By Erin Gloeckner and Melanie Lockwood Herman
If you were a long-time donor to a nonprofit, and just learned that your credit card details provided to the nonprofit to make a donation are now in the hands of a hacker, would you ever trust that organization again? In an article about nonprofits and sensitive data published by the Nonprofit Technology Network (NTEN), the author points out that while data breaches occur at for-profits, government entities and nonprofits alike, consumers may be less willing to trust nonprofits after a data breach. This is because a consumer’s relationship with a company or a government entity is largely based on the consumer’s need, whereas his or her relationship with a nonprofit is not necessarily need-based. This suggests that nonprofits may be at greater risk for reputational and financial damage in the wake of data breaches.
Although data breaches seem to be increasingly common, most organizational leaders still know very little about the risks that arise from the collection and storage of personal information collected from employees, volunteers, clients and donors. Considering this dark and somewhat frightening landscape, what must you know to understand the exposure and fortify your organization against the associated risks? This article explores:
Many leaders believe that the work of foreign hackers represents the greatest threat to the confidential information their organizations collect. Yet the truth is that many threats to data privacy live much closer to home. The following common business activities can lead to a data breach and potential liability for an organization:
While it’s true that cybercrimes such as hacking, insertion of malicious code into a data system, or the purposeful loss and destruction of data are a valid concern for nonprofit leaders, it’s important to recognize that unintentional privacy breaches can be just as costly. A simple example is permitting personal information to be stored on a laptop or smartphone. The device—and all the vital data on it—could be damaged, lost forever, or it could even fall into the wrong hands. In some states, the mere loss of the device with personally identifiable information is a breach under the law and triggers reporting responsibility, such as the duty to notify the people whose data was lost.
The starting point for understanding a nonprofit’s duty to guard personal information is understanding what constitutes personally identifiable information under the law. Information found in a telephone book is not protected under the law. This means that the loss of a paper or electronic file containing only donor names and addresses probably doesn’t constitute a breach or trigger state law notification requirements. In Illinois the definition of “personal information” contained in the Personal Information Protection Act (815 ILCS 530) is “Personal information means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
Data management and security standards are becoming increasingly complex as data constantly moves between multiple devices and storage sites. So what should nonprofit leaders know about this changing regulatory landscape? Various federal and state privacy regulations require that entities protect personally identifiable information (PII) no matter where it resides: on a network; on stand-alone systems such as billing, medical, and marketing databases; on remote devices such as laptops or employee-owned cell phones; and of course on paper. Additionally, there are data protection standards for specific industries or specific business practices, such as the PCI Security Standards Council’s Payment Card Industry Data Security Standard (PCI DSS). This standard requires organizations that handle major credit cards such as Visa and MasterCard to enact information security best practices. Failure to comply with these standards can result in enormous fines. Similarly, you might be familiar with federal data security regulations such as HIPAA if your nonprofit handles protected health information (PHI).
According to the National Conference of State Legislatures, 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted laws that require organizations to notify individuals of security breaches of information involving personally identifiable information. Each of these laws generally has four key components:
It is arguably unrealistic to expect that nonprofit leaders have the time needed to master the various laws pertaining to data privacy and data breaches. Something every leader must know, however, is whom to call if they believe a breach may have occurred. While the state laws are accessible through resources such as NCSL, there are experts in this field who can help you sort through the regulatory language and also walk you through the steps involved to comply in a timely fashion. If your nonprofit purchases cyber liability coverage, you may have access to these experts at no additional cost, as part of the policyholder services provided by your insurer. As with any insurance available to your organization, it’s important that you understand what it covers, when coverage is triggered, and what proactive or responsive risk management support is available.
Your insurance agent or broker is the go-to resource for information about what’s covered under the cyber liability policy you already purchase, or one you’re considering. Each insurer offers different forms of coverage, but many policies address a few familiar coverage areas. Work with your agent or broker to purchase a policy that adequately protects your nonprofit. Cyber liability policies may include third party coverages (items 1-5 below) and also first party coverages (items 6-7). Third party coverage protects the insured organization against claims that arise from losses suffered by third parties, such as donors or clients. First party coverage protects the insured for its own losses. The following is a list of some of the coverages that may be available through a cyber liability policy:
To reduce the likelihood and severity of a data breach, consider the following practical strategies.
To prepare your organization for the breach you hope will never happen, consider the following important questions.
Aside from using the strategies above to mitigate potential data privacy exposures, remember to establish a process for vetting tech vendors if you outsource any IT processes or rely on a vendor for third-party “cloud” storage. Outsourcing IT support and/or data storage may be wise if your organization lacks the personnel expertise or resources to manage data internally, but beware of placing too much trust in a tech vendor. Resolve to become a discerning consumer so you can distinguish dependable tech vendors from those unworthy of your trust. Take the time required to negotiate a contract with your tech vendor that ensures the support or services you need while adequately protecting your organization against harm or loss caused by the vendor’s negligence. For starters, consider asking these questions before you engage with a prospective tech vendor:
Melanie Lockwood Herman is Executive Director at the Nonprofit Risk Management Center. Erin Gloeckner is NRMC’s former Director of Consulting Services.
2014 Security Breach Legislation. National Conference of State Legislatures. www.ncsl.org/research/telecommunications-and-information-technology/2014-security-breach-legislation.aspx
http://netdiligence.com/files/WP_Cyber_EXEC_SUMM.pdf
http://searchsecurity.techtarget.com/feature/Is-cyberinsurance-worth-the-risk
www.phly.com/files/cyber%20npss31-1830.pdf
http://jpins.com/2014/07/02/are-nonprofits-at-risk-for-cyber-liability-claims/
www.charityfirst.com/cyber_liability_insurance_non_profits/
www.nonprofitinsuranceblog.com/dononprofits-need-to-worry-about-databreach-lawsuits/
Risk in the Cloud. https://nonprofitrisk.org//library/articles/Risk_in_the_Cloud.shtml
Tech Risk Q&A. https://nonprofitrisk.org//library/articles/Tech_Risk_Q_and_A.shtml
Insurance for Cyber Risks. https://nonprofitrisk.org//library/articles/Insurance_for_Cyber_Risks.shtml