Nonprofit organizations face the same privacy and data protection challenges and requirements that apply to any business. Compared with for-profit enterprises, nonprofits often must also face these challenges and meet these requirements with smaller budgets and fewer resources, and with staff that may not be experienced in addressing privacy and data protection issues. Moreover, in the event of a data breach, nonprofits may suffer even greater harm than some for-profit enterprises if they lose the trust and confidence of current or prospective donors and other supporters.

In the past few years, nearly all U.S. jurisdictions and many foreign jurisdictions have imposed a variety of obligations on entities that collect, use and store “personal information,” which generally is defined to include a person’s name, together with a driver’s license or other state-issued identification number, bank or credit card number, or financial account number. The federal government and some states have also adopted requirements designed to protect “personal health information,” which is commonly defined to include any information about a person’s physical or mental health condition, the provision of health care, or payment for health care services. In addition to these governmental regulations, the credit card industry also imposes numerous data security requirements on any entity that accepts or processes credit card payments.

Most nonprofits collect, use and store “personal information” concerning their patrons and donors, as well as their staff. Many also collect, use and store “personal health information,” at least with respect to staff. Such organizations now must have comprehensive, written information security programs, which include administrative, technical and physical safeguards for protecting the confidential information of employees, donors and others. In the event the privacy of such information is compromised, the organization also must be prepared to comply immediately with the “data breach” laws that have been adopted by almost all states and some foreign jurisdictions.