Insuring Donors’ Goodwill

January 1, 2008 | Marla Nobles

When a steam pipe burst in midtown Manhattan this past summer, area nonprofit Seeds of Peace lost access to email and all Internet applications. Because the organization had its back-up data stored offsite, staff members were able to receive emails within minutes of the explosion, and Seeds of Peace was fully operational within two business days.

“Power was shut down not only to our New York office, but our D.C. office and our offices in Israel – Tel Aviv and Ramallah,” said Fayth Centeno, office and human resources manager for Seeds of Peace. “Our servers were down. Everybody was affected, and nobody was able to work.”

After Con Edison, the utilities company serving New York City, removed the charity’s servers citing asbestos contamination, the group turned to its managed IT service, mindSHIFT Technologies, which also manages the group’s back-up system.

“MindSHIFT was able to move our data to new servers, since they’d been backing it up every day,” said Centeno. As a result, the only data the group lost was from earlier in the day, since a routine back-up had been performed the prior night.

Backing up data at a remote, offsite location is the No. 1 piece of advice IT experts will give when it comes to online-asset protection. Second, install regular virus updates and, third, develop a disaster recovery plan for software, applications and data, and test it at least once a year. Often, that’s bolstered with electronic data processing insurance to cover any physical damage to your system.

But disaster-related corruption is just one culprit of data loss.

In the wake of the security breaches at nonprofit software and service providers Convio and Salesforce, it’s become clear that nonprofits are hardly immune from the exploits of Internet hackers. In the case of Convio, at least 92 clients were affected.

“Coverage that deals with a security breach is a relatively new type of insurance,” said Mel Whiteley, director of the nonprofits group at AH&T Insurance. “It’s an entirely different type of animal.”

Sometimes called information-asset coverage, cyber insurance is designed to protect against damage to your database, arguably a nonprofit’s most valuable asset, resulting from a security breach. It can also be used to recover the resulting loss of income.

“There’s more awareness of the need for some form of data protection, beyond just backing up your database, probably because many organizations have experienced losses, system crashes,” said Whiteley, who works in the firm’s Leesburg, Va. office.

According to the Federal Bureau of Investigation’s (FBI) Web site, and Privacy Rights Clearinghouse (PRC), a nonprofit consumer organization, colleges and universities are among the most vulnerable when it comes to identity theft-related security breaches. In fact, during this past October more than 35,000 employees and students at colleges and universities nationwide were affected by security breaches, according to PRC.

“Having the resources to pay for the cost of repairing, recovering and restoring a database that has been damaged due to an insurable event, such as a security breach, certainly lessens the blow,” said Melanie L. Herman, executive director of the Nonprofit Risk Management Center in Washington, D.C. “Insurance clearly has a role at that point.”

Despite the heightened awareness of the need for data protection against disaster-related loss and security breaches, cyber insurance remains a tough sell, especially in the case of the latter.

“The problem that you run into is lots of organizations have a policy that this is what we do, only they don’t do it, and it gets lost in the shuffle,” said Whiteley. “And when you’re talking small to medium organizations, in particular, those are the ones that violate their own rules,” he said.

“(Nonprofits) don’t feel that it’s a big exposure until they get sued, and even then some organizations may feel they can cover the cost rather than buy insurance,” said Marjorie Young, vice president with insurance brokerage E.G. Bowman Co., in New York City. On the other end, added Young, “I also think people shouldn’t overbuy insurance if they don’t need it.”

According to Young, organizations that gather confidential information, such as Social Security numbers and credit card information, are candidates for cyber insurance. “They’re responsible for the security of that information,” she said. “And if their system’s corrupted that way, they have to notify everyone that it has been corrupted. So, there’s an expense there as well.”

Laura S. Quinn, founder and director of Idealware, which provides nonprofits with Consumer Reports-style advice on nonprofit software, has questions about what can actually be done with the money that you’re insuring your data with to mitigate the risk. And maybe more intriguing, “how do you place a value on what is basically a donor’s goodwill?” asked Quinn.

The data, said Whiteley, is valued based on the cost to research and reconstruct the database, “to get it back to where it was before.” Young said the value of the data is based on its level of sensitivity and/or the nature of its confidentiality.

In terms of what to insure against, Whiteley recommended an organization anticipate all the things that are “likely and probable to happen. And it really doesn’t matter whether it’s off-premise or on-premise, those things can happen.”

In the case of Seeds of Peace, whose servers are now housed at mindSHIFT’s Fairfax, Va., facilities, Centeno said the group is looking into property insurance. “We have to protect ourselves against one, the cost – the servers are not cheap – and two, the data,” she said. “Once you lose that it’s really hard to recover.”

Another consideration, said Whiteley, is service- or business-interruption loss due to corruption of what is a revenue-producing database. “Maybe in the month of December you would have sold a couple hundred thousand dollars worth of products, or received donations,” said Whiteley. “What business-interruption coverage does is basically replace the revenue you’ve lost.”

In the end, the experts agree: there’s no way to fully recover from a security breach, particularly one that means the loss of constituents’ names and information. “You’re never going to be able to recreate it wholesale,” said Quinn. And then there’s the constituent loss of faith aspect to consider.

Protection is paramount, added Quinn, and sometimes that protection calls for insurance. She recommended organizations consider the following:

  • What is the worst that can happen;
  • How likely is that;
  • What should I do to try to mitigate as much as I can; and,
  • Once I’ve mitigated, how can I protect against the likelihood of it happening again?

Whiteley recommended looking into both property and cyber insurance, as there are caveats with each. Oftentimes property insurance doesn’t include business interruption, he said, and sometimes coverage doesn’t protect data that’s housed offsite. In terms of pricing, he estimated the average cost of comprehensive coverage to be around $25,000 annually. Broken out, liability – to protect against blame for violating someone’s privacy, for instance – goes for about $8,000 annually.

Young recommended a figure five times an organization’s revenue, and quoted $5 million coverage to be around $60,000 annually. NPT