The supporters of your non-profit organization trust that you will protect their interests. At a high level this means they trust that their support goes toward achieving your organization's mission. But protecting their interests goes beyond your mission and extends to safeguarding the information your organization holds about them, including financial information.
The theft of a laptop, the accidental loss of a thumb drive, or a volunteer's unwitting response to a phishing e-mail or phone call can have disastrous consequences for a non-profit. The public relations nightmare alone is a time- and resource-consuming event, but these kinds of data breaches can also result in significant fines and other costs, such as notifying donors and other stakeholders of the breach and paying for credit monitoring for the individuals and organizations whose information was affected.
Ninety percent of organizations in a June 2011 Ponemon Institute survey reported at least one data breach within the previous 12 months. The estimated cost of a typical data breach is over $200 per compromised record. If an employee loses a thumb drive containing personal or financial information for 500 donors, it could easily cost your organization over $10,000, and that amount escalates if a fine is involved.
Consider the case of Hospice of North Idaho ("HONI"). This Idaho nonprofit has the dubious distinction of being the first entity fined by the Department of Health and Human Services ("HHS") for a data breach involving fewer than 500 patients. In June 2010 HONI lost a laptop containing sensitive personal information for about 441 patients. The laptop was stolen from an employee's vehicle; the thief was apprehended, but the laptop was not recovered. There was no evidence that any patient information had been abused or compromised, but HHS fined the hospice $50,000 for the violation, primarily because the laptop was not encrypted. HHS wanted to send a "strong message" to the healthcare industry that any entity covered by HIPAA will be held accountable for safeguarding patient health information.
Not only did HONI have to pay $50,000 to HHS out of its operating budget, it also bore the cost of notifying patients that their personal and health information could have been compromised, and providing credit monitoring to the patients whose information was on the stolen laptop.
- Understand the laws and regulations that set the data security standards your organization must meet.
- Perform a risk assessment. Identify your organization’s weaknesses and take steps to strengthen the weak areas. Consider physical security of documents and IT equipment, as well as electronic security. The latter includes networks, passwords, laptops and other portable devices, wireless/remote access devices, and peripheral devices such as digital copiers and printers.
- Develop policies and procedures, and have employees and volunteers sign an agreement that they understand and will follow your organization’s data security safety standards.
- Create a “culture of security” through regular employee training and updates. Train employees in security measures, and then train them again, and again.
- Establish a plan for identifying and responding to a data breach, both technical and PR aspects.
Verizon reported 855 data loss or breach incidents in 2011, involving 174 million compromised records. Incidents involving hacking and malware were both up considerably in 2011: 81% of breaches involved some form of hacking, and malware was used in 69% of them. Verizon reported that 97% of the breaches were avoidable through simple or intermediate controls. In fact, 63% of the recommended controls were considered "simple and cheap", addressing weaknesses such as easily guessable administrative passwords and inadequate firewalls.
Your organization cannot afford to expose itself to the financial and reputational costs of a data loss or breach. Ensure you understand the risks and take measures to prevent this type of incident.