If you were a long-time donor to a nonprofit, and just learned that your credit card details provided to the nonprofit to make a donation are now in the hands of a hacker, would you ever trust that organization again? In an article about nonprofits and sensitive data published by the Nonprofit Technology Network (NTEN), the author points out that while data breaches occur at for-profits, government entities and nonprofits alike, consumers may be less willing to trust nonprofits after a data breach. This is because a consumer’s relationship with a company or a government entity is largely based on the consumer’s need, whereas his or her relationship with a nonprofit is not necessarily need-based. This suggests that nonprofits may be at greater risk for reputational and financial damage in the wake of data breaches.
Although data breaches seem to be increasingly common, most nonprofit leaders still know very little about the risks that arise from collecting and storing personal information about employees, volunteers, clients and donors. Considering this dark and somewhat frightening landscape, what must you know to understand the exposure and fortify your nonprofit against the associated risks? This article explores:
- Data privacy risks and responsibilities
- What is personally identifiable information?
- Privacy and data breach laws
- The importance of reaching out for help complying with legal requirements in the wake of a data breach
- Cyber liability insurance basics
- Data security strategies
- Tips for working with tech vendors
DATA PRIVACY RISKS AND RESPONSIBILITIES
Many leaders believe that foreign hackers represent the greatest threat to the confidential information their organizations collect. Yet the truth is that many threats to data privacy live much closer to home. The following common business activities can lead to a data breach and potential liability for a nonprofit:
- Conducting e-commerce on your website, especially collecting credit card data and processing payments online
- Storing and transferring personal employee, client or donor data—for both electronic data and paper records (e.g., sending sensitive data via email or storing sensitive data in the cloud; storing paper records in unprotected filing cabinets that anyone could access)
- Storing personal information on laptops or smartphones
- Allowing partners and/or vendors to access personal information without proper safeguards
- Storing personal information on cloud servers or systems
While it’s true that cybercrimes such as hacking, insertion of malicious code into a data system, or the purposeful loss and destruction of data are a valid concern for nonprofit leaders, it’s important to recognize that unintentional privacy breaches can be just as costly. A simple example is permitting personal information to be stored on a laptop or smartphone. The device—and all the vital data on it—could be damaged, lost forever, or it could even fall into the wrong hands. In some states, the mere loss of the device with personally identifiable information is a breach under the law and triggers reporting responsibility, such as the duty to notify the people whose data was lost.