April 6, 2022

Nonprofit Organizations and Data Security Incidents — How to Manage and Respond

As the number of data breaches, security incidents, and ransomware attacks continue to rise, preparation has become even more important — and make no mistake, these attacks are happening to all types of organizations. 

These threats are increased when organizations lack a strong cybersecurity plan, as a lack of proper preparation and appropriate plans will lead to higher costs. For years, data security was sidelined in order to focus on more profit-generating and cost-saving efforts, but organizations are increasingly realizing the impact security incidents can have — directly and indirectly — on their assets, including their data, as well as their reputation and the increased costs associated with responding to these incidents. 

This problem is particularly relevant for nonprofit organizations. With a business model that generally relies on donors, the need to protect the financial and personal information of those who contribute is critical to the nonprofit organization’s ability to earn and maintain trust, good will, and funding. If a nonprofit organization engages in transactions on its website, such as processing donations or event registrations, and/or transfers (including sending to a cloud) “personally identifiable information” (e.g., names; physical and electronic addresses; social security numbers; financial information; clients’ medical information; and employee records, including W-9 information) about anyone, and/or collects information on preferences and habits of donors, patrons, newsletter subscribers, etc., then the organization is at risk for security incidents and could be exposed to the resulting harm. 

Many data security and privacy laws, including provisions of federal laws and state-specific laws, such as the California Consumer Privacy Act (CCPA), create a carve-out for nonprofit organizations so that only for-profit organizations are subject to the rules and regulations of such laws. As a result, many nonprofit organizations choose to forego the costly obligations of data security/privacy laws as they are not bound by them. Unfortunately, forgoing the cybersecurity steps detailed in such laws and regulations may leave these entities vulnerable to attacks.

This article’s goal is to provide an overview of the types of breaches or incidents that may occur and provide a high-level roadmap on how to respond if an organization finds itself at the center of a threatened or actual attack. We also recommend proactive steps to take to prevent, prepare, and/or protect against such attacks. We note that each organization and attack is different; organizations should seek legal advice when responding to security attacks.

Type of security incidents and how they occur

There are a variety of the types of data security incidents that could affect an organization. For instance, there may be a breach of an organization’s IT systems, potentially exposing information on its servers. Another type of incident is a ransomware attack, wherein attackers gain access to an organization’s system, encrypting the data and demanding a ransom in exchange for the key to access its data. In general, a data security incident is an incident during which any unauthorized actor penetrates the organization’s systems or network, whether internally or via any systems or networks operating on the organization’s behalf on vendors’ systems. 

In the nonprofit organization setting an example is the leak of donor information — whether that be personal information related to demographics, or more sensitive information including financials, such as bank account numbers, routing numbers, other wire information, or any similarly used financial information. This potential exposure is likely the most concerning for nonprofit organizations and likely the largest target by attackers. 

For some recent examples of such attacks, reference the Utah Food Bank incident (wherein more than 10,000 individuals’ personal information submitted via the donation website was exposed by a hacker), the attack affecting the International Committee of the Red Cross (a targeted attack on the ICRC servers that compromised more than 500,000 highly vulnerable individuals’ personal data and confidential information), the YMCA of Greater Charlotte incident (a ransomware attack on their servers that affected an unknown number of users), the ShopGoodwill platform incident (a website vulnerability that led to a data breach that affected the accounts of customers using its e-commerce auction platform), or the breach that affected the Partnership HealthPlan of California, a nonprofit organization that manages health care for counties in California (a ransomware attack that led to the ransomware group stealing private data for roughly 850,000 members, including social security numbers). 

Additional examples of risks of security incidents include (i) a breach of employment information (e.g. security weaknesses of HR systems); (ii) e-commerce hacks (e.g. if an online source is utilizing a fundraising tool, the payment information provided therein may be vulnerable); (iii) human error; and (iv) hardware failure. 

The latter two examples may compound each other as one combined risk. Human error often is the result of a lack of training with respect to cyber security and privacy matters and the cause of accidentally exposing customer (or donor) personal data through negligence. Common examples of low cyber-IQ include weak password management (e.g. passwords that are too short or simple; too long of term before requiring resetting of passwords), the use of old and non-updated software, as well as a general carelessness with handling of data (e.g. sharing personal information with unauthorized individuals; failing to protect computer when the computer is left unsupervised). Hardware failure can also be understood as a risk of physical hardware being stolen and/or outdated pieces of software not being strong enough to protect against more sophisticated hackers. 

Vendor breaches and nonprofit organizations’ responses and responsibilities

Nonprofit organizations often engage with third-party service providers for a variety of services, including where the nonprofit organization is accepting donations, and may choose to outsource IT. Other sources of third party vendors typically include an outsourced bookkeeper, payroll service and other HR management tools, a cloud storage service, or any outside professionals with authority to access the administrative side of a nonprofit organization’s website or shared electronic files.

It is critically important for nonprofit organizations to ensure the third-party vendors employ adequate data security protection practices; there is always the risk that the data processed by the vendor on behalf on the nonprofit organization may be subject to a security attack. As the nonprofit organization is often the collector of the data, the nonprofit organization maintains responsibility for the protection of that information. Digital Impact.IO, a Digital Civil Society Lab initiative supported by the Bill and Melinda Gates Foundation and created to help social sector practitioners use digital resources safely, ethically, and effectively, has developed a set of standard questions to ask vendors about their approach to data security here that may be helpful.

When working with vendors, you, as a nonprofit organization, want to (i) establish clear rules of engagement with vendors with respect to data security measures and stick to them, (ii) set up a questionnaire for each of the third-party vendors to establish areas of particular data vulnerability, and (iii) audit and monitor your vendors for compliance with the data security practices. Although the specific questions may vary depending on the vendor’s role and the data they may have access to, some good questions to ask vendors may include, among others:
  1. How much do they know about federal privacy notice, security, and other similar requirements related to data protection?
  2. What kind of cybersecurity protocols are in place on their equipment and their network?
  3. What policies and procedures are in place? Does your vendor maintain an incident response policy and a backup/disaster recovery plan?
  4. Do they carry their own cyber insurance and if so, how much?
  5. If they’ll have access to printed donor data, what physical precautions are they taking to secure the storage and transfer locations of that printed data?

In addition to performing the due diligence on potential vendors, consider including security provisions to protect yourself by contract, such as a confidentiality provision, a requirement to promptly and in detail notify and disclose any data breach or security incident, and/or a requirement to maintain specific security controls, including encryption, network security, audit rights, etc. A privacy and data security attorney can also assist with this task. 

Practical steps to mitigate cyber risk

In terms of monitoring the quality of data security systems, nonprofit organizations can take steps to understand their systems and what the signs of weaknesses may be. An initial step in this process is identifying the sensitive information held by the company, as you cannot protect what you do not know you have. Organizations should have written policies and procedures, such as a written information security policy (WISP) or a similar alternative that outlines policies, procedures, and security controls for the protection of personal information (currently required by many states, including Massachusetts, California, and Texas), as well as an incident response plan to guide actions in the event of an incident. 

There are also widely recommended technical steps to take that reduce cyber risk in a meaningful way, including:

  1. Devote appropriate resources for oversight and supervision (e.g. work with outside IT consultant or hire in-house IT team). This staff may assume responsibility for the following tasks, as well as for complying overall with security laws. 
  2. Ensure vendor compliance with requirements necessary for protecting access to personally identifiable information of customers/donors.
  3. Perform regular stress tests of networks and systems.
  4. Regularly backup and encrypt sensitive and important data to guard against ransomware attacks.
  5. Audit systems regularly to identify potential risks.
  6. Educate and train all staff on security awareness, incident response and handling, and general data security risks. There are a number of vendors that provide relevant training programs.
  7. Develop and maintain a comprehensive cyber security program. 
  8. Obtain a cyber liability insurance policy.
  9. Reference the FTC’s Guide for Businesses for responding to breaches or incidents.

In addition to tools from the FTC, another reference point may be found via the US National Institute of Standards and Technology (NIST) Cybersecurity Framework, which can help nonprofit organizations identify risks and make management decisions to mitigate those risks.

You may not be able to completely prevent attacks, but you can be prepared

No matter what, no business or organization is able to fully prevent any form of security incident, attack or data breach, but you can manage your systems to watch for and prepare for how to respond to any such incidents or threats. Working with your IT team to identify the sensitive and/or confidential data your nonprofit organization collects and retains, as well as monitoring your security policies, procedures, and systems is a strong start. Knowing what to expect when you engage with a third-party service provider is another critical component of a strong cyber protection program. Demonstrating your knowledge of cyber security to your clients, donors, vendors, and employees will allow your organization to not only protect your data, but also to build rapport and foster good will.

Disclaimer: This is a general article about changing issues. It should not be construed as legal advice because we are not considering the facts of your specific situation. The opinions provided are those of the individual authors and not the views of Goodwin.