Got Hacked? Your Donors Know It
You're a nonprofit leader or board member, and you know that digital media literacy and cybersecurity are vital. Understanding everything about data is essential. It's not only me talking about topics such as protecting donor data. Nevertheless, hackers now use a new strategy specific to security, and it should give you pause. If you haven't made data protection your No. 1 priority, you’re placing your nonprofit at significant risk.
As an attorney, I predict that we’ll only see more and more lawsuits by donors against organizations that didn’t do enough to protect their data. Inevitably, we'll also see the rise of cases against the very nonprofits they supported. Recent tactics by hackers will only raise the stakes for nonprofits, so let's explore the dangerous new approach.
Hackers Rope in Everyone to Get Payments
NBC News recently reported the hacking case of a school district. Criminals stole sensitive files and locked computers — all for ransom. By the way, if a school district gets hacked, any organization can get hacked.
In the past, hackers would engage with the organization they hacked — in this case, the school district. However, times are changing, and hackers want to ensure they get their money, so they must inflict the greatest amount of pain and pressure. As a result, the hackers reached out to school families, informing them of the data hack.
Moreover, they said if the families didn’t ensure the school district paid, their information (and that of their children) would be released on the dark web. Of course, hackers wanted the families to demand the district pay up — no matter what.
The school district didn't inform the families of the hack — but the hackers did. You can guess how the families felt on receiving the news directly from hackers, rather than from a school district helping the people affected prepare and protect themselves. In short, families felt anger.
Donor Data Protection Is More Important Than Mission
We know that socially-minded leaders create nonprofits to help people and improve lives. However, the protection of donor data and other sensitive information must become the No. 1 priority for nonprofit leaders concerning donor engagement and stewardship. Further, digital media literacy is vital to spot fraudulent information. Otherwise, you risk your nonprofit and place it in legal jeopardy.
Getting sued is never a good thing. It’s time-consuming and costly to defend your nonprofit. Further, suppose it gets proven that your nonprofit didn't prioritize cybersecurity and data protection. That risks your organization's reputation and may even place your fiduciary board in a difficult circumstance. Additionally, it can substantively strain accomplishing the mission if donors are the primary funding source of your organization. Nonprofits can't ethically look to achieve their mission and, at the same time, turn a blind eye to the digital safety of their donors. It's become an ethical and moral question, especially as hackers amp up the pressure.
It’s not surprising that the hacked school district didn’t communicate the hack to its school families or staff. In reality, it’s an approach that many organizations use because they fear the risk and embarrassment of disclosure. However, the school district case demonstrates that the risk of not disclosing is much, much higher. Do you think if hackers inform your donors that your nonprofit has been hacked, you'll retain those donors on the other side of the crime?
What You Can Do Today
For protecting yourself or your organization, it's essential to be aware of donor data laws, and you must hire a cybersecurity expert. Again, you can’t afford not to do it. In the process, there are several things you should also consider for the protection of sensitive information, and likely a consultant will work with you to ensure it’s done.
1. Report Any Data Breach to Donors — Quickly
If there’s ever a data breach, make sure you report it quickly to your donors. You need to notify them as soon as possible so they know the situation and can take steps to protect themselves. If there’s a breach of information, or even if you think there might have been a breach, you also need to immediately discuss it with your legal counsel.
2. Develop an Incident Response Plan
To help you avoid being sued (or at least to do the right thing), you need to develop an incident response plan. Regardless of the size of your organization, it’s crucial to have a written plan to use in the event of a breach or data leak. It helps you carefully document any breaches and take appropriate steps to ensure they don't happen again.
3. Create an Information Security Policy
If one of these incidents occurs, you will want an information security policy. You can use this policy to outline what steps should happen when sensitive data is exposed. For example, if a laptop containing donor data was stolen, this document should outline the steps that need to be taken to ensure that thieves do not access or use the data.
4. Employee Access to Sensitive Data
Limiting access to data and systems is an easy way to reduce the risk of exposing donor data. Make sure that only people who need the data have access to it. Remember that just because someone is an employee, they don't necessarily need to access all of your data. Limit access to sensitive data, like social security numbers, credit card numbers, addresses and other personally identifiable information. You should create different authorizations for different groups, based only on the access each group needs.
5. Employee Training
Aside from media literacy training, employees should be trained on what data and information are protected and the consequences of exposing it. Employees should be instructed not to share personal or confidential information with others, even in a joking manner. Employees should know never to reveal personal or financial information when speaking with someone who does not need to know it. Further, the data security training shouldn’t be a once-in-a-blue-moon activity. It should happen annually, and any security updates should be given throughout the year, as needed.
6. Reporting Incidents to Authorities
Reporting an incident to authorities helps with investigating what happened. Reporting also lets donors know that you are aware of the situation and taking action to protect them. It reassures them that you’re looking out for their safety and data. It’s essential to report all incidents to authorities, even if the data was publicly available beforehand. And it may help ensure things like lawsuits due to negligence don't happen in the future.
It's essential to know what information is vulnerable and how you can protect against a possible violation. Remember, there are three sources of data security threats: internal, external and natural disasters. However, you can take positive action in the digital era. Train your team to spot phony sources and threats through media literacy. And invest in the latest security technology and develop more stringent security measures with experts in the field.
Paul D’Alessandro, J.D., CFRE, is a vice president at Innovest Portfolio Solutions. He is also the founder of High Impact Nonprofit Advisors (HNA), and D’Alessandro Inc. (DAI), which is a fundraising and strategic management consulting company. With more than 30 years of experience in the philanthropic sector, he’s the author of “The Future of Fundraising: How Philanthropy’s Future is Here with Donors Dictating the Terms.”
He has worked with hundreds of nonprofits to raise more than $1 billion for his clients in the U.S. and abroad. In addition, as a nonprofit and business expert — who is also a practicing attorney — Paul has worked with high-level global philanthropists, vetting and negotiating their strategic gifts to charitable causes. Paul understands that today’s environment requires innovation and fresh thinking, which is why he launched HNA to train and coach leaders who want to make a difference in the world.