As Washington, DC nonprofit advisers, we are concerned by the growing threat of cyber-attacks and data breaches to our nonprofit clients.
Since 2005, 110 nonprofit organizations in the United States have reported data breaches. At first glance that may not seem like many; it works out to a little less than 10 per year. Keep in mind, though, that this figure counts only the breaches that were detected and publicly reported.
However, you certainly don't want your organization to be the unlucky one that discovers hackers have accessed its donor files, credit card information, and other confidential notes. Much of the information held in nonprofit databases is exactly what an attacker is looking for.
Not every breach involves a sophisticated attacker. In one well-known case in the United Kingdom, an unencrypted memory stick containing confidential patient data was simply lost. Whatever its cause, any data breach can have serious consequences: organizations can be fined, face lawsuits, and lose the trust of donors and members.
There are many steps your nonprofit organization can take to safeguard donor data. Not all of them are time-consuming or costly; many are simple, common-sense approaches to data management that are within the reach of a nonprofit of any size.
Six Steps to Keep Data Safe
- Know what data you collect: Start by understanding the data your nonprofit organization collects. Do you collect donor data, membership data, or data on the people receiving your nonprofit's services? Each of these is a potential source of a data breach. Take an inventory of all your data sources now. Don't forget volunteer and employee data, including Social Security numbers, names, addresses, and email addresses.
- Find out where all the data is stored: That sounds easier than it is. Data may be stored on multiple servers, in cloud services, or in a combination of on-premises servers and off-premises cloud services. Look for copies and backups kept on memory sticks (see the U.K. breach, above) and external hard drives, and for the spreadsheets and email attachments that tend to accumulate on staff computers.
- Classify the data: Develop a data classification scheme based on the sensitivity of the data. Some data is highly sensitive, such as credit card information, health records, or Social Security numbers. Other data is less sensitive because it is readily available in the public domain, such as mailing addresses. Bear in mind that several low-sensitivity items combined (a name, an address, and a donation history, for example) can form a record that is sensitive as a whole.
- Create data policies: A data policy sets out who may view, access, store, and use each class of data, and under what conditions. It should also cover how data is backed up and updated, and when data that is no longer needed is deleted; data you no longer hold cannot be stolen.
- Build an emergency plan: In the event of a data breach, what steps will you follow to contain the incident and lock down the remaining data, notify those affected (and any regulators or card processors who require notice), and safeguard against future breaches? Decide now who makes those decisions, and keep their contact details somewhere that does not depend on the systems that may have been compromised.
- Train staff: Update your written policies on data use now, and train your teams on how to safeguard and protect data. Also cover basic internet security practices, such as recognizing phishing messages and avoiding malware.
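The inventory and classification steps above can be partly automated. The following Python script is an added example, not part of the original post or of any product we use: it walks a directory tree, flags files that contain payment card numbers (validated with the Luhn checksum, which weeds out phone numbers and other digit strings that merely look like cards), U.S. Social Security numbers, or email addresses, and labels each file with the highest sensitivity class found. The sample directory and its records are constructed for illustration, the class names (public, internal, restricted) are an assumed scheme, and the detection patterns are deliberately simple and should be tuned to your own data.

```python
"""Added example: automated data discovery for the inventory and classification
steps. It walks a directory tree, flags files containing payment card numbers
(validated with the Luhn checksum), U.S. Social Security numbers or e-mail
addresses, and labels each file with the highest sensitivity class found.
The sample files and the class names (public/internal/restricted) are
constructed for illustration, not taken from any real organization."""
import re
import tempfile
from pathlib import Path

# Deliberately simple detection patterns; tune them to your own data.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# Which class each kind of finding implies, and how the classes rank (assumed scheme).
SENSITIVITY = {"card": "restricted", "ssn": "restricted", "email": "internal"}
RANK = {"public": 0, "internal": 1, "restricted": 2}


def luhn_valid(number: str) -> bool:
    """Luhn checksum: rejects phone numbers and IDs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> dict:
    """Count each kind of sensitive item in text and derive the file's class."""
    found = {}
    cards = [m.group() for m in CARD_RE.finditer(text) if luhn_valid(m.group())]
    if cards:
        found["card"] = len(cards)
    ssns = SSN_RE.findall(text)
    if ssns:
        found["ssn"] = len(ssns)
    emails = EMAIL_RE.findall(text)
    if emails:
        found["email"] = len(emails)
    level = "public"
    for kind in found:
        if RANK[SENSITIVITY[kind]] > RANK[level]:
            level = SENSITIVITY[kind]
    return {"found": found, "classification": level}


def scan_directory(root: str) -> dict:
    """Inventory every readable file under root: relative path -> result."""
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")  # binary files just become noise
        except OSError:
            continue
        results[path.relative_to(root).as_posix()] = classify_text(text)
    return results


def summarize(results: dict) -> dict:
    """Count files per classification: the headline numbers for a data inventory."""
    counts = {level: 0 for level in RANK}
    for item in results.values():
        counts[item["classification"]] += 1
    return counts


def build_sample_tree() -> str:
    """Create a constructed sample directory; every record here is invented."""
    root = tempfile.mkdtemp(prefix="inventory-")
    samples = {
        "donors/pledges.csv": "name,email,card\nA. Donor,a.donor@example.org,4111 1111 1111 1111\n",
        "hr/volunteers.txt": "Volunteer: B. Helper, SSN 123-45-6789, phone 202-555-0100\n",
        "web/newsletter.html": "<p>Thanks for visiting! Write to info@example.org</p>\n",
        "web/about.txt": "Our office is at 100 Main Street, Washington, DC.\n",
    }
    for rel, content in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    inventory = scan_directory(build_sample_tree())
    for rel_path, item in sorted(inventory.items()):
        print(f"{item['classification']:<10} {rel_path}  {item['found']}")
    print(summarize(inventory))
```

Run as-is, the script classifies the donor pledge file and the volunteer file as restricted, the newsletter as internal (it holds only an email address), and the office-address page as public; the volunteer's phone number is correctly ignored because it is neither a valid card number nor shaped like an SSN. Point `scan_directory` at a real file share or backup folder to get a first-pass inventory, and treat the output as a starting point for human review rather than a final classification.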
Consider Data Protection Insurance
If your nonprofit organization handles extensive personal data or highly sensitive data, consider specific insurance to cover data theft, losses, and cyber-attacks. Such insurance can provide peace of mind so that, in the event of a data breach, you have coverage to help your organization recover and repair the damage. Remember that insurance funds the recovery; it does not prevent the breach or restore donor trust, so it complements the six steps above rather than replacing them.
No one likes to think about cyber threats, data breaches, and the ramifications of lost or stolen data. However, given that most experts believe the incidence of cyber-attacks against nonprofits will rise, it's a smart move to take steps now to protect yourself. An ounce of prevention is worth a pound of cure.
Beck & Company
We are Washington D.C. nonprofit advisers, consultants, accounting professionals and CPAs with a passion for helping nonprofits thrive. We can assist you with accounting, audits, and nonprofit technology questions. Contact us today for assistance.