What you can do to make your database more secure
There’s a story making the rounds about a group in Utah calling itself “Concerned Citizens of the United States” who sent a list of 1,300 mostly Latino names to the press and law enforcement agencies in Utah. The list apparently names people that the group claims are undocumented, and it includes a pretty chilling set of personal information: names, addresses, workplaces, social security numbers, even kids’ names and due dates for pregnant women on the list. As you can probably guess, the group is demanding that the people on the list be deported immediately. You can read the full article here.
When I read it, my first reaction was revulsion and disgust at the gall of this group to do something like this. History is unfortunately replete with examples of such lists, from the Holocaust, to the internment of immigrant groups, to the persecution of organizers at recent political convention protests. Or even the TSA’s no-fly list that keeps accidentally listing people. And unlike other forms of persecution – racial profiling laws, etc. – lists have an especially chilling power because they’re personal. A list like this comes out and you wonder – am I on the list? Will I be? And, maybe most importantly, how did they get this information and what happened to my – to our – right to privacy?
Thinking about this question – where the information came from – I suspected, as the article does, that the lists are likely coming from state agencies. I can’t think of other data sources that would have information like social security, children’s names, and mother’s due dates. However, thinking about this also made me think about the organizing groups that PTP works with, and the safety and security of their lists.
Whether you’re using PowerBase or not, there are a couple of simple things you can do to make your organization’s data safer. These tips won’t protect you 100%; our organizations are simply too open to prevent malicious individuals from compromising our data. But they will help ensure that you’re doing what you can to limit the exposure of your members in the event that your data is compromised.
- Don’t store data that you shouldn’t be collecting in the first place. At the top of my list of things never to collect: a) social security numbers; b) credit card or banking information; c) immigration status.
- Use strong passwords, and change them frequently. Also, don’t use the same password for everything or everyone. There are far too many progressive organizations that use the same passwords for everything, and often those passwords are some variant on “justice.” Click here for a nice tutorial on creating good passwords.
- Restrict access where it makes sense. Most database systems enable you to create different types of permission for different users. Use this feature, but use it with care: you want to be sure that your staff have access to the information they need, because if they don’t, you’ll be creating a barrier to using your database effectively. At the same time, I’d be willing to bet that not everyone in your organization needs access to everything. For example, if you have volunteers and members doing data entry for you, consider a permission level that gives them the ability to enter data, but not the ability to read or export data (i.e., write access, but not read access).
- Develop and use privacy and technology use policies so that everyone in your organization understands your organization’s perspective on your technology resources, and in particular your data practices. Your policies should include a clear description of who has access to what information, and with whom information can be shared.
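
The write-but-not-read permission level from the “restrict access” tip, sketched for PostgreSQL as an added example that is not part of the original post or of PowerBase. The table, column and role names are hypothetical, and the script assumes it is run by the table owner or a superuser.

```sql
-- Added example; table, column and role names are hypothetical.
-- Run as the table owner or a superuser in PostgreSQL.

CREATE TABLE members (
    id         bigserial PRIMARY KEY,
    full_name  text NOT NULL,
    phone      text,
    entered_by text NOT NULL DEFAULT current_user,
    entered_at timestamptz NOT NULL DEFAULT now()
);

-- Group roles: one for data-entry volunteers, one for staff.
CREATE ROLE data_entry NOLOGIN;
CREATE ROLE staff NOLOGIN;

-- Start from nothing, then grant only what each role needs.
REVOKE ALL ON members FROM PUBLIC;

-- Volunteers: may add rows, and only into the listed columns.
GRANT INSERT (full_name, phone) ON members TO data_entry;

-- Staff: may read and correct records, but not delete them.
GRANT SELECT, INSERT, UPDATE ON members TO staff;

-- bigserial draws ids from a sequence; inserting needs USAGE on it.
GRANT USAGE ON SEQUENCE members_id_seq TO data_entry, staff;

-- Check the result while acting as a volunteer.
SET ROLE data_entry;

-- Allowed: a plain insert of the permitted columns.
INSERT INTO members (full_name, phone) VALUES ('Sample Person', '555-0100');

-- Rejected: reading or exporting requires SELECT.
SELECT * FROM members;

-- Rejected: RETURNING reads the new row back, so it also requires SELECT.
INSERT INTO members (full_name) VALUES ('Another Sample') RETURNING id;

-- Rejected: the role holds no UPDATE or DELETE privilege.
DELETE FROM members WHERE full_name = 'Sample Person';

RESET ROLE;
```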
Are these practices going to solve all your data security problems? No. What they will do is get you and your organization on the path to building a culture where you’re taking appropriate care to safeguard the information that’s critical to your organization’s success.

