Blackbaud is familiar to many nonprofits and universities as one of the world’s leading cloud software companies for fundraising, relationship, and financial management. Now they are in the limelight after a highly publicized ransomware attack in which perpetrators obtained a copy of a subset of data from its Raiser’s Edge and NetCommunity products that track clients’ donors and fundraising activities. Although Blackbaud maintains that no personal information (such as credit card numbers, banking information, or social security numbers) was compromised in the attack, Blackbaud users impacted by the breach have since filed a class-action lawsuit for negligence, breach of contract, and other allegations.
Some have also criticized Blackbaud for their several month lapse in notifying its nonprofit users of the breach; the company maintains that because the breached data was eventually recovered from the hackers, that no nonprofit or donor information was compromised and thus did not require notification under data privacy regulatory regimes such as the EU’s General Data Protection Regulation (GDPR) or California’s Consumer Privacy Act (CCPA). So where does this leave small nonprofits whose donor and client information may have been compromised and what lessons can we learn from the Blackbaud mishap?
Why Your Nonprofit Should Care About Cybersecurity
In today’s hyperconnected world, businesses and consumers are increasingly falling victim to digital attacks. The consequences can range from interruption of important business functions and deletion of critical information to identity theft and extortion. But along with the practical ramifications are the affirmative obligations of businesses to comply with new data privacy regimes such as the GDPR and CCPA.
Data Privacy Laws and Nonprofits
The EU’s GDPR, effective May of 2018, is considered the leading global standard governing the treatment of personally identifiable information (PII)–PII can include anything from IP addresses, social media posts, digital images, and geolocation to mailing and email addresses, dates of birth, social security numbers and credit card information. Although the GDPR only governs PII collected about EU residents, digitization has globalized business reach, making it increasingly probable that businesses and nonprofits may fall under the GDPR’s purview.
Many states have followed in the EU’s footsteps, with California recently enacting its own consumer privacy protection scheme, the CCPA. The CCPA applies to anyone who collects or processes data about California residents. And while nonprofits are not directly covered by the CCPA, the regulation applies to for-profit vendors (such as fundraising software providers and marketers) who collect, maintain or use such information on behalf of a nonprofit. With many states trailing California with their own regulatory schemes, the scrutiny on data privacy practices is only poised to increase. That’s why it’s implicit on nonprofits to conduct a searching inventory of their data privacy practices and identify and address gaps in their cybersecurity and data privacy programs.
Still, a recent 2018 survey of nonprofits indicates that over two-thirds (68%) have no documented policies and procedures in the event of a cybersecurity attack and over half (59%) do not provide regular training to their staff. Understandably, many nonprofits have few resources and the whole data privacy thing can seem a bit overwhelming. Here are a few practical steps to get started.
Shoring Up Your Nonprofit’s Data Privacy Risks
Initiate a Data Audit. What type of data does your nonprofit collect, from whom, and how is your nonprofit using it? Who has access to that data? What is the lifecycle for that data (i.e. where is it stored, when is it deleted)? And don’t forget about third-party vendors who also collect or use that information on your nonprofit’s behalf.
Update Policies and Procedures. Once you understand your nonprofit’s current data ecosystem, you can better understand which regulatory regimes may apply and what risks are most salient. With that in mind, you can update or create actionable policies and procedures to guide your nonprofit’s data privacy and cybersecurity practices.
Train and Educate. Nonprofit policies and procedures are only as effective as the people who are implementing them. That’s why it’s important that you take time to regularly train and educate your nonprofit’s employees AND volunteers about your nonprofit’s data privacy and cybersecurity policies and procedures.
Monitor and Evaluate. The scope of cybersecurity threats and regulatory requirements are quickly evolving. Likewise, as your nonprofit grows and changes, so will your data privacy and cybersecurity risks. Your nonprofit should have a process in place to regularly monitor changes in your nonprofit’s cybersecurity ecosystem and to evaluate the relative effectiveness of your nonprofit’s policies and procedures, making changes as necessary.
Consider Insurance. Once you’ve assessed your nonprofit’s relative cybersecurity risks, you may want to explore insurance options. Policies are available to cover everything from the costs of noticing donors and clients in the event of a breach, to the pecuniary effects of a shutdown, loss of data, or payment of ransomware demands.
Ellis Carter is a nonprofit lawyer licensed to practice in Washington and Arizona. Ellis advises tax-exempt clients on federal tax matters and fundraising regulation nationwide.