Donor Data Is at Risk in the Nonprofit Sector: What Can Be Done?
A colleague of mine, who happens to be a former fundraiser, has said to me that if she were a thief, one of the places she would hack first is a nonprofit organization. She’s probably right. Let’s think about it for a moment.
Some nonprofit organizations, because of volunteer work with minors, for instance, hold even more sensitive data because they conduct criminal background checks on volunteers. All of this gives people with bad intentions a mine of information they can plunder.
What’s more, if you’ve been in the sector, then you probably know that if an adverse event occurred at a nonprofit, say a hack, some nonprofit leaders would try to remain quiet for fear that the news would hurt their fundraising revenue.
In the case of a hack, they probably would be right in the sense that donors would choose not to give and would be, rightly, outraged. However, that approach wouldn’t be a good idea because many states have laws about notifications regarding data breaches. So, it’s better to be smart from the beginning and get the work done. Unfortunately, criminals realize that there is a wealth of information to be stolen, particularly from small nonprofits, and there has been an uptick in hacks.
Venable, LLP held a conference in 2017, and here are some of the insights they provided that you should know about cybersecurity for nonprofits.
• Approximately 30 states have regulations that obligate nonprofits to dispose of personal information.
• Credit cards require merchant banks to enforce compliance by their clients on security, and if merchant banks are fined for improper compliance, those fines can be passed along to their clients, including nonprofit clients.
• There is a financial cost to data breaches. According to information from an earlier Verizon report, which was updated in 2018, the financial loss from 1,000 records is $52,000 to $87,000. The loss from 100,000 records is $366,500 to $614,600.
• There are at least 1 million victims of cybercrime every day.
• Most states have implemented a data breach notification statute, and federal legislators are considering this type of law at the national level.
• Cybersecurity means risk management, which is the following:
- Know the threats
- Understand the impact
- Manage the vulnerabilities
Nonprofits don’t have to sit and wait for criminals to break down their technological doors. There are steps leaders can take today to protect the integrity of all of their technological information, such as their websites, and most importantly, sensitive donor and volunteer information. What follows are only three activities you can do; none of them will cost your organization fees, and each will provide you with resources and expertise.
• State Assistance. States can be a good place for nonprofits to seek information and even get financial assistance to help them protect information. As an example, New York State completed a study and then published resources organizations located in that state can use to ensure security. States, such as Massachusetts, are providing grants for nonprofits to use to help them shore up their security and data protection.
• Get the Basics Done. Venable’s presentation on cybersecurity for nonprofits, which I mentioned above, made the point that people and organizations are hacked because they didn’t get the basics done. Ninety-nine percent of successful crimes happen because nonprofits didn’t update their anti-virus software, change passwords regularly, update their software platforms or train staff on cybersecurity with a company such as KnowBe4.
• Digital Impact Toolkit. The Digital Impact Toolkit is available for free from DigitalImpact.io, which is an organization that was created to help nonprofits remain safe in the digital era. The toolkit provides easy-to-use forms that will help you assess your digital security. If you complete the kit, you will know your data inventory sources, and you’ll have a clear, easy-to-follow understanding of who is responsible for your data policy. The kit can even help you with developing (or assessing) a grant for data security.
As an attorney and consultant who has worked in the nonprofit sector for decades, I understand the legal implications of nonprofits not taking the time to secure digital information because they think they do not have the financial or technical ability to do it. However, this is a grave mistake. Ignorance of the law has never been a defense if something happens. And, as a matter of integrity, all nonprofits have to step up to secure sensitive information about people.
As I’ve outlined, there are government and also private sector resources that can be used to help you with your digital security. I’ve named only three, but there are many tools, and even institutional funders, who are looking to help nonprofits to ensure data integrity and security.
Paul D'Alessandro, JD, CFRE, is founder and chairman of D'Alessandro, Inc., a fundraising and strategic management consulting company. He is also a lawyer and a tax law specialist for nonprofits.