Is Your Nonprofit Prepared for a Data Breach?
Do you want to be in the unenviable position of notifying your donors, volunteers and staff of a data breach? It's a call that no nonprofit director wants to make. Whether it’s a lost laptop containing a donor database or hard-copy volunteer records that weren’t properly shredded, a nonprofit can quickly find its reputation and mission at risk.
The financial costs of managing a data breach are well documented and growing, with a recent study estimating an average of $221 per lost record and a $7 million average total cost.¹ These costs may include legal guidance, breach notification, forensics, credit monitoring and other crisis services.
While less tangible, the lost trust that nonprofits can experience from donors, volunteers and the community also can be significant and harder to restore, and can affect fundraising activities, volunteer engagement and partnerships with other organizations.
“Nonprofit organizations often work so closely with a dedicated group of volunteers and a loyal donor base who entrust the nonprofit with their personal data,” says Tim Francis, Enterprise Cyber Lead at Travelers. “Nonprofits should take steps to protect that data and to prepare themselves for a potential data breach.”
Understand Your Data, Systems and Network
Knowing the basics about what systems you are running, what data you are storing and how your network is structured can help a nonprofit allocate limited data security resources more effectively. Key steps include:
- Knowing what and where data are being created, collected and stored.
- Maintaining an accurate inventory of computer systems and software.
- Understanding your network infrastructure.
Focus Your Cybersecurity Efforts
After you understand the data, systems and network that you are trying to protect, focus on security controls that would be the most effective based on your specific needs and resources. Consider implementing stronger controls for storing and transmitting your most sensitive data, such as the Personally Identifiable Information (PII) of donors and volunteers, or the Protected Health Information (PHI) of current and past employees.
Prepare for the Unexpected
Every organization needs a plan for what to do in case of a data breach. An incident response plan can help an organization comply with applicable laws and regulations and launch a rapid, coordinated response. Such a response can help reassure donors, volunteers, staff and the general public that your organization takes the breach seriously and has the incident under control. That helps maintain the organization’s strong reputation, which can be one of its strongest allies and is worth protecting by guarding against data breaches.
Consider Cyber Insurance
Any organization that uses technology or collects data is at risk of a data breach or cyber attack, including nonprofits. Cyber insurance can be essential in helping your organization recover after a data breach. It also can assist before a breach by connecting you to cyber resources that can help you prepare to better respond to and recover from a data breach. Your nonprofit’s mission is precious. Guard against cyber attacks by equipping your organization with the protection that keeps your focus on preserving the mission.
¹ Ponemon Institute 2016 Cost of Data Breach Study, for surveyed companies that experienced a breach which required the company to notify victims under state law.