In a world where not even the government is safe from a data breach, securing your organization’s most private information, such as clients’ or donors’ personal and financial information, should be a top concern. But what can you do? Eugene Fram of the Rochester Institute of Technology has some insightful suggestions for nonprofits when it comes to cyber security:
Carefully “wall off” all confidential information— Have management be certain that private information, such as health records, is encrypted and separated from operating data that may be considered public in a nonprofit environment.
Review Directors and Officers (D&O) and other liability policies— Determine whether or not the D&O policy protects directors and managers from cyber security (CS) intrusions. (It likely does not, but I understand that some carriers may offer some protection along with smaller policies.) It is clear that most general liability policies do not protect the organization against CS.
Board Encouragement— Devote some meeting time, perhaps 10 minutes, to a discussion of CS topics so that management and staff are aware of the board’s concerns on the subject and will take action when necessary. Appropriate due care actions like frequent password changes should become routine. Some checklists are available online, suggesting questions directors might pose to raise awareness of the topic and avoid potential CS breaches.
Can a third-party payer help?— Many nonprofits deal with third-party payers that have sophisticated CS systems and may be able to offer the nonprofit some advice or assistance.
Education and training of employees— Many CS crimes have succeeded because employees have violated, or forgotten to follow, the practices that protect their working accounts and information. Proper education and training can help reduce these types of lapses.
You must be secure. If you are not, and a breach does occur, the ramifications can include major lawsuits and a loss of trust in your organization.
When your organization collects data from clients or donors, you are being entrusted with that data. It is your responsibility, as an organization, to make sure that trust isn’t broken: be clear about why you are acquiring the information and how your organization will protect it as best you can.