Managers at nonprofits across the U.S. collect and store — in filing cabinets, networked servers and in rented “cloud” space — vast amounts of personal information.
According to Erin Gloeckner and Melanie Lockwood Herman of the Nonprofit Risk Management Center, despite the increasing frequency of data breaches affecting public, private and nonprofit organizations, most nonprofit leaders admit knowing too little about the risks and consequences of failing to adequately protect personal information collected from employees, volunteers, clients and donors.
If you believe that the work of foreign hackers represents the greatest threat to the confidential information your nonprofit collects, you might be overlooking threats that are far closer to home. The following common business activities can lead to a data breach and potential liability for a nonprofit:
- Conducting e-commerce on your website, especially collecting credit card data and processing payments online;
- Storing and transferring personal employee, client or donor data — for both virtual data and paper records (e.g., sending sensitive data via email or storing sensitive data in the cloud; storing paper records in unprotected filing cabinets that anyone could access);
- Storing personal information on laptops or smartphones;
- Allowing partners and/or vendors to access personal information without proper safeguards; and,
- Storing personal information on cloud servers or systems.
While it’s true that cybercrimes such as hacking, insertion of malicious code into a data system, or the purposeful loss and destruction of data are a valid concern for nonprofit leaders, it’s important to recognize that unintentional privacy breaches can be just as costly.
A simple example is permitting personal information to be stored on a laptop or smartphone. The device — and all the vital data on it — could be damaged, lost forever, or it could even fall into the wrong hands. In some states, the mere loss of the device with personally identifiable information is a breach under the law and triggers reporting responsibility, such as the duty to notify the people whose data was lost.