September 10, 2014


In a blog post I wrote last year about Constituent Relationship Management systems, I listed several common CRMs that are available for nonprofit organizations. As I wrote, your needs as an organization – and how you need to manage your data – should come first. The technology (whatever software platform you choose to use) should support those needs. In other words, as my co-presenter in a workshop given last year on “Data Management for Nonprofits” pointed out, CRM is a process that is not necessarily tied to technology.

But an important point I did not cover in that blog post is how your organization actually uses your donor (and/or client) data, and how to properly keep that data secure. In this post, I will write about some do’s and a don’t in managing your CRM data.

1. DO make sure your data is only accessed over an encrypted (HTTPS) connection.
SSL certificates (the protocol is now more properly called TLS, but the certificates are still sold as "SSL certificates") are a basic building block of internet security. A certificate lets a visitor's browser verify that it is talking to the genuine server, and the HTTPS connection then encrypts the traffic (data) passed between the web server and that individual so that anyone sitting between the two cannot read or tamper with it. Be clear about what this does and does not cover: HTTPS protects data in transit, not data sitting on the server, so it is a necessary first step rather than a complete solution. Any website that handles financial transactions is required to use it (the card industry's PCI DSS standard requires encryption of cardholder data in transit), and banks operate under similar regulatory requirements. I also highly recommend an SSL certificate for any website that implements a user login system, since without one, passwords and session cookies travel across the internet in the clear. Here’s another blog post I’ve written, on “Securing your Website,” which goes into SSL certificates in more detail.

2. DO keep your server, and the CRM that resides on the server, up-to-date.
As we discovered earlier this year, a critical bug in OpenSSL (the library most web servers use to implement SSL) made every server running an affected version vulnerable to confidential data leakage. The Heartbleed bug let an attacker read chunks of the server's memory, which could include user passwords, session data, and even the private key behind the site's SSL certificate. It was up to the systems administrators of web servers (like us) to update OpenSSL, and, because the private key may already have been read, to reissue the certificate and reset user passwords afterwards. Patching alone does not undo a leak that has already happened.

Additionally, bugs are found in CRMs all the time, which prompts the software maintainers to issue an update. Here’s an example of a recent security update provided by CiviCRM. While WordPress is not necessarily a CRM (it is a CMS, or Content Management System), many CRM systems can interface with WordPress websites. Thus, not only is it important to keep your CRM systems up-to-date, but it’s also vital to keep your CMS (WordPress or Drupal, to name a few) up-to-date! Here’s an example of a recent WordPress security update.

The fact is, if you do not keep your systems and software up-to-date, your websites and CRM systems will be vulnerable, and attackers routinely scan the web for exactly these known, unpatched bugs.

3. DO NOT copy, migrate, or share your data insecurely.
We once had a client, who was in the process of migrating their CRM data off of a local Microsoft Access database into a cloud-based CRM, tell us that they were confused about migrating their data. So they took the entire Microsoft Access database (which contained clients’ Social Security Numbers), emailed the file to their contact at the new cloud CRM provider, and asked whether the provider could help import the data.

This is a huge violation of data privacy (and it could, in some circumstances, be illegal). Ordinary email is not encrypted end to end: the message and its attachment pass through, and are stored on, several mail servers along the way, and a copy sits in both the sender's and the recipient's mailbox indefinitely. By emailing that unencrypted data, this nonprofit opened themselves up to a huge liability: What if that data had been intercepted (or given or sold by the person receiving the email) to a person or organization with malicious intent? Hundreds, if not thousands, of individuals’ private information could have been compromised, and once the leak had been traced back to the nonprofit organization, they would have been liable for the data breach. The right approach is to remove or tokenize the columns the recipient does not actually need (an import helper has no use for real Social Security Numbers) and to send what remains through an encrypted channel, such as the provider's own secure upload facility or an encrypted file whose passphrase is shared by phone rather than in the same email.
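The following is an added example, not code from the original post, of the "remove or tokenize what the recipient does not need" step for a CSV export like the one in the story. The sample rows, column names and key are constructed for illustration. Each SSN is replaced by a keyed hash (HMAC-SHA256) so the import helper can still tell that two records belong to the same person without ever seeing the number, and a pre-send check confirms nothing that looks like an SSN is left in the file. The key never travels with the data; only the organization holds it.

```python
import csv
import hashlib
import hmac
import io
import re

# Constructed sample export (not real data). The columns mirror a small
# donor/client table; the ssn column is the one that must never leave the
# organization in clear text.
SAMPLE_EXPORT = """id,name,email,ssn,last_gift
1,Ada Example,ada@example.org,123-45-6789,50.00
2,Bob Example,bob@example.org,987654321,25.00
3,Ada Example,ada2@example.org,123-45-6789,10.00
"""

# Hypothetical list of columns to tokenize before the file is shared; extend
# it for your own schema (dates of birth, bank details, case notes, ...).
SENSITIVE_COLUMNS = ("ssn",)

# Matches a US SSN written with or without separators, as a whole word.
SSN_PATTERN = re.compile(r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b")


def contains_clear_ssn(text):
    """Pre-send check: does this text still carry anything that looks like an SSN?"""
    return SSN_PATTERN.search(text) is not None


def normalize_ssn(value):
    """Reduce '123-45-6789' / '123 45 6789' / '123456789' to nine digits so the
    same person always gets the same token regardless of formatting."""
    digits = re.sub(r"\D", "", value)
    if len(digits) != 9:
        raise ValueError("not a nine-digit SSN: %r" % value)
    return digits


def pseudonymize(value, key):
    """Keyed hash of a sensitive value.

    HMAC rather than a bare SHA-256: the SSN space is only 10**9 values, so an
    unkeyed hash could be inverted by brute force by anyone holding the file.
    The key stays with the organization and is never sent with the data.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def redact_export(csv_text, key, sensitive=SENSITIVE_COLUMNS):
    """Return a copy of the CSV with each sensitive column replaced by a
    <column>_token column holding the keyed hash of the original value."""
    reader = csv.DictReader(io.StringIO(csv_text))
    present = [name for name in sensitive if name in reader.fieldnames]
    fieldnames = [
        name + "_token" if name in present else name for name in reader.fieldnames
    ]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        for name in present:
            raw = row.pop(name)
            row[name + "_token"] = pseudonymize(normalize_ssn(raw), key)
        writer.writerow(row)
    return out.getvalue()


def duplicate_groups(redacted_csv, token_column="ssn_token"):
    """What the recipient can still do with the tokens: group records that
    belong to the same person without ever seeing the SSN."""
    groups = {}
    for row in csv.DictReader(io.StringIO(redacted_csv)):
        groups.setdefault(row[token_column], []).append(row["id"])
    return {token: ids for token, ids in groups.items() if len(ids) > 1}


if __name__ == "__main__":
    # In practice use a random key (e.g. os.urandom(32)) stored only by the org.
    key = b"example-key-kept-by-the-nonprofit"
    redacted = redact_export(SAMPLE_EXPORT, key)
    assert contains_clear_ssn(SAMPLE_EXPORT)
    assert not contains_clear_ssn(redacted)
    print(redacted)
    print("records sharing one token:", duplicate_groups(redacted))
```

Run it and the printed file has an ssn_token column in place of ssn; rows 1 and 3 carry the same token, row 2 a different one, and the pre-send check passes. The redacted file is what goes to the provider (still over an encrypted channel); the real SSNs are loaded later by the organization itself, matched on the id column.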

In summary, remember to keep your systems and software up-to-date, use common security practices (including implementing SSL certificates), and be sure to protect your clients’ (and/or donors’) data whenever it is copied, migrated, or shared.

