As a not-for-profit organization, your most valuable assets are often not on a statement of financial position, but in your donor records. The IRS withholds certain donor information on some Form 990 Schedule B (“Schedule of Contributors”) filings from public inspection, but are you exercising due diligence to protect the confidentiality of your donors? A great deal of time and resources is spent safeguarding cash, investments, property and equipment, yet donor lists are often saved in easily accessible places with limited protection.
Your obligation to protect donor information
Cybersecurity is no longer just a concern of the IT department. Your board of directors carries some responsibility too. As some not-for-profits look into cybersecurity insurance contracts, they realize that they are obligated to make a reasonable effort to protect their digital resources. If the organization experiences a data theft due to negligence, the insurance company may not cover the loss.
The Independent Sector’s “Principles for Good Governance and Ethical Practice: A Guide for Charities and Foundations” document outlines the basic steps that a charitable organization should take to guard its information, instructing that it “should establish and implement policies and procedures to protect and preserve the organization’s important data, documents, and business records,” and “except where disclosure is required by law, should not sell or otherwise make available the names and contact information of its donors… .”
Stay up to date on security changes
A not-for-profit’s board is responsible for conducting periodic internal reviews of the organization’s compliance with existing statutory, regulatory, and financial reporting requirements. But because the cyber environment changes daily, risk assessment and system evaluation need to happen more than once every five years.
In the past, hackers primarily targeted large companies that stored great amounts of personal data. Now they are quickly moving toward smaller organizations that have more security weaknesses. Donors expect that organizations will keep their information secure, and not-for-profits risk losing trust – and future contributions – if there is a data breach. In the long run, installing a few simple safeguards and implementing security measures will cost less than repairing the financial, administrative and reputational damage that a hacker can cause.
Follow these simple steps to safeguard your – and your donors’ – information:
1. Make it a priority
Data security must become a priority for all the members of the organization. If your database is attacked, not only are sensitive records compromised, but also the reputation of the agency. This damage is difficult to undo, and could even result in the eventual closure of the organization.
2. Come up with a plan
It’s imperative to outline what organizational information needs to be protected, and what level of security is necessary. The board should then develop – with input from financial and IT advisors – a cybersecurity plan. The plan should cover what information needs to be secured, how it will be secured, who is responsible for maintaining data security, how often the data and security measures will be reviewed and tested, and what the protocol is in the event of a security breach.
3. Review high-risk data
Regular reviews of what sensitive data your organization has, and how the data is stored, may eliminate some risks. Personal data like addresses, birth dates, email addresses, and phone numbers are often targets for identity thieves and others who profit from selling this kind of information.
4. Train often
Many cybersecurity breaches have succeeded because employees failed to effectively protect their digital workspace and information. Personnel who work with sensitive data should be aware of how important it is to guard it, and should be regularly trained on security protocols.
5. Invest in an expert
As a not-for-profit organization, you may not have the budget to hire a full-time IT expert. But a third-party technology consultant may be able to get your security set up and provide periodic testing and updating. You’ll also want to work with your organization’s accountants and attorneys to ensure that your fiduciary and legal responsibilities are covered.
CSH’s Not-for-Profit Group professionals can offer advice on what financial data needs to be protected, and how to manage cybersecurity challenges. We know how to keep your organization’s and donors’ information safe. Contact us today for a consultation.