Privacy Statement and Notice | Pioneer Valley Habitat for Humanity

At Pioneer Valley Habitat for Humanity, we are committed to keeping your information private. We recognize the importance applicants, program families, tenants, and homeowners place on the privacy and confidentiality of their information. While new technologies allow us to more efficiently serve our customers, we are committed to maintaining privacy standards that are synonymous with our established and trusted name.

We collect nonpublic personal information about you from the following sources:

Information we receive from you on applications or other forms;
Information about your transactions with us or others; and
Information we receive from a consumer reporting agency.

Pioneer Valley Habitat for Humanity employees and volunteers are subject to a written policy regarding confidentiality, and access to applicant data is restricted to staff and volunteers on an as-needed basis. When collecting, storing, and retrieving applicant, program family, and homeowner data – such as tax returns, pay stubs, credit reports, employment verifications and payment history – internal controls are maintained throughout the process to ensure security and confidentiality.

Email and text message communications: We may use email and text messaging to communicate with you. Normal messaging rates apply and the frequency of messages may vary. Mobile Carriers are not liable for delayed or undelivered messages. No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

Opt-out of email or text message communications: You may change your communication preferences or opt-out of email messaging at any time using the link at the bottom of any email. You may opt-out of text messaging at any time by replying to any message with STOP contacting us at info@pvhabitat.org. This will end the communications from that particular phone number. You may continue to receive service-related and other non-marketing text messages from other phone numbers managed by Pioneer Valley Habitat for Humanity, and you may opt out of those in a similar fashion.

We may disclose nonpublic personal information about you to the following types of third parties, only as necessary to effect, administer or enforce a transaction for you:

Financial service providers, such as mortgage servicing agents;
Nonprofit organizations, government entities, or other subsidy providers.

We may disclose the following kinds of nonpublic personal information about you may be shared only with the above third parties:

Information we receive from you on applications or other forms, such as your name, address, social security number, assets and income;
Information about your transactions with us or others such as your loan balance and payment history; and
Information we receive from a consumer reporting agency such as your creditworthiness and credit history.

Your information is never shared with non-affiliated third parties for any other purpose.

Written Information Security Plan

INFORMATION SECURITY POLICY

OBJECTIVE

In order to protect the privacy and personal information of our donors, applicants, homeowners and staff, Pioneer Valley Habitat for Humanity (Habitat) has developed this written Information Security Program. This is a comprehensive set of guidelines and policies that we have implemented in compliance with Massachusetts General Laws 201 CMR 17 “Standards for the Protection of Personal Information of Residents of the Commonwealth,” as well as other federal, state and international regulations and standards. This plan will be reviewed on an annual basis and amended as necessary to protect “personal information” (see definition that follows).

Personal Information

For the purposes of this policy, “personal information” is defined as a Massachusetts resident’s first and last name, or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without security code, personal identification number or password, that would permit access to a resident’s financial account (with the exception of information that has been lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public).

Designated Employees to Maintain Security Plan [201 CMR 17.03 (a)]

At Habitat, the Executive Director is the designated employee in charge of maintaining, updating, and implementing our Information Security Program.

Pre-Authorized Users

At Habitat, we have identified specific employees and non-employee volunteers who, based on his or her role, require access to personal information in order to carry out their assigned tasks as directed by the Board of Directors and/or the Executive Director. These “Pre-Authorized Users” (PAU) are identified in a documented list maintained by the Executive Director. Other employees and volunteers may not access personal information without specific written approval from the Executive Director or his/her designee.

Internal and External Risk Assessment [201 CMR 17.03 (b)]

In order to assess any risks of access to personal information, we have evaluated and restricted where that information may be present. Habitat may keep personal information and any other sensitive information in our on-premise filing cabinets, on cloud storage (an encrypted third party “cloud” service), on desktop PCs, and in storage areas which are password protected and/or key locked. We do not allow any personal information to reside on any employee’s or Pre-Authorized User’s (PAU) personal computer. Our internal computers are protected behind a firewall. In order to insure that none of this information is vulnerable to a breach, we have implemented these following policies and practices.

Employee Training [201 CMR 17.03 (b) (i)]

All employees and PAU are responsible for maintaining the privacy and integrity of personal information. Any paper record containing personal information about any donor, applicant, homeowner or staff member must be kept behind lock and key when not in use. Any computer file containing personal information will be kept on a password protected computer. No personal information is to be disclosed without first fully authenticating the receiving party.

When disposing of paper records containing personal information, a crosscut shredder or outside shredding service will be used. Similar appropriate electronic methods will be used for disposing of electronic media.

Habitat trains all new employees and PAU on this policy, and there are also annual reviews for existing employees and PAU. Such training will be documented and each employee or PAU present will certify their attendance.

Employee Compliance [201 CMR 17.03 (b) (11)]

Any employee or PAU who discloses personal information or fails to comply with these policies will face immediate disciplinary action including the possibility of termination from Habitat.

Detecting Preventing Security System Failures [201 CMR 17.03 (b) (iii)]

Habitat will monitor notifications of off-site data storage (such as a cloud based storage) activity in order to determine if there have been any unauthorized electronic security breaches of policy. A Security System evaluation will be performed annually by the Executive Director under guidance provided by the Board of Directors. Additionally, all employees and PAU are trained to watch for any possible physical security breaches, such as unauthorized personnel accessing file cabinets or computer systems.

Keeping, Accessing and Transporting Personal Information [201 CMR 17.03 (c)]

As mentioned above, Habitat will take all reasonable measures to ensure that employees and PAU are trained to keep all paper and electronic records containing personal information on-site. Only the minimum information necessary will be brought off-site, and paper records will be kept behind lock and key. Records brought off-site will be returned to the Habitat office as soon as possible. Exceptions to this rule (e.g. issuance of Habitat laptops) may be approved by the Executive Director.

Documents, electronic devices or digital media should not be left unattended or open in an employee’s or PAU car, home or in any other potentially insecure location. As a safeguard, timeout parameters (e.g. 15 minutes) should be set on all computers left unattended.

Personal information must be encrypted when it is transmitted, whether across public networks or wirelessly. All incoming personal information should be directed to accounts@pvhabitat.org or apply@pvhabitat.org – these two email addresses will only be checked on an encrypted computer. No Habitat representative should send or reply directly to any email with personal information contained in it.

Disciplinary Measures [201 CMR 17.03 (d)]

Any employee or PAU who willfully discloses personal information or fails to comply with these policies will face immediate disciplinary action including the possibility of termination from Habitat.

Prevention of Terminated Employees from Accessing Information [201 CMR 17.03 (e)]

The computer access passwords of all terminated employees and PAUs will be immediately disabled. Physical access to any documents or resources containing personal information will also be immediately discontinued. In addition, all Habitat forms of identification and any access keys to entry and/or filing cabinets must be returned to the Executive Director prior to the departure of a terminated employee or PAU.

Third-Party Service Providers [201 CMR 17.03 (f)]

Access to personal information by third-party service providers will be kept to a bare minimum. Any third party service provider who does require access to information will be fully vetted under the direction of the Executive Director.

Limiting Information Collected [201 CMR17.03 (g)]

Habitat is committed to collecting only the minimum of personal information necessary to accomplish our purposes; old information is also disposed of securely in accordance with our Document Retention and Destruction Policy.

Identifying Where Personal Information is Stored [201 CMR 17.03 (h)]

Personal information is stored in the following locations: locked filing cabinets, secured off-site data storage (cloud storage), password protected computers and a bank safe deposit box.

Physical Access Restrictions [201 CMR 17.03 (i)]

The Habitat office is kept locked when employees are not present and unauthorized third-parties are not allowed physical access to records. The Executive Director maintains a pre-approved list of those individuals with key access to paper records. Paper files that are not currently in use are kept in a secure space as identified by the Executive Director. In addition, electronic records are kept in off-site data storage (cloud storage) which are housed behind multiple layers of electronic safeguards.

Monitoring and Upgrading Information Safeguards [201 CMR 17.03 (i)]

Habitat’s appointed information security coordinator, the Executive Director, will continually monitor and annually assess all of our information safeguards to determine when upgrades may be necessary.

Annual Review [201 CMR 17.03 (k)]

Habitat’s appointed information security coordinator will also perform a documented annual review of our information security plan.

Documenting and Reviewing Breaches [201 CMR 17.03 (l)]

Habitat’s information security coordinator will thoroughly document and review any breach that may occur. Records of this will be kept on file with our Information Security Policy.

Computer System Requirements [201 CMR 17.04]

To combat external risk and security of our data, Habitat has implemented the measures that follow.

Secure User Authentication Protocols: [201 CMR 17.04 (1) (i, ii, iii, iv, v)]

Passwords are required for all user accounts. All employees receive their own user accounts.

Passwords are changed upon an employee or PAU relationship termination. The computer access password of any terminated employee or PAU will be disabled before the employee is terminated.

Secure Access Control Measures: [201 CMR 17.04 (2) (i, ii)]

Only employees and PAUs that need access to the personal information are given access to folders.

Each person has a unique password. These passwords are not assigned by any vendor.

Encryption on Public Networks [201 CMR 17.04 (3)]

The designated Habitat associate receives a security alert on off-site data storage (cloud storage) files which have been accessed. This security notice can be used to order to detect any possible breaches on a timely basis, and must be subsequently reported to the Executive Director within 24 hours.

Laptops and Portable Devices [201 CMR 17.04 (5)]

All laptops and other portable devices or storage currently in use that have personal information stored directly on them will be encrypted and password protected. Personal information should not be stored on cell phones or other portable devices that are not encrypted.

Security Updates and Patches: [201 CMR 17.04 (6)]

Operating system patches and security updates are installed when appropriate.

Antivirus and Updates [201 CMR 17.04 (7)]

Habitat does not maintain a network server. Habitat currently uses a third party “cloud” vendor that maintains a high level of password protection, anti-virus and encrypted software.

Employees and PAUs will be trained in the proper use of the computer security system and the importance of personal information security [201 CMR 17.04 (8)]

All employees and PAUs are responsible for maintaining the privacy and integrity of personal information. All employees and PAUs have been trained that any paper record containing personal information about any donor, applicant, homeowner or staff member must be kept behind lock and key when not in use. Any computer file containing personal information will be kept password-protected.

All new employees will be trained on this policy and there are also annual reviews for existing employees.

2020 Blackbaud Data Breach

Pioneer Valley Habitat for Humanity was affected by a data breach. Contact and donation history data (no bank or credit card details) were included in a third-party-hosted database that was hacked by a malicious actor this year. The breach of the database was limited in scope to what is considered by cybersecurity experts to be non-sensitive information and any potential impact of the breach appears to have been successfully mitigated. There is no action required by you at this time.

In the interest of full transparency, we believe it is our moral obligation to notify you of this breach in spite of its limited nature and successful mitigation. In this letter, we are sharing the relevant information we have received about the breach, as well as the steps we are taking to protect your information in the future.

What was impacted?

Some data related to your past support of Pioneer Valley Habitat for Humanity was stored in a database managed by a third-party vendor, Blackbaud, which was accessed illegally by hackers. Specifically, information relating to you may have included:

Your name
Your current or former contact information (including your address, phone number and/or e-mail address)
Information regarding past donations in support of Pioneer Valley Habitat for Humanity, including amounts and dates
Information regarding past volunteering with Pioneer Valley Habitat for Humanity, including type of volunteering and dates

No sensitive financial records (such as credit cards or bank information) were accessed by the hacker.

As the data management vendor, Blackbaud was responsible for all data security. Blackbaud has published information about the hacking incident here: www.blackbaud.com/securityincident.

The hack was performed by cybercriminals who demanded a ransom to restore the data to Blackbaud. Blackbaud has publicly reported that they paid the ransom and received confirmation that the copy of the data held by the hackers was deleted.

Pioneer Valley Habitat for Humanity was informed of the data breach on July 16, 2020. The breach itself took place between Feb. 7 and May 20 of this year. Since being informed, we have been working to gather information about the scope and severity of the incident, as well as engaging cybersecurity experts to evaluate the impact of the breach on our supporters, ensure that our systems are protected, and notify global regulatory authorities as appropriate.

We are coordinating our work with Habitat for Humanity International, which is working in coalition with other nonprofit organizations affected by the breach to ensure that Blackbaud is held accountable for the consequences of the breach, and that it informs all affected organizations and patches the security holes that allowed this breach to take place.

Pioneer Valley Habitat for Humanity’s commitment to protecting your data

Pioneer Valley Habitat for Humanity is deeply concerned with protecting the data of our supporters, including our valued donors, volunteers, staff members and the people we serve. Our Privacy Policy (available at https://www.pvhabitat.org/privacy-policy/) details how we collect and use your data, which is in full compliance with all applicable laws and best practices in the nonprofit sector.

If you have any additional concerns or questions about this incident, or about how Habitat for Humanity International manages data related to you, please contact Megan McDonough by e-mail at megan@pvhabitat.org, by phone at 413-586-5430 or by mail to PO Box 60642 Florence, MA 01062.

Thank you for your past and continued support of Pioneer Valley Habitat for Humanity’s work in Hampshire and Franklin Counties of western Massachusetts, as we work toward a world where everyone has a safe, decent and affordable place to live.

In partnership,

Megan McDonough, Executive Director
Pioneer Valley Habitat for Humanity

More Information