The ever-increasing cyber-attacks and data breaches targeting the private sector and government agencies, and the increased focus on cybersecurity plans and preparedness, may seem like remote risks for nonprofit organizations. Because nonprofits have not been as vigorously targeted as their for-profit and government counterparts, the sector has been slower to adapt to the threat environment and to allocate its often scarce resources to cyber preparedness and protection. This can perhaps be explained, in part, by a nonprofit’s organizational focus on mission and programming, its limited resources (underscored by pressure to reduce administrative, overhead, and compliance costs in favor of programmatic expenditures), and a sense that its charity status, or “halo,” provides protection from any risk.
But nonprofits remain as vulnerable as their for-profit and governmental brethren. As more nonprofits are targeted, it is critical for organizations in this sector to understand the risks posed by cyber breaches and data theft, to engage their boards and leaders on these issues, and to allocate funds and resources to cybersecurity. Equally important, and as part of this process, nonprofits need to understand how the many issues and aspects of cybersecurity play out differently in the charitable sector.
For example, recent litigation has focused on the duties of officers and directors in preparing for and responding to cyber threats. Of what relevance are these cases to nonprofits? In the for-profit context, directors are generally considered to have a duty to maximize shareholder value and act in the best interest of the corporation, which includes ensuring that reasonable steps are taken with respect to data security. But how should we approach this analysis in the context of nonprofit organizations (which do not have owners or shareholders) where directors and trustees have similar duties to act in the best interests of the organization, but in furtherance of charitable purposes or the public good? Here, the “fiduciary” choice between allocating limited resources to cyber preparedness and insurance premiums rather than activities that directly serve to accomplish the organization’s charitable mission (e.g., serving meals to the homeless), may not be so straightforward.
Other significant differences include the consequences of a data breach for nonprofits, and which regulator has investigative and enforcement powers. Nonprofits generally fall outside the jurisdiction of the Federal Trade Commission. And poorly handled cybersecurity might not result in enforcement actions, major fines, or penalties, but it could attract an onslaught of media attention and scrutiny, with fall-out including jeopardized donor/funder relationships that form the lifeblood of nonprofits, and investigations and review by state regulators with ever-expanding powers.
In the coming months, we will explore these issues and more, mapping out the issues for nonprofits and highlighting the application and translation of for-profit lessons to the charitable sector. In particular, we will discuss:
- Duties of nonprofit board members, including applicability of recent cases addressing board duties in the for-profit context;
- The regulatory players in this sector, and their potential jurisdiction over (and responses to) nonprofit data security and breaches;
- The potential consequences of a nonprofit cyberattack or data breach; and
- Cybersecurity readiness and priorities for nonprofits (including cyber insurance), with a focus on preparedness for smaller organizations with limited budgets.
To set the stage for these discussions, it is important to understand the risks and the vulnerabilities. Nonprofits collect and store data that are potentially vulnerable to attack and disclosure.
- Mailing lists (which can include personally identifiable information (“PII”), and also affiliations and donor attributes that the individuals or organizations might prefer to keep confidential);
- Donor/funder information (which, although publicly available in the case of private foundations, is not for public charities and other types of Section 501(c) organizations, including 501(c)(4) social welfare organizations);
- Donor/funder credit card details;
- Grantee information (which can include non-public reports and contact information and, for individual grantees, social security numbers and other PII);
- Employee records and personnel files;
- Educational and medical data (which might be an issue for colleges and universities, hospitals, research organizations, and private foundations offering scholarships and other assistance to individuals); and
- Internal governance materials (including confidential emails, reports, board/executive session minutes, communications with auditors, and other sensitive information).
Like for-profits and governmental agencies, nonprofits, too, have multiple points of exposure, including:
- Software and tech systems;
- Cloud services;
- Third-party vendors and service providers, including:
  - IT consultants;
  - Payroll services;
  - Temporary staff engaged for data storage and data entry; and
  - Outside professionals and service providers;
- Grantees with access to the organization’s grants portal or other databases and platforms;
- Project collaborators;
- Licensees; and
- Employees and fiduciaries (both those who may at some point have an axe to grind and, more commonly, those who are lax with passwords and security measures, or who are otherwise susceptible to phishing and other social engineering tactics).