Individuals in today’s workplace, whether nonprofit or for-profit, often make two common errors when thinking about privacy and information security. First, people tend to think of information security as a technology problem — making it all about firewalls and encryption. Designing a truly secure information-handling system instead requires a holistic approach that uses technology components but that first must address business processes, policies and, most importantly, people. Many serious and successful hacking attempts begin with what hackers refer to as “social engineering” — they compromise the human components of the information system rather than the electronic ones. Second, people often think of information