Published by National Council of Nonprofits, 2017:
If your nonprofit engages in any of these activities, it’s time to get serious about taking steps to address cybersecurity risks. Does your nonprofit:
- Conduct e-commerce on its website, such as processing donations or event registrations?
- Store and transfer (such as by sending to the cloud) “personally identifiable information” about anyone, including donors? (Common examples of personally identifiable information include clients’ medical information and employee records, including drivers’ licenses, addresses, and social security numbers.)
- Collect information on preferences and habits of donors, patrons, newsletter subscribers, etc.?
What are the risks? What should we do? During my tenure at the Nonprofit Risk Management Center, I learned to break risks down and prioritize them so they can be managed. Data breaches that are both likely to happen and can result in serious harm fall in the “high priority” category, so it’s prudent for every nonprofit to take steps to assess the risks and protect its data from unauthorized disclosure.
The Nonprofit Technology Network (NTEN) suggests that the first step in assessing your nonprofit’s data risks is to take inventory of all the data your nonprofit collects and identify where it is stored. NTEN offers a template assessment tool, and Digital Impact.IO offers a simple one-page inventory tool for the same task. These inventory tools ask: What data do we collect about people? What do we do with it? Where do we store it? Who is responsible for it? Think about the cost/benefit of maintaining all that data. You may find that there is data your nonprofit is currently asking for and keeping that it doesn’t really need. If so, reducing or limiting the data that your nonprofit collects, and streamlining the storage process (as well as diligently destroying data in accordance with the nonprofit’s document retention policy), could be easy first steps towards mitigating risk.