Managers at nonprofits across the U.S. collect and store — in filing cabinets, networked servers and in rented “cloud” space — vast amounts of personal information. And despite the increasing frequency of data breaches affecting public, private and nonprofit organizations, most nonprofit leaders admit knowing too little about the risks and consequences of failing to adequately protect personal information collected from employees, volunteers, clients and donors.
Data Privacy Risks and Responsibilities
If you believe that the work of foreign hackers represents the greatest threat to the confidential information your nonprofit collects, you might be overlooking threats that are far closer to home. The following common business activities can lead to a data breach and potential liability for a nonprofit:
• Conducting e-commerce on your website, especially collecting credit card data and processing payments online;
• Storing and transferring personal employee, client or donor data — for both virtual data and paper records (e.g., sending sensitive data via email or storing sensitive data in the cloud; storing paper records in unprotected filing cabinets that anyone could access);
• Storing personal information on laptops or smartphones;
• Allowing partners and/or vendors to access personal information without proper safeguards; and,
• Storing personal information on cloud servers or systems.
While it’s true that cybercrimes such as hacking, insertion of malicious code into a data system, or the purposeful loss and destruction of data are a valid concern for nonprofit leaders, it’s important to recognize that unintentional privacy breaches can be just as costly.
A simple example is permitting personal information to be stored on a laptop or smartphone. The device — and all the vital data on it — could be damaged, lost forever, or it could even fall into the wrong hands. In some states, the mere loss of the device with personally identifiable information is a breach under the law and triggers reporting responsibility, such as the duty to notify the people whose data was lost.
What is Personally Identifiable Information or PII?
The starting point for understanding the duty to guard personal information is understanding what constitutes personally identifiable information (PII) under the law. Information found in a telephone book is not protected under the law. Therefore, the loss of a paper or electronic file containing donor names and addresses probably doesn’t constitute a breach or trigger state law notification requirements.
For example, in Illinois the definition of “personal information” contained in the Personal Information Protection Act (815 ILCS 530) is “…an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
• Social Security number;
• Driver’s license number;
• State identification card number; and,
• Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.”
Privacy and Data Breach Laws
Data management and security standards are becoming increasingly complex as data constantly moves between multiple devices and storage sites. Various federal and state privacy regulations require that for-profit and nonprofit businesses protect PII no matter where it resides: on a network; on stand-alone systems such as billing, medical, and marketing databases; on remote devices such as laptops or employee-owned cell phones; and of course on paper.
Additionally, there are data protection standards for specific industries or specific business practices, such as the PCI Security Standards Council’s Payment Card Industry Data Security Standard. This standard requires organizations to enact information security best practices if the organization handles major credit cards such as Visa and MasterCard. Failure to comply with these standards can result in enormous fines. Similarly, you might be familiar with federal data security regulations such as the Health Insurance Portability and Accountability Act (HIPAA) if your nonprofit handles protected health information (PHI).
According to the National Conference of State Legislatures, 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted laws that require organizations to notify individuals of security breaches of information involving personally identifiable information. Each of these laws generally has four key PII components:
• Who must comply;
• What constitutes “personal information;”
• What constitutes a breach (e.g., unauthorized acquisition of data) and the requirements for notice (e.g., timing or method of notice, who must be notified); and,
• Whether there are exemptions. The most common exemption is for encrypted information.
Cyber Liability Insurance: Worth the Investment?
The question about whether to purchase cyber liability insurance is top of mind for nonprofit risk and finance professionals. Like other insurance buying decisions, there is no single answer that fits every nonprofit’s circumstances. A good starting point is trying to understand what the policies available to your nonprofit actually offer.
Each insurer offers different forms of coverage, but many policies address a few familiar coverage areas. Cyber liability policies might include third-party coverages and also first-party coverages. Third-party coverage protects the insured organization against claims that arise from losses suffered by third parties, such as donors or clients. First-party coverage protects the insured for its own losses. The following is a list of some of the coverages that might be available through a cyber liability policy.
Notification Expenses: Almost every state has notification requirements for both private and government entities. If a data breach occurred at your nonprofit, it is likely you will be required to notify parties affected by the breach. Spending weeks notifying affected clients, donors and employees could be costly. Coverage for notification expenses will protect your nonprofit from the strain on human and financial resources in the wake of a breach.
Crisis Management: Your nonprofit could still face harsh criticism and scrutiny from affected stakeholders or the media after a data breach occurs and you’ve met your notification requirements. These disenchanted former supporters might ask: How could this happen? Why didn’t the organization do what was necessary to protect against a breach? Some cyber liability policies offer crisis management coverage to cover the cost of retaining public relations counsel to help minimize the damage to your reputation.
Regulatory Investigation Expense: Since data breach notification laws are subject to change, your commitment to comply might not be good enough. That means there is always a chance you’ll receive a call from a friendly civil servant. Both state and federal agencies can investigate and take action against a nonprofit that is negligent in guarding personally identifiable information.
Some cyber liability policies exclude coverage for governmental or regulatory investigation costs, but other policies include it. Some policies will also cover fines and penalties, such as a fine levied for failing to notify the individuals whose data was compromised within the time limit required by law. These fines can be substantial, and are often on a per-record basis.
Data Breach Liability: This coverage will defend your nonprofit against legal claims brought by a stakeholder who suffered a significant financial loss after their personal data was compromised. A typical suit will allege that your nonprofit was negligent in failing to protect the stakeholder’s personal information, and that their loss was directly attributable to your nonprofit’s negligence.
Content Liability: Some cyber liability policies offer financial protection related to the content of your website, blog or social media sites. This can range from copyright infringement and intellectual property claims to invasion of privacy or personal media injury (defamation, slander, libel) via electronic content. Some insurers refer to this coverage as “website liability.” Keep in mind that many nonprofits that buy cyber liability coverage principally do so to finance the costs arising from the theft of personally identifiable information, and choose to cover content liability exposures under another policy, such as a media liability policy.
Data Loss & System Damage (or Data Restoration Coverage): Your current property policy probably covers damage to computers you own, but traditional property policies do not cover the data stored on computers. Most cyber liability policies cover loss or theft of personally identifiable information (e.g., your clients’ home addresses, your employees’ Social Security Numbers, etc.). Some policies also include coverage for computer forensic analysis, the process used by an expert to assess the scope of the damage.
Business Interruption: Many cyber liability policies cover events related to the temporary or long-term shutdown of an insured entity’s operations, such as: loss of revenue during the downtime after a hack; denial of service; damage to systems or data caused by a virus; etc. This coverage might be beneficial for some organizations; however, it is unlikely that most nonprofits would be forced to close their doors while responding to a data breach incident. If your nonprofit would have to close in the event of a data breach, you’ll place greater value on having this coverage in place.
As is true with any insurance-buying decision, there are three keys to making the decision about whether to buy cyber liability coverage:
• Understanding and evaluating your exposure to claims. With respect to cyber liability coverage, this involves developing a general understanding of how a breach of privacy claim could impact your organization, as well as the value of existing or new mitigation measures on the exposure.
• Working with a knowledgeable agent or broker who can help you understand the exposures and also how cyber liability products differ. A knowledgeable, responsive and trustworthy insurance professional is worth her (or his!) weight in gold if they are able to guide you in making an appropriate decision about financing your cyber exposures.
• Determining your budget for this line of coverage. A policy with everything you want will be of little value if you can’t afford the annual premium.
Erin Gloeckner is project manager and Melanie Lockwood Herman is executive director at the Nonprofit Risk Management Center. They welcome your questions about data privacy risks. Their emails are Erin@nonprofitrisk.org and Melanie@nonprofitrisk.org.