We are awash in a sea of data and still learning to swim. Nonprofits, like corporations, are taking in more information than ever before, and sometimes more than they know how to handle. The risk of a privacy breach is on the minds of many of the nonprofits we speak with, and if it isn't, it should be - the consequences of a breach can be severe. Attacks, and in particular ransomware attacks, are on the rise in Canada, and recently they have begun targeting nonprofits, hospitals and higher education institutions. Nonprofits are especially vulnerable because they retain large amounts of sensitive donor, client, employee, and financial information but may not have large budgets for data security.
Regardless of the size of an organization or the sophistication of its software systems, it can still be vulnerable to attack. Although reports of these types of attacks are becoming common headlines, there are still many more breaches that go unreported. "There are a significant number of breaches that never get reported because there's no obligation to report them," says Imran Ahmad, a partner at the law firm Miller Thomson, who specializes in cybersecurity.
Reputation is everything to a nonprofit organization, and a data breach can destroy a reputation in one fell swoop. Although there is incentive to deal with a potential breach quietly, mandatory breach reporting requirements included in the new Digital Privacy Act (Bill S-4) will come into force this year, and failure to meet these requirements will carry fines of up to $100,000.
As a result, it is more important than ever that nonprofits protect their data and have a plan in place to appropriately report issues when they do occur, otherwise nonprofits could face more than just a tarnished reputation.
Here are 5 ways that nonprofits can prevent and manage a data security breach:
1. Stay on top of the legislation:
Along with PIPEDA and the Digital Privacy Act, there is other legislation nonprofits need to stay informed about, such as the Payment Card Industry Data Security Standard (PCI DSS), which requires organizations that handle major credit cards, such as Visa and MasterCard, to follow ‘information security best-practices’. Organizations that fail to comply with these standards can be penalized with substantial fines. There are other data security regulations in Canada, such as Ontario’s Personal Health Information Protection Act (PHIPA), that your nonprofit must also comply with if you handle protected health information. These regulations are subject to change, so it’s important to stay up-to-date.
2. Ensure your software is secure:
Budgets are tight for all nonprofits, but software is not the place to skimp. We often come across nonprofits that are still using unsupported systems that are more than a decade old. The older your operating system, computers and network, the more susceptible you are to data breaches. In addition, some nonprofits choose to use open source software to get things done in a less expensive way. However, open source software is often extremely vulnerable to attacks. Being on a supported, secure system with a trusted provider that offers regular software and security updates to address new threats is imperative.
3. Complete a risk assessment and action plan:
Anticipating risks helps organizations understand where they are vulnerable for things to go wrong and create a plan for how to get the organization back on track should something happen. As risks are identified, nonprofits should prioritize them based on likelihood and potential impact so they can focus on the highest priorities. Some things to think about are:
- What data is vulnerable?
- How current are your information systems? How secure?
- Are your data security policies and procedures adequately defined and enforced?
- Are employees adequately trained regarding data security?
- Do you have appropriate insurance should something go wrong?
- What is required to close any potential gaps?
4. Develop a cyber-security plan:
Once you have completed your risk assessment and addressed the priorities and gaps, it is important to implement a comprehensive and ongoing cybersecurity plan, data protection plan, and privacy program. These should outline potential risks, policies, responsible parties and procedures, and include an ongoing communication plan and a response plan in case an incident does occur. Given the changes coming in 2017, the response plan should address:
- Employees’ roles and responsibilities as they relate to incident response
- An awareness plan outlining why incident response is important
- A list of outside parties that will require notification in the case of a breach
5. Board level oversight:
As an organization’s level of potential risk and impact increases, so will the need for oversight from an active Board of Directors, who have an obligation to protect the assets of a nonprofit (personal information, client information, good will, reputation). Good governance obligates Boards to have an active role in ensuring that management has implemented systems that mitigate risk and have a plan to identify and respond if something does occur.
Many nonprofits operate within tight budgets, and technology and security may not previously have been a high priority. Going forward this must change, because the risks far outweigh the costs. Of course, we could go much deeper into each of the 5 points above; however, the goal of this article is to create awareness and ensure that nonprofit leaders are engaging their key stakeholders (management & boards) in discussions around risk and how best to mitigate it. Dealing with these risks must be a team effort and should include representatives from all areas of the organization, such as IT, Finance, HR, Operations, Funds Development and Legal. Ideally, these discussions should also be led by a champion who promotes the business case throughout the nonprofit.
We hope you enjoyed reading Part 1 of our 2 Part Series on Risk Management for Nonprofits. Part 2 will focus on reducing internal risk through proper system processes, segregation of duties, and effective auditing procedures. Stay tuned!