Of the many nightmares that can assail nonprofit leaders, the data breach is one with far-reaching consequences. Modern times, modern problems.
During the 2014 Risk Summit in Chicago, David Lewison of AmWINS Brokerage Group, Jeremy Henley of ID Experts and Ted Kobus of Baker & Hostetler, in a session moderated by Philip Reese of USLI, said data breaches usually happen because of hackers; employees who click on phishing emails; disgruntled employees taking information; or lost, stolen or misplaced laptops or mobile devices.
If a breach occurs, what to do? Follow these steps:
- Get help. Identify and engage a qualified attorney who will help navigate the breach notification requirements in states where potential victims reside. Identify and engage forensic specialists to determine what information was lost. If the organization has a breach plan, follow it.
- Report. Notify the proper governmental agencies, notify potential victims and identify what information was lost and what the organization is going to do about it.
- Pay up. Pay for credit monitoring and identity rehabilitation services if necessary. Pay public relations firms to rehabilitate the organization’s image. Defend the organization from investigations, fines, penalties and restitution funds.
- Wait. Hope that the records do not end up in the hands of people who will do harm to the victims. Hope the organization has handled the breach in a way that will not result in a lawsuit.