In this age of heightened transparency and Form 990 disclosure rules, many nonprofit executives and board members might see their organizations as public entities. As a result, they might not be as protective of donor privacy as they could (or maybe should) be. However, most donors rightfully expect their personal information to remain confidential. As nonprofits seek to meet aggressive fundraising goals, they can solidify donors’ loyalty by keeping their names and other identifying information a well-kept secret.
The Not-So-Secret Effects of Violating Donor Privacy
Nonprofits are subject to many of the same privacy laws as for-profit businesses and face many of the same financial, regulatory, and reputational risks from the potential loss of confidential data. Consider the following recent examples of data breaches affecting nonprofits:
- During an 18-month period from 2013 to 2014, more than 330 Goodwill locations nationwide suffered breaches that exposed almost 870,000 payment cards. Malware on a third-party payment vendor’s system led to the breach, Goodwill said in a press release.
- A data security incident involving Utah Food Bank exposed the personal and financial information of more than 10,000 donors over the course of nearly two years. In addition to initiating an investigation by an independent IT forensics expert, the food bank announced last year that it was not only notifying affected individuals, but also providing credit monitoring and identity restoration services at no cost for one year.
- In early 2015, the Urban Institute informed users of its Form 990 Online and e-Postcard that hackers accessed the system and compromised users’ first and last names, email addresses, IP addresses, phone numbers, usernames, and passwords. The Institute encouraged users to change their passwords and engaged a cybersecurity firm to “analyze the situation and strengthen security.”
- In May 2019, People Inc. notified 1,000 current and former clients that personal information, including names, Social Security numbers, driver’s licenses, and health information, was exposed during a data breach as the result of unauthorized access to an email account belonging to a People Inc. employee. People Inc. reset the password, hired a cyberforensics firm, shut down a second email account that may have been impacted, offered credit monitoring services to impacted clients, and reported the matter to the FBI.
From breach notification and credit monitoring costs to fees for lawyers, forensic consultants, and public relations advisors, the financial impact of these security events can be substantial. But at the end of the day, it is the erosion of donor trust that can be most devastating.
Take Steps to Secure Donor Information
Safeguarding personal donor information requires nonprofit executives and board members to take the following key steps:
- Recognize the value of confidentiality. When it comes to data security and confidentiality, keep in mind that different circumstances and donor bases call for different approaches. Some donors announce their contributions publicly while others choose anonymity. Knowing the level of privacy that each donor expects is just one step toward tightening up data security.
- Know where personal information lives within your network and in your business partners’ networks. To understand where your organization is vulnerable, identify all of the locations where your donors’ personal information is stored, as well as who accesses or uses that information. Keep in mind that some of these locations might be outside your organization’s networks, such as with third-party vendors that accept online contributions.
- Understand threats that could put donors’ information at risk. These threats often stem from the actions of employees or business partners. Given these individuals’ close proximity to donor information, consider how to implement internal controls – or improve existing controls – to help ensure that these team members will protect the information. For example, requiring a service organization control (SOC) report of your third-party vendors enables you to better assess their processes and systems for maintaining data confidentiality, integrity, privacy, and security.
- Provide training for employees and volunteers. Those who handle donor information need to understand their responsibility to maintain its confidentiality – and the steps they can take to do so. That training should include real-world scenarios so that employees and volunteers know exactly what to do if they are victims of social engineering or other attacks.
- Remain vigilant. Threats to the confidentiality of personal information are constantly evolving. Assess and update confidentiality policies, systems, and training on at least an annual basis.
CRI Can Help You Maintain or Strengthen Your Nonprofit Donor Privacy Measures
To fulfill your not-for-profit’s mission, you must keep your promises to the individuals who help sustain your organization’s efforts. Increasingly, this need means assessing and strengthening your organization’s practices to keep donors’ personal information under “lock and key.” If you need further guidance regarding ways to better prioritize donor privacy, then contact CRI’s nonprofit CPAs and advisors.