Nonprofits and Cybersecurity: The Duty to Protect Organizational Data


Nonprofits have become the second highest target of cybersecurity attacks with hackers attempting to gain access to nonprofit databases every 39 seconds, according to the 2021 Cybersecurity Guide for Nonprofit Organizations. Attackers have recognized that many organizations lack secure networks and organizational protocols, which makes nonprofits a significant target for gaining access to donor and client data.

A data breach is a significant liability for nonprofit organizations: it typically requires the organization to notify donors and clients and may also mean paying for identity theft protection. Beyond the time and expense associated with a breach, there is also the loss of donor confidence, and the subsequent loss of donor support, to consider.

Many organizations bypass proper security measures because they are not aware of the need or because they feel the cost is too high within the overall budget. However, the cost of proper technology security and the time investment in proper protocols is small compared with the financial and reputational risk of a data breach.

Steps to improve cybersecurity

A recent announcement by Microsoft can help many nonprofits better protect against hacking attempts. The new Microsoft Security Program for Nonprofits will offer free access to AccountGuard, security assessments, and training of IT administrators. The program will assist in alerting organizations to cyberattacks and attempted attacks of organizational email or Microsoft 365 accounts.

Organizations should begin with a vulnerability assessment to identify the most critical areas at risk of attack. This assessment can identify policies and training needed for all staff, board, and volunteers to further enhance the organization’s information technology protocols. Just as organizations already offer ongoing employee training on a wide range of topics, cybersecurity and information technology practices need to be at least an annual requirement within the organization’s approach to employee and board training.

Understanding the legal requirements of cybersecurity

The Federal Trade Commission is the primary federal agency that oversees data protection and enforcement; however, no single federal statute oversees data privacy protection, consumer protection, or data breach enforcement. The Federal Trade Commission uses its powers through 15 U.S.C. § 57b-3 to enact rules and enforce violations of specific data protection acts.

Thus, in the absence of a congressional statute, states have become the primary vehicle for consumer protection and data privacy legislation. Each state has its own legislation that applies to consumers and companies operating within that state's jurisdiction. That means nonprofits must be aware of the state statutes related to data privacy and protection, and whether or not nonprofits are exempt from them. For example, Colorado recently enacted the Colorado Consumer Protection Act, which requires companies to take responsibility for the protection of consumer data and outlines the steps required if a breach occurs. Unlike many other corporate-focused statutes, this statute does not exempt nonprofits from these requirements as a covered business.

While Oklahoma currently lacks a state data privacy law, House Bill 2968, filed in September 2021, could lead to the Oklahoma Data Privacy Act. If passed, this bill would mandate significant data privacy and security requirements for businesses, including a consumer right to opt-in prior to the collection and use of their data.

Cybersecurity and data protection must be a current focus of organizational risk for all nonprofits. Nonprofit boards and staff must inform themselves of the organization’s cybersecurity risks and thoughtfully evaluate the tools required to mitigate those risks, including insurance for possible cybersecurity attacks. The organizational duty of care demands cybersecurity awareness.
