Tag Archives: blackbaud

Notes From Here And There

Long time no blog, but I have good excuses.  Moving cross-country, even with a modest family of three, is no picnic, and we are now, over 13 months since I was offered the job in DC, starting to see the light at the end of the tunnel. Since summer, I’ve been frantically house hunting and, since December, busy relocating (for the third time) to our new, tree-laden home in Reston.

This, however, doesn’t mean that I haven’t been writing or totally neglecting my nptech duties. So here are some things to look forward to:

#ntcbeer. First and foremost. The annual Nonprofit Technology Conference runs here in DC from March 13th to 15th, and the 6th Annual #ntcbeer will take place, as always, the night prior (Wednesday, 3/12, 7pm).  This year we’re at the Black Squirrel, a bar that’s a 15 minute stroll from the hotel (in the trendy Adams Morgan district) with three stories and 80 craft beers, which one would hope will meet the requirements. But I’m willing to bet (seriously!  Who wants to get in the pool?) that we will top their max standing room of about 200 people.  Here’s my logic: we averaged about 175 people last year in Minneapolis and the year prior in SF.  Minneapolis likely would have been bigger but a lot of planes were delayed by weather.  This year, we’re in DC, and that means two things: first, this is the largest center for NPOs in the world.  A lot more of the attendees live here. Second, it’s a very social place.  So I think that it’s not only likely that we’ll top 200; I don’t think 300 is out of range. We’ll have the Facebook page up in a week or two and we can hammer it all out there.

Also, #ntcbeer has sponsors this year.  We’ve been bought out by Blackbaud. (kidding!). Blackbaud and CommunityIT will be on hand with snacks and possible giveaways.  We’re figuring all of that out. Sponsorship is good, because this year we did manage to find a bar that doesn’t require a financial commitment up front, but I don’t think that will be possible in SF next year, given what a hard time we had finding a location in 2012.

Related, details to come, is that, prior to #ntcbeer on the 12th, I’ll be hosting a pre-conference workshop on IT Leadership with Richard Wollenberger and Katie Fritz.

As to that writing, keep your eyes open this week and next for NTEN’s release of “Collected Voices: Data-Driven Nonprofits”. I spent 2013 participating in NTEN and Microsoft’s Communities of Impact program, where I joined 17 other nonprofit staff in diving into the challenges of managing, maximizing and sharing data in our sector.  We had two in-person, two-day meetings; numerous calls with bright presenters; active and professional facilitation by Julia Smith, NTEN’s Program Director; and this is the final product.  In addition to a few case studies and short pieces, I contributed an article on “Architecting Healthy Data Management Systems”. As this is really the focus of my career, whether it was unifying the database backend and building a portal to all client data at a law firm in the 90’s, or developing an open source retail data warehouse at Goodwill, or migrating/connecting all of LSC’s grantee data and documents to a Salesforce instance at my current job, this is the work that I think I do best, and I have a lot of best practices to share.  So I’m somewhat proud and happy to be publishing this article. It will be a free download for NTEN members.

Speaking of LSC, I’ve been busy there as well. We held our 14th annual technology conference two weeks ago, with record attendance. Among the crowd were frequent collaborators of mine like Laura Quinn of Idealware and Matt Eshleman of CommunityIT. It was a great time, with a lot of valuable sessions and discussions on data, internet security, and business process mapping.  We held a “Meet the Developer” session where our grantees, for the first time, got to speak directly with the guy that programs our online applications and give him some direct feedback. I attended in order to both facilitate and act as a human shield.  😉

The conference followed the release of our report on the two year technology summit that we hosted.  This consisted of two gatherings of leaders in the access to justice community from legal aid law firms, the courts, the ABA, the State Department, and the NLADA, along with key application developers and strategic thinkers.  We worked on a goal:

“to explore the potential of technology to move the United States toward providing some form of effective assistance to 100% of persons otherwise unable to afford an attorney for dealing with essential civil legal needs.”

Currently, the research shows that only 20% of those that qualify for and need the legal assistance that our funding provides are being served by the limited pool of attorneys and resources dedicated to this work. The report makes the case that 100% can receive some level of assistance, even if that isn’t actual legal representation, by innovative use of technology.  But we are working on the assertion that some help is better than no help, which is what 80% of those who need help get today.

The key strategies include:

  • using statewide portals effectively to connect people to the available resources
  • maximizing the use of document assembly to assist individuals in preparing court forms (a goal that lives or dies by the standardization of such forms, which is currently a big challenge)
  • Expanded use of mobile and SMS (many of the people who need assistance lack computers and smartphones, but can text)
  • Business Process Analysis, to ensure that we are efficiently delivering any and all services, and
  • Expert Systems and intelligent Checklists, in order to resource individuals and attorneys to navigate the legal system.

As I mention here often, the right to an attorney only applies to criminal cases, not civil, but the peril for low income families and individuals from civil lawsuits is apparent.  You could lose your house, your children, your job, or your health if you can’t properly defend yourself against a wealthier accuser.  Equal justice is a cornerstone of American ethics. Take a look at the best thinking on how technology can help to restore it.

Pop Quiz: PCI Compliance

This post was first published on the Idealware Blog in August of 2009.

The credit card industry is doing the right thing by consumers and enforcing proper security measures regarding the handling of credit card information.  You might have heard about this – a number of the popular vendors of donor databases are recommending upgrades based on their compliance with these regulations. The “Payment Card Industry Data Security Standard”, commonly known as PCI DSS, is a set of guidelines for securely handling credit card information.  The standard has been around for about four years, but early enforcement efforts focused on companies with a high volume of credit card transactions.  Now that they’re all in compliance, they’ve set their sights on smaller businesses and nonprofits. So, what does this mean? Here’s the simplest F.A.Q. that you’re likely to find on the topic:

  • Do you ever process online, phoned in, or mailed-in credit card donations in-house? e.g., do you maintain the credit card number, expiration date and name of a donor?

If no, you don’t have to worry about this.

  • If yes, do you have more than 20,000 such transactions annually?

Well, if you do, congratulations!  Most nonprofits don’t, so they qualify for level 4 of the PCI Compliance scale. That results in a Self Assessment Questionnaire (SAQ) Validation type of “4”.  Higher validation types are subject to stricter security standards.

The Self-Assessment Questionnaire will ask you all sorts of technical questions about your network and security procedures.  Do you have a firewall?  Are all of your transactions encrypted?  Do you use anti-virus software?  Is credit card information properly restricted to authorized staff?

Depending on your network, you might already comply with a lot of the requirements.  If you don’t, then it might require a significant investment to get there.

  • What will happen if I ignore this?

This isn’t government regulation (although your state might have laws in place that do mandate some similar response). Participation is not mandatory.  But, should your security be breached, two things will happen:

  1. The compliance requirements for your organization will be reassessed to level one or two, and they’ll be much more costly and complicated to meet.  The credit card companies might decline to do business with you if you don’t comply.  Can you afford to not take Visa?
  2. You will likely be indirectly fined for non-compliance.  The credit card companies will hold your bank liable for losses due to credit card theft in situations where your security was substandard.  Your bank will likely pass that fine on to you.

  • So what’s the easiest way to deal with this?

Simple: don’t handle credit cards.  There are a number of services that, for a price, will do this for you, from Paypal and Google Checkout to CharityWeb and Blackbaud’s BBNow. Outsourced ECRM software (NetCommunity, Convio, Democracy in Action, etc.) will also handle it. The cost is likely not as significant as that of maintaining compliance or suffering the consequences of a non-compliant breach.

I’ll share that, at the Goodwill where I used to work, outsourcing wasn’t an option, because we were both a charity and a retailer. Our frustration was not that we didn’t have good security in place.  It was that there were differences in how we had set up our security and the PCI DSS requirements.  So, while we had done a lot of work and made significant investments, we still had to reconfigure things and spend more in order to be compliant.  In addition to making our internal IT changes, we had to switch software programs in order to avoid storing credit cards unencrypted in our database, a typical problem.  We also engaged a consultant.  Once you are reasonably sure that you comply, then you must pay a security service to verify your efforts, another non-trivial expense.

Blackbaud has put together some good further reading on this topic (and they are one of the vendors whose latest software is compliant; ask your eCRM vendor!).

Balancing Act

My friends at Blackbaud referred me to this excellent post by Jay Love, CEO of ETapestry, once a small donor database service, now a subsidiary of the mother of all donor database companies. Jay’s timely caution to nonprofits is that they be skeptical about all of the for-profit folk answering their employment ads in the face of the poor economy. People from that side of the dollar fence are generally unprepared for the culture of nonprofits. His story about vendors trying to break into our sector with no experience or research into our needs is fascinating. But I have a different take on hiring people from the for-profit world, and while Jay seems to be saying “don’t do it”, I’m on the “be sure to do it – in moderation” side.

Of course, the healthy disclaimer is that I never worked for a nonprofit, or knew all that much about the culture, before I took a job at Goodwill in late 2000. But I did have enough sense to pick an NPO that ran more like a traditional business than most, at least in some ways, and I took some time to adjust to the culture before I tried to push through any changes. Which isn’t to say that I blend all that well – I’m one of the people complaining that we move too slowly and that consensus is not a value, it’s a tool that, like most tools, is better suited for some tasks than others.

Any business (and nonprofits are businesses) benefits from diversity, just as any business benefits by retaining internal expertise. Businesses suffer when they lean too far in one direction or the other. If your hiring policy is to only hire people who are lifetime nonprofit workers, you run the risk of stifling innovation and you court stagnation. The world doesn’t sit still around us, so we have to dynamically adapt to it. A key tool for managing that adaption is to maintain a diversity of experience and skills in your organization.

Think about it: ten or fifteen years ago, non-profits were largely unregulated. There was no HIPAA. There was no Sarbanes-Oxley, which, while not designed for NPOs, is generally agreed to impose guidelines on us. There was no PCI compliance, the next wave of external oversight that will demand that we modify our processes and investments. Beyond the 990 and what we chose to disclose about our outcomes, there was little demand for detailed metrics. These are all circumstances that the for-profit world, with traditional government oversight and accountability to shareholders, has dealt with for decades. We need some of that expertise.

Of course, it’s a scale, and just as we can suffer from cultural insulation, we can suffer by turning over too dramatically. While I would steadfastly debate that we need some of that for-profit perspective on board, I’ve seen a few examples of for-profit executives that take over as CEOs and — because the nonprofit style is so antithetical to the big business style — quickly replace everyone that, to them, looked like they weren’t up to the task of running “a business”. This type of culture change, in a nonprofit, is deadly, because it is a misconception to think that we can run like normal businesses. When that happens, the nonprofit runs the risk of losing all of the internal historical expertise, as the people who aren’t squeezed out don’t stick around for the cultural change, and the new execs face the budgeting challenges with no perspective to draw on.

So, a businessman like me – and I absolutely consider myself a businessman — gets frustrated with the slow pace at the nonprofits that I work for. And I beg, moan and try and shame my boss into adopting more business-like practices. But I don’t sweat it too much, because, at the end of the day, even if we don’t do things in the efficient and productive ways that I’m so stuck on adopting, we still do an amazing job of defending the planet, or, you can fill your mission in here. I’d hate to see it fall apart because we didn’t properly comply with regulations or we simply didn’t manage our resources well, and we have to staff to address that. So my shoutback to Jay Love is that the bunker mentality is a bit much. Let a few for-profit types in the door. But, until they understand and value our culture, don’t let them drive.