As a nonprofit or charitable organization, the threat of a cyber breach may not be top of mind. Computer network hacking – that’s something that only happens to governments and big businesses, right? Wrong. In fact, small organizations are being targeted more than ever before and the nonprofit sector is not immune. In addition to the headline-grabbing “hacking” incidents, consider the following cyber and privacy scenarios:

Loss of laptop: A director of a nonprofit organization leaves her laptop on an airplane. Files on the laptop contain donor and beneficiary data including addresses, credit card information, bank account numbers and other personal identifying details. The laptop is found by a flight attendant and returned to the director several days later, however, the data breach is not reported to the Privacy Commissioner within the required timeframe and the organization is fined as a result.

Inadequate security/record snooping: A volunteer at a children’s foundation inappropriately accesses confidential health information of children in the program. Although the information is not used or shared further, participants begin to lose trust in the program.

Computer virus: A volunteer centre’s computer network is down for 4 days as a result of a virus and they are unable to provide any services. Experts are hired to repair their system and get it up and running again.

Insecure disposal of sensitive information: In an effort to go paperless, a cleaning crew at a HIV awareness organization discards all employee and volunteer files in an unsecured dumpster. Personal information of employees and volunteers is compromised and those affected join a class action lawsuit against the nonprofit.

Disclosure and selling of private data: A disgruntled volunteer in a community service office is arrested for trying to sell names, addresses and social insurance numbers for tax fraud purposes.

How would you handle the situations described above? What are your responsibilities as a nonprofit or charitable organization? Are you aware of the potential costs associated with these incidents? And how do you respond to these breaches of privacy?

When faced with situations such as these, Cyber Security and Privacy Liability Insurance can help.

What is a cyber breach?

As evidenced above, a cyber breach can come in many different forms. A cyber breach is an event in which an individual’s private and confidential data, including personal, medical and/or financial information, is potentially put at risk while stored in electronic format. The release of this secure information, either intentionally or unintentionally, to an unauthorized person or environment can result in claims against the individuals and organization that collected and stored the data.

Anyone who maintains or transmits personally-identifiable non-public information electronically (on computers, laptops, portable electronic devices or other electronic media) is vulnerable to a cyber breach. This breach can range from a minor occurrence, such as a colleague accessing information on your computer, to the theft of thousands of volunteer or donor records. While some breaches derive from external hackers or malicious insiders, they can also result from system glitches, or even from simple carelessness or human error.

Why are nonprofit and charitable organizations vulnerable to cyber breaches?

Although both nonprofit and for-profit organizations have the kinds of valuable data that hackers target – such as employee or volunteer data, credit card numbers, donor information, and private health information – nonprofit and charitable organizations may not have the resources, technology, or expertise to defend against and respond to cyber threats. This makes nonprofit organizations especially vulnerable to cyber attack – and ideal candidates for cyber insurance protection.

Also, unlike large for-profit companies with established risk management and legal departments, nonprofit organizations may struggle with the technical and financial consequences of a data breach. Imagine how hard it would be for a nonprofit or charitable organization to raise funds following a breach of private information belonging to current donors. It would also be difficult to recruit new volunteers if the confidential information of current volunteers was compromised. The survival and reputation of your nonprofit or charitable organization could be at stake if a data breach isn’t handled quickly and appropriately.

Consequences of cyber breaches

The cost of a cyber breach is considerably high; especially for nonprofits with limited resources. Financial costs can include those associated with government investigation, legal defence, damages awarded to the individuals whose private and personal information was compromised, the expense of notifying individuals of a breach, and business interruption costs, among others.

The Ponemon Institute’s 2017 Global Cost of Data Breach Study estimated the cost of lost or stolen records to be $141 (USD) per record. Cumulatively, the average cost of a data breach to a company was $3.62 million.

Clearly, the financial costs are high, but so too are the other costs associated with a data breach. These include damage to an organization’s reputation and loss of donor and volunteer confidence.

Is your organization protected?

Cyber Security and Privacy Liability insurance protects you and your organization against the exposures and risks associated with a cyber and privacy breach. Most Cyber insurance policies will pay for things like:

  • Notification costs, identity restoration services, and credit monitoring for the individuals whose information was compromised;
  • The costs to engage a computer expert with the technical know-how required to identify the source of the data breach and protect against future incidents;
  • The costs to hire a public relations firm to repair any damage done to your organization’s reputation or image as a result of the breach;
  • Fees associated with a regulatory investigation, including your legal defence, any fines and penalties the organization is required to pay (as permitted by law), and compensation for individuals who have been affected by the breach.

Be cyber safe

Too many security breaches stem from simple errors, such as sensitive emails mistakenly addressed to the wrong person or staff mislaying data on mobile drives, and these vulnerabilities are particularly evident in organizations with extensive volunteer involvement.

Help safeguard your organization through awareness and preparedness. Knowing that cyber breaches occur every day in both small and large organizations is just as important as implementing physical and electronic security measures and being aware of how to securely store, transmit, and dispose of sensitive information.

Having minimum controls (typically outlined in cyber insurance applications) can prevent most privacy or data breach events, but being prepared and knowing how to react following a breach is imperative. Consider taking the following steps:

1. Identify and evaluate cyber security threats and risks and then decide what should be done to improve cyber security in your organization.

2. Develop and implement written cyber security policies and standards with board oversight and engagement. Also be sure to test and monitor your security policies and standards regularly and update them as necessary. Policies and standards can include:

  • A policy to collect minimal information about donors, volunteers, and others, restricted only to what is needed by organization
  • A standard describing acceptable handling and destruction of paper records containing private, personally identifiable information
  • A policy detailing who is to be given system access, with procedures outlining how to monitor access and address any breach

3. Train and inform all employees to follow the cyber policies: collective protection of a nonprofit is everyone’s responsibility. It extends beyond directors and officers – to anyone who has access to sensitive information on computers and data bases.

4. Apply security precautions, such as:

  • Have and use strong passwords. Avoid using the same password repeatedly
  • Encrypt all devices that contain private, personally identifiable information, including desktops and portable devices such as laptops and USB sticks
  • Update computer firewalls and virus protection software as soon as they are available
  • Only use secure and reputable payment processing sites
  • Implement strong defensive technology to monitor and protect your website and systems

5. Insure your nonprofit or charitable organization appropriately with Cyber and Privacy coverage.

For more information on Cyber Security and Privacy Liability or other insurance products for your organization, please contact BMS Canada Risk Services Ltd. at 1-855-318-6558 or cyber.insurance@bmsgroup.com.