Non-profits around the world help communities by delivering services related to healthcare, education, religion, housing, public safety, emergency response, cruelty-prevention, senior services and many other public benefit missions and activities. As these types of organizations continue to build and extend their public outreach, many have yet to fully grasp the constantly changing cybersecurity landscape and avalanche of new data privacy laws. This can place a great amount of risk exposure on non-profits if their data were to become exposed.
Protecting the Data
Similar to their for-profit counterparts, non-profits may house confidential data collected from staff, donors, volunteers and beneficiaries. This data can be related to internal operations, organizational finances or information originating from e-commerce platforms on their website (online credit card data). Another potentially sizeable portion of data collected by non-profits is personally identifiable information (PII). The purpose of collecting the PII does not matter, even if related to the business, student loans, donors, government data, healthcare or tax purposes.
Duty to Protect
A board of directors (BOD) should understand their duty to adequately protect sensitive data from cyberattacks and compliance requirements established by new data privacy laws. When it comes to cybersecurity and all the new data privacy laws, directors and officers of non-profits should understand if the security controls environment manages cybersecurity risk to acceptable levels of tolerance based on the complexity and needs of the organization. Boards should ask themselves, “Have we taken reasonable steps to protect against cybersecurity incidents that could lead to a data breach?”
Many of the data privacy laws, like the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), have broadly defined what constitutes PII under the law. For example, the CCPA defines PII as items such as personal identifiers (cookie numbers or a non-profit devised number), IP addresses (if an IP can identify a household), biometric data, geolocation data, internet browsing history, psychometric data (aptitude or personality tests) and inferences a non-profit might make about a staff, donor, volunteer or beneficiary.
It does not matter if this PII is stored on paper records or virtually on a smartphone, laptop, server or in the cloud. What matters is that non-profits are compliant with the data privacy laws if they have collected PII from anyone where these laws have been enacted. To complicate matters, many states are beginning to roll out their own data privacy laws, which require consideration when determining the overall compliance requirements associated with the data they are collecting.
As it relates to new data privacy laws like GDPR and the CCPA, non-profits must realize these new laws afford staff, donors, volunteers and beneficiaries additional rights about their PII data that may be inadvertently collected and stored. For example, new data privacy laws give users the right to be informed about what kind of personal data a non-profit might have collected and why it was collected. These new laws also provide such users the right and ability to request the deletion of their personal information, prohibit the sale of their personal information and access their personal information in a readily usable format. This would allow users to transfer their data to third parties without being hindered. For CCPA, protections of this data will be enforced by the state’s attorney general. It should also be noted that consumers will maintain a private right of action should a non-profit fail to implement and maintain reasonable security practices in the event a cybersecurity incident resulted in a data breach affecting their PII.
What Can Non-Profit BODs Do?
Non-profits should have the capability to withstand events such as natural disasters and cybersecurity incidents. Their IT infrastructure should be able to ensure the confidentially, availability, integrity and compliance of the core data being stored or transmitted through the non-profit’s IT infrastructure. Non-profit boards should be asking themselves:
- Can our organization protect its data from cybersecurity incidents, such as hacking, phishing, ransomware, insider threats, denial-of-service, loss of IT staff or theft of a mobile device?
- Are we aware of all applicable data privacy laws, and is our organization capable of meeting the requirements? Non-profit BODs should understand that many of these new data privacy laws carry serious penalties for failing to comply.
The answers to these questions will help navigate the data privacy and data security challenges they face currently.
About DHG IT Advisory
DHG IT Advisory works with companies to manage technology risk while maintaining data integrity, protecting privacy and complying with regulations. From project management and regulatory compliance assistance to digital forensics and incident response, DHG is equipped to meet your IT advisory needs that drive your business. To learn more about DHG IT Advisory, visit dhg.com/itadvisory.
Douglas Jambor, CISSP, ISFCE, CCE
Senior Manager, DHG IT Advisory
If you experience issues with this form, please use a different web browser or contact us at firstname.lastname@example.org