to my first IAPP convention and I realized that there were other nerds like me who really liked privacy and were excited. And I described privacy kind of like being a Trekkie from Star Trek. Well, that’s not my preference. You know, they have their own world and they’re all excited by it all the time. And that’s what they want to talk about all the time. And that’s how privacy people are as well. So I’ve found my world in privacy and just kind of grew from there. And that makes a lot of sense. Cause you’re kind of the security side to privacy and you want to talk about it all the time, but you found your community. Yeah,

Host (03:52):

I have an interesting question following up with that. Cory is, so I am by training an M and A and a deal lawyer and I work on cases and one of my colleagues has a litigation background. And so it’s a very different perspective. I’d love. If you could talk a little bit about the audience, about how your background in litigation informs your perspective on privacy and compliance. I’ve found that it can be very different than someone like myself. Who’s a deal lawyer. And it’s just interesting.

Corey Cutter (04:19):

Well, I think from, as, as a litigator, you only see things when they’ve blown up. Right? And so I think we, I look at things from what is the worst thing that could happen. And I backed out of it from there in terms of how I can advise a client or, or, you know, in my case, in house, you know, which business I’m looking at. And I say back away from there, because if, if I only gave advice for the worst case scenario they would never listen to me at all. So I have to find that balance. But I do find that litigators in general, you give you, you learn a lot, but you see the worst cases all the time and that’s, what’s constantly put in front of you. You rarely see a, Oh, that went smoothly because you wouldn’t be litigated.

host (05:00):

I’m that notion non-profits have a lot of competing priorities to manage. So I love to hear how you’re able to manage the privacy and security risks in that type of an environment. So if you could share a little bit, that’d be really interesting to our audience. Yeah. I don’t think that there’s that much difference between a nonprofit and a for-profit in terms of the balance, because we all approach it from my level of risk and what, what level of risk we’re willing to assume. The difference is in the non-profit world, people are trying to do good and it is sometimes hard to convince people that they’re there end goal doesn’t justify the means and that they have to consider other things along that path, even though what they want to do is amazing. They still have to balance risk as well as you know, consumer viewpoints and things that the, the donor or the constituent want to protect me in the interim.

Host (05:58):

You bring up an interesting point, Corey, cause I represent some municipalities, and one of the challenges we face is part of our goal is the public good, but we also have a limited budget and in a way, nonprofits have the same challenge where you have certain expenses you have to do and you’re trying to do good. And so then how do you balance the allocation of your resources when people don’t always appreciate the importance of, of your role in privacy?

Corey Cutter (06:22):

That’s a very good question. I think the reality is we lose out on a lot of the fun tools and technology that can assist with our responsibilities. And I have to focus a lot more on on really getting people to understand the purpose behind it. So that policies and processes are adopted from people. Because there are, there are obviously limited funds and you don’t want to be spending all your money on privacy and security when your mission is to try to eliminate cancer from the world. So there, there is a balance, but I think that by, by teaching people really what the, why it’s important for them and why it can help engage more donors, more, make volunteers feel more comfortable giving us information. That’s, that’s an easier way to go about achieving that goal. 

Jodi (07:17):

There’s a lot of nonprofits that could benefit from how you’ve been able to translate that in your organization. And if you could share a little bit maybe about what are some of those benefits, because I think there’s a lot who say, Oh, but that’s just a risk who’s going to bother me. I’m a non-profit I mean, right. I’m I do good, no one’s going to come in and attack me, but we all know as privacy and security professionals, actually, you’re a treasure trove. You probably might not have strong privacy and security protocols in place. And that makes it an easy and a fabulous target. If you could share what have been some of the success stories or what have been some of the points you’ve used to help bring people together in the company to adopt some policies and procedures,

Corey Cutter 08:10):

Ironically, using analogies that are outside of your goal, your mission for the nonprofit is helpful. And a lot of these, I will frankly say that I will steal from other presentations that I hear you know, I tell people I’ve stolen them, but they’re, they’re very good. And there are a couple we, one that we use in, in our, in our privacy training that I have stolen-  is that borrowed? I’ve just borrowed it. Or even passing it forward… Okay. So borrowed, one of the ones that I had borrowed is talking about the fact that you know, how casinos use poker chips, right? Instead of money because they found that people were less attached to a chip than they were with an actual dollar bill. And the data is like that, that, that if you consider your, your database as just as just poker chip then you’re, you’re much more willing to give it up and share it with whoever and not protect it because it doesn’t mean as much to you, but you have to remember the behind each of those poker chips is the dollar or behind each of those poker chips is the person.

Corey Cutter (09:06):

And the other example that I used that I think helps you put these perspectives is when you think about all the data that’s at the grocery store, that they, that they will keep about you. Right? And it’s fine for most people, if they get an app an ad for a coupon for something that they buy on a regular basis. But if you walk into the grocery store and there’s, you know, someone assigned for Metamucil that comes up and says, Hey, Corey, you’re in the grocery store, do you want to buy the Metamucil? You might be a little more sensitive to the fact that the grocery store is keeping that information on you. And that’s, that’s the same type of thing. When you talk about with American Cancer Society, you know, for a lot of people, we do have their cancer information. And I don’t mean the research piece cause that’s a whole different arena.

Corey Cutter (09:48):

But cancer, while they might stand up at an ACS event and be super excited to share the fact that they are a cancer survivor, that might not be something that they’re willing to share in everyday life. And we have to be cognizant of the fact that the context matters when we’re keeping that information. And we have to be respectful that we can only use it in the context that they give it to us. So that’s, that’s, I’ve found to be helpful. 

Host:
Those are fabulous analogies. I like the chip analogy a lot. So it’d be stealing that from you. Yeah. I like the tip. I’ve always referenced people, right. We’re talking to humans and people, and sometimes people are always focused on the number of emails I have or the number of sales or the number of contacts or the number of leads, but it’s actually, it’s a human that you’re trying to connect with. And when you think about them as humans, it changes people’s perspective a little bit. So I really like the chip piece and you’re absolutely right. You have some really sensitive information and that’s true in a variety of different organizations non-profit and profit. So thank you so much for sharing that story. I really think that will help resonate with people why it’s so important to understand, again, it’s the human that’s up the other side and it’s not just random data.

Host (11:13):

Let’s delve in a little bit more technically now, Corey, as you are well aware we’re seeing an expansion of privacy laws all around the country. We have California, Virginia. They’re looking at Oklahoma, Florida every day. We have a new privacy law. I go yay for Red Clover. But from your perspective how does this changing regulatory landscape impact the nonprofit world and how you go about navigating it because with what you do, you have a national database of interested people. 

Corey Cutter (11:45):

Yeah, so that’s actually very interesting because there are two issues there. And one of it is how in general does a nonprofit national organization keep up with the changing laws, which is challenging in and of itself. What is, what I find interesting is obviously not all of those laws apply to nonprofits. Some of those laws specifically will carve out nonprofits. Some of it, you know, nonprofits can be kind of brought in as a third party and it still creates an issue. We do get a chance to absorb the new laws on an easier pace, I guess, than a for-profit company, because I will often advise the organization that if a law is in place and consumers are used to it with for-profits, we need to consider whether that’s something that we as a nonprofit, just want to give them anyway, because it’s an expected right.

Corey Cutter (12:33):

Or suspect expected benefit that they already have. And so there’s a balance there. I’ll look at a lot that says, well, this doesn’t technically apply. We’re safe from that, but what do our donors think? What will our volunteers expect? And how do we respect what the community at large thinks is, is going to happen when they interact with us? But I will say the fact that some laws don’t apply is actually helpful at times. You know, I’ll see a new law, Virginia was coming down the pike, I’m watching it, I’m watching it, but it didn’t include nonprofits. So I could kind of go, okay, that’s one thing I don’t have to deal with right now. But you know, Washington state specifically does include nonprofits and the New York law, while it doesn’t specifically include it. Their technology law does include the security law and include non-profits. So, you know, there’s an indication that nonprofits will be included in that. So it’s, it’s a balance of watching what the consumer wants and expects as well as trying to look a few steps down the road, because since we have the monetary problem that we don’t have excessive money to spend, to just start dealing with compliance, the sooner we can start adopting some of these laws, the more likely it is that once they come into effect and actually include us, that we’ll be ready to go.

Host (13:51):

It seems like a really interesting point that you’re making is even if you technically don’t have to comply with the privacy law, because it doesn’t apply to you, it’s almost like these laws are creating a new norm of expectation with consumers. And as a lawyer, you have to think about the implications of the business relationship that should be driving, how you want to interact with your customers, as opposed to a simple or more strict legal interpretation. It sounds like that’s really one of the ramifications of this proliferation of these privacy laws.

Corey Cutter (14:25):

That’s exactly right. You certainly said that in a more concise and clear way, then I was trying to express it. But I think that that’s exactly right.

Host (14:33):

Well, well, don’t worry. My wife says I’m wordy far too often. So this was a momentary lapse into brilliance and it won’t last long.

Host (14:40):

What would you say are the biggest challenges that you’re facing right now?

Corey Cutter:
The biggest challenges is a lot of new privacy laws that are coming down the pike really do require technical solutions to be fully compliant. And that’s something we may or may not have budget for depending on what it is so that, you know, in the scheme of things, even when you look at risks, there are things that we have to weigh that risk. Is it worth donor dollars here to be fully compliant? And I often will, when I’m advising, we’ll take a look at what are the things that we can do that the consumer will expect, but the donor will expect, that the volunteer will expect it don’t cost us anything. You know, so if someone calls us up and says, they want, they want us to delete their information and, and that particular record doesn’t have a legal reason to maintain it, then we delete the information or that’s my advice in any, in any event, because at least from our main system, because if a donor doesn’t want to interact with us, they’re not likely to be someone that we’re going to get a lot of money from going forward.

Corey Cutter: (15:45):

If a volunteer doesn’t want to interact with us, that’s not likely someone who’s gonna be spending a lot of time and effort to assist in our mission. So understanding that we can respect what someone might want. And that’s not something that costs a lot of money on the front end. Just say, we’ll take it out of our CRM in a database. Having said that, you know, a lot of deletion laws, you know, really do require you to get down in the nitty gritty and get them and get someone’s name out of an email. If there’s not a valid reason not to and pull it out of an Excel file that’s in, you know, in, in somebody’s C drive. And those are things that we don’t have the ability to do. So we try to go with the spirit of the law, as well as the spirit of what someone might want.

Host (16:24):

But that’s a challenge because it’s the pick and choose type of approach. Right? I know. And I think kind of tying all this together. If, if a donor comes to you and says, I want to be removed from your database and you honor that potentially down the line, they might change their mind. They might have someone that’s impacted by cancer. Now they realize, you know what, goodness, like, I really actually want to donate again. And now they kind of come back. Whereas if you had potentially said, sorry, no we don’t have to, but the law says, nonprofits are excluded. See right here, we don’t, we don’t have to do that. And you take that approach. Now they’re going to be mad and they’re going to have kind of a distaste in their mouth for the organization, but actually by honoring and listening in those areas where you can, and you do the best job that you can. I think you’re actually really helping to create a longterm relationship. Even if in the short term, there isn’t a relationship because I bet those people would come back. It would be a fascinating, maybe some technology to do that, but a fascinating ability to kind of track that, to see, you know, did you, these people delete and then they came back which I guess is a whole different privacy thing, but you do have to have a log. So you’re allowed to track that part for anyone listening might be like, that’s an oxymoron. No, you have to have a log.

 

Corey Cutter:

No, I think that’s a very good point. I think that that’s mine. That is the underlying reason why I’m giving the advice that I give because and, and that’s the same in the for-profit world, right? You try to use privacy to to improve your brand with the public, and the same thing be true here is that if, if someone is asking us to do something and we don’t need to maintain it for whatever reason, then we want to respect what they’re, what they’re looking. Just because that doesn’t engender people to want to spend more time with you or your, or your cause, as opposed to, you know, that that person that then wants to post on, on social media that, you know, this organization keeps harassing me. I told them no. And they keep coming back versus this organization respected me. You know, it’s, it’s it’s either positive media or the silent media, as opposed to the negative one. 

Host (18:28):

I guess, Corey changing topics just slightly is, you know, from your perspective, can you talk a little bit about, you know, the impact on a nonprofit, if you are in a situation where you have a data breach or a failure to comply with privacy laws, it seems to me what’s really at issue is obviously there’s the financial component, but then there’s the really the reputational issue because people are trying to do good and they may have certain expectations. Is there thoughts that you can share with us around…

Corey Cutter (18:56):

You mean the, the donors had expectations? Is that, what is that what you’re asking

Host (19:01):

The donors and the survivors and the very you know, I mean, this is a very sensitive and, you know, visceral type of topic for, for people involved. 

Corey Cutter (19:10):

Certainly. And it would also depend obviously on the type of data breach and what data was an issue and what was disclosed. You know, this, I think became a huge, this was actually not an issue for ACS because our, our personal information wasn’t affected, but the Blackbaud breach that occurred you know, this past year, it was massive, absolutely massive. Thousands of non-profits were in fact affected. And you there were people coming together trying to say, well, are you guys gonna let people know? And we don’t have a legal requirement to, to disclose, or what are you going to do? And how are you handling this? So all of those things did come out because for nonprofits, as you intubated with the question, you know, trust is essential to that relationship with a nonprofit because there are lots of them and people have limited funds and limited time that they’re going to expend. And so that trust factor is huge and doing what your constituency would expect when something like that happens and respecting them in the greatest way possible is in fact, something that you have to jump on almost immediately. Luckily for us, we were not impacted with that one and didn’t, didn’t have to make those, those hard positions, but you saw a lot of notices going out for people that didn’t have a legal requirement to notify. So that was based on that.

Host (20:25):

And Corey, I’m going to bring up this point and if you’re able to chime in great, but one of the biggest challenges that I face when I do the ransom, where a part of my practice, how do you balance requirements trying to do what’s right for the customer? It is a really difficult needle to thread

Corey Cutter (20:43):

It is. And I think all of that’s going to be factually based of course, you know, the, the good lawyer answer. It depends. But it really does depend, you know, when we looked at blackbaud we had some people that would call in and ask, and we, we gave our call center instructions on what they could, you know, to explain to people that our personal data wasn’t affected, because we wanted to be able to handle that portion, but we didn’t want to alert 10 million people that in fact, their data, wasn’t, wasn’t an issue in, in an incident. So there there’s that there’s the practical balance, as well as the logical one. You don’t want to inflame an issue to do the right thing. Right. but you want to be prepared to inform people that, that inquire. And if our analysis might’ve been different, if it were just that it didn’t trigger a requirements, but it was still out by his name and phone number or something like that. We might’ve had different approach, but it’s a balance and it, and it really depends on, on where you sit and what are the, what’s the impact. And how massive is it? You know all of those fun things. So I don’t think that’s different for any any situation, obviously legal compliance, is legal compliance, but I don’t think otherwise any breaches, any different, you do the same analysis every time.

Host (22:00):

One of the toughest things that I grapple with is the legal part versus informing your customers. And there is an art to how to do that. And then if you’re business people, who’ve never dealt with a breach, you have to make very difficult decisions with incomplete facts, with an incomplete forensic investigation, with customers who are all over you to find things out. Because if you’re a silent that is immediately interpreted as negative, but at the same time, you’re still getting the facts straight. And to go out with facts that may not be complete, that you have to retract. How many times have we seen that in the news? And I just appreciate your perspective, Corey, because from my vantage point on those types of engagements, it’s really tough and you really have to develop a really finally sense, a fine sense of judgment.

Corey Cutter (22:47):

Yeah. I, I agree with that completely, but I, I just think that doesn’t change every time that’s going to be the case, right. And every incident you have, you’ve got it. You’ve got to do that balance. You have to consider your, your, basically your reputation both at large and would be immediate customer base or donor base or volunteer base. You want them, you want to respect them and then figure out the best way to inform that, that group of people, whether they’ve been affected or not.

Host (23:15):

But I would say this is where you may not be giving yourself enough credit, because I’ve seen plenty of situations where we had a vendor get hit. That impacted us, and the way the vendor handled, the communication and everything. I was thinking, what are you guys thinking about? Your, your relationship with your customers. You’ve clearly circled the wagons and want to ride out the legal storm at the cost of your reputation and customer relations. And so I’m listening to you and I agree with you wholeheartedly. It is not always the commonplace view and common sense approach that wins out when you put people in a very emotional, challenging they are exhausted situation. So kudos that you’re able to really understand and discern that.

Corey Cutter (23:55):

Thank you. I’ll be sure to pass that along to my boss.

Host:
Well, we’ve talked a lot about tips that non-profits and for-profit organizations can, can take to help make sure that they’re following either privacy laws or just customer expectations. What would you say is your best personal privacy tip that you would offer people?

Corey Cutter:
Yeah. So my personal privacy tip, frankly, other than, you know, reading, reading the newspaper, privacy is now a big deal and breaches get covered a lot more with much more frequency than they used to is to use some sort of monitoring service for your information that monitors the dark web. I use an app called JHumbo. I’m not pushing for that or not pushing for that. They actually have a free version and a paid version, but it, it will alert you if something happens, you know, so, okay.

Corecy (24:43):

I got an email the other day. I noticed the other day that, that you know, my, my phone number had been leaked and was sold on the dark web. And so anything that I use that for two factor authentication, I can then consider whether that’s something I need to change or not. So it just keeps me on top of things before it becomes an issue. That particular app is also helpful because it will, if you link it with, you know, some of the social media accounts, Facebook you know, Twitter, LinkedIn, it will ask you if you want to go back and delete whole conversation so that they’re not just sitting there and eventually getting posted there later is a breach. It will remove searches or, or cookies that you don’t want on there. And it kind of does that on a regular basis automatically. So it kind of is a cyber hygiene that you don’t have to do on your own. And I find that helpful. 

Host (25:39):

Yeah. That’s a great tip. Thank you. I had shared, I hadn’t heard of that one before, so I’m excited. I know you’re going to be right on top of that. Well, when you’re not in the office and not studying and reading about privacy breaches, what do you like to do for fun? 

Corey Cutter:
I’m going to be Frank. I am a homebody to the ultimate extent, but my dog is my life. I absolutely love going on walks with the dog and hanging out in the park. And that’s my excuse for activity. And it’s my excuse to stay home all the time. So it is a lab mix. She’s a rescue and I’ve had her for a decade and she’s awesome. Unfortunately, Jedi, she hates people. Whenever she’s mixed with is not, she loves me, you know, and, and very few people in my life. But she maybe I’m just gonna say she’s a private dog.

Host (26:22):

That’s all good. Now, if people would like to learn more about you and the great work that you’re doing at the American cancer society, where can they find you?

 

Corey Cutter:

For me? You can find me at the American cancer society, which is just my email at the American cancer society, Corey.cutter@cancer.org. But the American cancer society go to the website and look at all the amazing things that they provide to people services, they provide rights, they provide housing, they help with and consider whether that’s a charity that they want to support.

Host: Well, wonderful. Thank you. It’s been great to have you thanks so much for your time today. Absolutely. We appreciate all of the fabulous tips that you’ve provided.

Host (27:05):

Thanks for listening to the, She said privacy. He Said security podcast. If you haven’t already be sure to click, subscribe, to get future episodes and check us out on LinkedIn, see you next time.