BreachExchange mailing list archives

Cybersecurity & Nonprofits: A Matter of Time?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 23 Nov 2015 17:50:18 -0700

http://www.jdsupra.com/legalnews/cybersecurity-nonprofits-a-matter-of-50407/

The ever increasing cyber-attacks and data breaches targeting the private
sector and government agencies, and the increased focus on cybersecurity
plans and preparedness, may seem like remote risks for nonprofit
organizations.  Because nonprofits have not been as vigorously targeted for
attacks as their for-profit and government counterparts, the sector has
been slower to adapt to the threat environment and allocate its often
scarce resources to cyber preparedness and protection.  Perhaps this can be
explained, in part, by a nonprofit’s organizational focus on mission and
programming, limited resources (underscored by pressure to reduce
administrative, overhead, and compliance costs in favor of programmatic
expenditures), and a sense of their charity status, or “halo,” providing
protection from any risk.

But nonprofits remain as vulnerable as their for-profit and governmental
brethren.  As more nonprofits are targeted, it is critical for
organizations in this sector to understand the risks posed by cyber
breaches and data hacks, to engage their boards and leaders on these
issues, and to allocate funds and resources to cybersecurity.  Equally
important, and as part of this process, nonprofits need to understand how
the many issues and aspects of cybersecurity play out differently in the
charitable sector.

For example, recent litigation has focused on the duties of officers and
directors in preparing for and responding to cyber threats.  Of what
relevance are these cases to nonprofits?  In the for-profit context,
directors are generally considered to have a duty to maximize shareholder
value and act in the best interest of the corporation, which includes
ensuring that reasonable steps are taken with respect to data security. But
how should we approach this analysis in the context of nonprofit
organizations (which do not have owners or shareholders) where directors
and trustees have similar duties to act in the best interests of the
organization, but in furtherance of charitable purposes or the public
good?  Here, the “fiduciary” choice between allocating limited resources to
cyber preparedness and insurance premiums rather than activities that
directly serve to accomplish the organization’s charitable mission (e.g.,
serving meals to the homeless), may not be so straightforward.

Other significant differences include the consequences of a data breach for
nonprofits, and who/what regulator has investigative and enforcement
powers.  Nonprofits aren’t within the jurisdiction of the Federal Trade
Commission.  And, poorly handled cybersecurity might not result in
enforcement actions, major fines, or penalties, but could attract an
onslaught of media attention and scrutiny, with the fall-out including
jeopardized donor/funder relationships that form the lifeblood of
nonprofits, and investigations and review by state regulators with ever
expanding powers.

In the coming months, we will explore these issues and more, mapping out
the issues for nonprofits and highlighting the application and translation
of for-profit lessons to the charitable sector.  In particular, we will
discuss:

• Duties of nonprofit board members, including applicability of recent
cases addressing board duties in the for-profit context;

• The regulatory players in this sector, and their potential jurisdiction
over (and responses to) nonprofit data security and breaches;

• The potential consequences of a nonprofit cyberattack or data breach; and

• Cybersecurity readiness and priorities for nonprofits (including cyber
insurance), with a focus on preparedness for smaller organizations with
limited budgets.

To set the stage for these discussions, it is important to understand the
risks and the vulnerabilities.  Nonprofits collect and store data that are
potentially vulnerable to attack and disclosure.  These include:

• Mailing lists (which can include personally identifiable information
(“PII”), and also affiliations and donor attributes that the individuals or
organizations might prefer to keep confidential);

• Donor/funder information (which, although publicly available in the case
of private foundations, is not for public charities and other types of
Section 501(c) organizations, including 501(c)(4) social welfare
organizations);

• Donor/funder credit card details;

• Grantee information (which can include non-public reports and contact
information and, for individual grantees, social security numbers and other
PII);

• Employee records and personnel files;

• Educational and medical data (which might be an issue for colleges and
universities, hospitals, research organizations, and private foundations
offering scholarships and other assistance to individuals); and

• Internal governance materials (including confidential emails, reports,
board/executive session minutes, communications with auditors, and other
sensitive information).

Like for-profits and governmental agencies, nonprofits, too, have multiple
points of exposure, including:

• Software and tech systems;

• Cloud services;

• Third-party vendors and service providers, including:

    • IT consultants

    • Payroll services

    • Data storage/input temps

    • Bookkeepers

    • Outside professionals and service providers;

• Grantees with access to the organization’s grants portal or other
databases and platforms;

• Project collaborators;

• Licensees; and

• Employees and fiduciaries (both those who may at some point have an axe
to grind or, more commonly, those who are lax with passwords and security
measures, or who are otherwise susceptible to phishing and other social
engineering tactics).

We will explore these issues in the coming months.  First up:  the role of
fiduciaries in nonprofit cybersecurity (and why this should be on your
agenda, whether you are the general counsel of a nonprofit or serve on your
local PTA board in your personal capacity).
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com