Cyber Risk: Safeguarding Electronic Information
How is it that we bless the handy electronic device when it delivers information instantly, and then curse it when it quietly slips that same information to someone outside our organization? Technology is a wonderful and necessary tool, but it comes with risk. We can minimize risk by taking common sense measures.
Almost every day we hear about an incident in which sensitive data is stolen or inadvertently released to the public. Personal information can be used by criminals to open lines of credit, defraud retailers and secure employment under assumed names, and the damage reaches far beyond the individual victim whose identity is stolen. The institution responsible for retaining the data may be held liable for the release of information and the costs incurred by the victims as a result of the breach. You can help prevent these incidents by taking some simple precautions.
Keep an Eye on Hardware
Desktops and laptops used to store personal or financial information about parishioners, students, staff or donors must be kept secure from unauthorized use. Start by password-protecting all equipment. Each user should have a separate, secure log-on ID. This lets you or your system administrator track each computer. Install a time-out function on computers that will shut down the device after a period of inactivity, thus protecting data that may have been left open on a screen.
If laptops are intended for semi-permanent use in a location, such as a computer lab or parish office, they should be attached to the furniture with security cables or stored as a group in a locked moveable cabinet secured to a building fixture.
When you are ready to replace or upgrade computers, don’t just discard them or give them away - wipe them clean first. Check with the Department of Computer Services on the proper way to permanently delete and dispose of data and components.
Protect your information against theft or misuse with firewalls and anti-virus software. Use this same technology to prevent students from accessing inappropriate content from the Internet.
Viruses are software programs that spread from one computer to another. They corrupt or delete information and can allow unauthorized access to your computer. You must have anti-virus software on all of your computers. If the diocesan Department of Computer Services does not mandate a specific one, you may use a commercially available product. The price of the software will include updates. It is critical that you download and install anti-virus software updates each time they are offered. You may also choose an option that allows the updates to install automatically.
Firewalls are electronic devices that permit or deny network transmissions. They protect your local parish or school network from unauthorized access, while allowing legitimate content to pass to your users. The rules for who and what can pass are written into filters that can limit the types of sites, the types of data and the times of day they can be accessed. Subscribe to a service that will provide your system administrator with weekly management reports that flag activity outside school hours and requests for access to ‘blocked’ Internet sites.
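For a system administrator who wants to see what such a weekly report checks, the following is an added example, not part of the original article or any vendor's product. The log layout, the 7:00 to 17:00 weekday school hours, and the device and site names are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, time

# Assumed school hours and log layout; adjust to your own filter's export.
SCHOOL_START, SCHOOL_END = time(7, 0), time(17, 0)

# Constructed sample lines (timestamp, device, filter decision, site).
SAMPLE_LOG = """\
2024-03-04T10:12:45 device=lab-pc-03 action=ALLOW site=encyclopedia.example
2024-03-04T13:02:10 device=lab-pc-07 action=BLOCK site=games.example
2024-03-05T22:41:09 device=office-pc-01 action=ALLOW site=fileshare.example
2024-03-09T11:30:00 device=lab-pc-07 action=BLOCK site=games.example
this line is malformed and should be skipped
"""

def parse_line(line):
    """Return (when, device, action, site) or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:])
        return when, fields["device"], fields["action"], fields["site"]
    except (ValueError, KeyError):
        return None

def outside_school_hours(when):
    """True on weekends or outside SCHOOL_START..SCHOOL_END on weekdays."""
    return when.weekday() >= 5 or not (SCHOOL_START <= when.time() < SCHOOL_END)

def weekly_report(log_text):
    """Count flagged events per device for the two report categories."""
    after_hours, blocked, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        when, device, action, site = rec
        if outside_school_hours(when):
            after_hours[device] += 1
        if action == "BLOCK":
            blocked[(device, site)] += 1
    return {"after_hours": after_hours, "blocked": blocked, "skipped": skipped}

if __name__ == "__main__":
    for section, value in weekly_report(SAMPLE_LOG).items():
        print(section, dict(value) if isinstance(value, Counter) else value)
```

The skipped count is worth reviewing too: a sudden rise in unreadable lines can mean the filter's export format changed and events are going unreported.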
Establish and Follow Local Policy
Every parish and school should establish policies and procedures to manage the security of 21st-century technology, recognizing the need to balance information accessibility, privacy and software/hardware affordability.
Your Department of Computer Services is a font of valuable information and practical, effective solutions for hardware, software and security. There is likely no problem they have not already addressed for another parish or school. It is a good idea for each parish and school to have an electronic device and Internet use policy as part of its handbook.
Local policy should be compliant with the Diocesan Safe Environment program and two federal laws that reflect concern for student information and Internet safety: the Children’s Internet Protection Act (CIPA) and the Family Educational Rights and Privacy Act (FERPA).
Ask Questions of Vendors
Third parties want to do business with your parish or school. The positive association is good for them and it makes life easier for your staff and families to sign on with an offertory management company, payroll service or tuition collection operation. Go for it! BUT READ THE FINE PRINT, and make sure your parish or school attorney reviews it, as well. Make sure the vendor specifically states it will not rent, sell, exchange or lend information to any other organization. And ensure that the contract you sign puts all liability on the vendor if there is a data breach.
Technology is amazing and no one wants to revert to the abacus—but it’s prudent to safeguard your equipment and data. You are not expected to be an expert, so please ask for help.
Insurance Coverage Questions
If you have questions about our Cyber Risk Insurance coverage, please call our insurance hotline: 1-800-690-8709.