More and more, employees are working remotely. Whether COVID-related or part of your organization's culture, remote work is now part of how we do our jobs. Luckily, advances in technology have allowed teams to work from home with ease, or at the very least, participate in a hybrid-work environment without having to worry about not having access to specific files or applications while outside of the office.
While there are several advantages to working remotely, there's a monstrous risk for fundraisers: keeping donors' Personally Identifiable Information (PII) safe. Not convinced it's a big deal? There are hefty financial penalties when entities fail to properly manage their telecommuters' access to PII and its protection.
For example, Cancer Care Group agreed to a $750,000 settlement after a remote employee lost a laptop and backup drive to car theft. The laptop contained more than 50,000 patients' protected health information.
The Office of Civil Rights (OCR) determined that Cancer Care Group was in widespread non-compliance with the HIPAA Security Rule before the breach. They failed to conduct an enterprise-wide risk analysis when the breach initially occurred. OCR also found that Cancer Care Group did not have a written policy regarding removing hardware containing PHI into and out of its facilities.
A similar settlement cost respiratory medical group Lincare almost $240,000. A remote employee breached the patient data of 278 patients by exposing and abandoning their sensitive information. The court ruled that Lincare did not have adequate policies and procedures to safeguard patient information taken offsite even though employees who worked in patients' homes routinely removed patient data from Lincare offices.
The trouble didn't end there for the company. Former Lincare employees also filed a class-action lawsuit against the company. The employees claim negligence concerning their PII and that identity theft could result from a Lincare data breach.
What can you do to safeguard your organization from data breaches?
We compiled a list of documentation requirements and preventative actions you need to observe to protect you and your donors.
First and foremost, if anyone on your team is working offsite, you must set rules for them in your Security Policies and Procedures.
Use the following checklist to guide what to include in this section.
- Make a list of remote employees
- Indicate the level of information to which they have access
Describe Equipment, Software, and Hardware requirements:
- Encrypt home wireless router traffic using WPA2-AES. This is a pretty standard configuration, and most routers these days come pre-configured.
- Change default passwords for wireless routers to something complex. This provides an extra layer of protection.
- Make sure that IT configures all devices accessing your network. Devices must be encrypted, password-protected, and have a firewall and anti-virus software installed.
- Require that employees use a VPN when they access the company's Intranet remotely.
- All PII must be encrypted before being transmitted, either over the company's Intranet or by using the organization's internal email encryption.
- Encrypt and password-protect any personal devices employees use to access PII.
- Have your IT department or vendor configure personal devices before allowing them access to the network. Specify what brands and versions of personal devices can access the company data.
Describe Security and Privacy requirements:
- Employees should not allow any friends, family, etc., to use devices that contain PII.
- Have each employee sign a Confidentiality Agreement to assure the utmost privacy when handling PII.
- Create a Bring Your Own Device (BYOD) Agreement with clear usage rules.
- Employees who store hard copy (paper) PII in their home office need a lockable file cabinet or safe to store the information.
- Employees need a shredder at their location to destroy paper PII once it is no longer needed. The company needs to specify when it is ok to dispose of any paper records.
- Employees must follow the organization's Media Sanitization Policy to dispose of all PII or devices storing PII.
- Make sure employees disconnect from the company network when they finish working. Usually, session timeouts configured by IT take care of this.
- Employees cannot copy any PII to external media not approved by the company. You may require all PII to stay on the company network.
- Keep logs of remote access activity and review them periodically. IT should disable any accounts inactive for more than 30 days.
- Mandate that any employees in violation of these procedures will be subject to the company's Sanction Policy and/or civil and criminal penalties.
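The log-review item above (review remote access activity, disable accounts idle for more than 30 days) is the kind of check IT can script rather than eyeball. The following is an added example, not part of the original article: it parses constructed VPN log lines in an assumed `timestamp user=... action=... result=...` format, treats only successful logins as activity, and lists every known account with no successful login in the last 30 days (including accounts that never logged in at all).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample remote-access log lines (not real data); the format is an assumption.
SAMPLE_LOG = """\
2024-05-01T08:15:22Z user=alice action=vpn_login result=success src=203.0.113.10
2024-05-02T09:01:07Z user=bob action=vpn_login result=success src=198.51.100.7
2024-05-20T18:44:51Z user=carol action=vpn_login result=failure src=198.51.100.22
2024-06-10T07:30:00Z user=alice action=vpn_login result=success src=203.0.113.10
this line is malformed and must be skipped
2024-06-12T12:05:45Z user=dave action=vpn_login result=success src=192.0.2.55
"""

# Accounts the organization has issued remote access to (constructed list).
KNOWN_ACCOUNTS = {"alice", "bob", "carol", "dave", "erin"}


def parse_ts(text):
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Return (timestamp, user, result) for one log line, or None if it is malformed."""
    parts = line.split()
    try:
        ts = parse_ts(parts[0])
    except (IndexError, ValueError):
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if "user" not in fields or "result" not in fields:
        return None
    return ts, fields["user"], fields["result"]


def last_successful_login(log_text):
    """Map each user to the timestamp of their most recent successful login."""
    last = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != "success":
            continue  # skip malformed lines; failed attempts are not activity
        ts, user, _ = rec
        if user not in last or ts > last[user]:
            last[user] = ts
    return last


def stale_accounts(log_text, known_accounts, as_of, max_idle_days=30):
    """Accounts with no successful login in the last max_idle_days before as_of (a log-style timestamp)."""
    cutoff = parse_ts(as_of) - timedelta(days=max_idle_days)
    last = last_successful_login(log_text)
    return sorted(u for u in known_accounts if u not in last or last[u] < cutoff)


if __name__ == "__main__":
    print(stale_accounts(SAMPLE_LOG, KNOWN_ACCOUNTS, "2024-06-15T00:00:00Z"))  # ['bob', 'carol', 'erin']
```

Accounts this flags are candidates for disabling; carol appears because a failed login attempt does not count as activity, and erin because she never connected at all.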
Remote employees aren't exempt from following data security practices. It's in your best interest to define all remote employee guidelines and ensure all signed documents involving remote work are up-to-date, signed, and safely stored. Taking these steps will ensure you're compliant should HHS come calling!