Highly Sensitive Information (HSI) – Social Security numbers, Driver’s License numbers, credit/debit card numbers, checking/savings/bank account numbers, etc.
Allowed Personal Health Information (PHI) – As defined by HIPAA: Name(s), address(es), telephone number(s), electronic mail address(es), any other contact information, age, gender, date of birth/death, facsimile number(s), web universal resource locators (URLs), internet protocol (IP) address number(s), client record identification number(s), date(s) of healthcare provided, department(s) of service, treating physician(s), outcome information, and health insurance status.
Confidential Information (CI) – Includes all Allowed PHI. Also includes financial information such as donation amounts and donor demographic information as related to fundraising communications.
Data Team – The tightly controlled list of employees with access to Confidential Information.
SFTP – Secure File Transfer Protocol. An encrypted and controlled method by which Confidential Information may be securely sent or received.
External Storage – Storage devices such as USB Drives, CD/DVDs, SD Cards, etc., as well as cloud storage services such as DropBox, Apple iCloud, Personal Google Drives, etc.
DoD 5220.22-M – Standard method of data sanitation as described by the U.S. National Industrial Security Program Operating Manual published by the U.S. Department of Defense
2. DATA HANDLING
Pursuant’s policy is to never receive or handle, whether from a client or produced internally, Highly Sensitive Information. Pursuant only accepts data related to fundraising communications (as outlined in HIPAA Subpart E – §164.514(f)). If any non–Allowed PHI is received or produced for any reason, it is to be immediately reported and destroyed per the Data Destruction section outlined in this document.)
Confidential Information (CI) is only allowed to be sent or received to/from clients through SFTP. When CI is received by Pursuant, or created while conducting official business, Pursuant will maintain this information as confidential. All employees are instructed and trained to recognize this information as sensitive and to hold it in strictest confidence. CI is only allowed to be accessed by, and stored on the systems of, employees that are members of the Data Team, as is necessary for their job function. Data Team systems are fully encrypted and transferring of CI to unencrypted External Storage or systems is not allowed.
3. DATA STORAGE
Confidential Information is only stored while the relevant parties or clients have an active relationship with Pursuant. Once CI is no longer necessary to Pursuant business functions, it is kept only as long as is required by federal and state law for the purposes of record keeping in the event of future litigation. Portions that are not relevant to that purpose or CI that is older than what is legally relevant is destroyed per the Data Destruction section outlined below.
All Pursuant data, including CI, is stored on servers and systems that are kept physically secured within the Pursuant office behind multiple locks, access to which is tightly controlled. These systems are also under 24/7 video surveillance. Off-site backup data is stored securely in Amazon S3 Glacier cloud-based storage through AWS. More information about Amazon S3 Glacier storage can be found in the Important Links section below.
4. ACCESS CONTROL
Only Pursuant employees and contractors who have been trained on and accepted the Information Security Policy may access data on Pursuant systems. Confidential Information is only accessible by members of the Data Team. The Data Team is audited and controlled on a continual basis, ensuring that only employees who absolutely require access to CI in order to complete their job functions are granted that access. Any attempts to gain access to CI by any individual outside of the Data Team will result in an immediate alert to IT staff. Terminated employees and contractors are immediately removed from access upon termination.
Clients may request a list of the names of all individuals who have access to their data at any time.
5. DATA DESTRUCTION
Special care is given to ensure Confidential Information is destroyed in such a way that it cannot be recovered. Any External Storage media that contains Confidential Information is wiped in accordance with the DoD 5220.22-M Standard and subsequently physically destroyed and rendered inoperable. Any CI that must be destroyed which resides on internal Pursuant storage systems is permanently deleted directly from that location. Any system or data backups that contain destroyed CI are allowed to hold that data until it is naturally overwritten by the backup cycle.
6. BREACH PROTOCOL
In the event of a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Confidential Information, immediately upon discovery, Pursuant will assess the scope of the breach and begin work to contain the breach and limit further compromise of data as much as possible. Immediately after determining the scope of data potentially compromised by the breach, Pursuant will notify all affected parties. The communication sent will include the scope of the breach and what steps Pursuant is taking to ensure the breach is contained. Pursuant will maintain an open dialog with all affected parties throughout the entire breach management process. Once the cause of the breach has been determined, Pursuant will put controls, policies, and/or procedures in place to better secure the environment against future breaches.
7. IMPORTANT LINKS
Pursuant Information Security Policy (Permission to view granted by request only) – https://drive.google.com/file/d/1F7k2GYF4Yf2HMTgV0OMuYca9SzC8TAIR/view
DoD 5220.22-M NISP Operating Manual – https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/522022M.pdf?ver=2017-04-17- 134632-467
HIPAA Regulation Text – https://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf
Amazon S3 Glacier – https://aws.amazon.com/glacier/
This document is a summary of relevant points defined in the Pursuant Information Security Policy. Please refer to that document for more detailed information.