You may think that most cyberattacks happen to for-profit businesses and government agencies. But don't be lulled into a false sense of security; when it comes to collecting and storing valuable data, many trade associations and nonprofits could give a like-sized corporation a run for its money.
However it happens, a security breach can compromise the personal information of your employees or members, have drastic effects on your nonprofit mission, and push you into the blinding glare of a viral media storm – responding to accusations, fending off the press, and struggling to bolster customer confidence, comply with legal requirements and avoid lawsuits, money damages and enforcement actions. How could this happen to you? Easily. A laptop is stolen from an employee's car. A compact disc is lost in transit. A disgruntled employee walks off with association financial data – including member credit card information – on a flash drive. Students at a local school get unauthorized access to the IT system. A member's Social Security number is visible through the window on an envelope. A hacker taps into your technology system. Your cloud vendor suffers a security breach. However it happens, a security breach can compromise the personal information of your employees and members and have drastic effects on your association, leaving you stunned and the world angry at you.
While many of the U.S. federal privacy laws have been around for years and were designed to protect limited kinds of information, more recent "data security breach laws" adopted in most U.S. states and territories tend to be broader and to govern any business – for-profit or not – that holds the personal information of a resident from a particular state.
If your business has not yet suffered a security breach, count yourself lucky – the Privacy Rights Clearinghouse now conservatively estimates that a whopping 230 million records have been compromised since January 2005. But don't count your blessings for too long; instead, spend your time wisely by preparing for the worst. Doing so will help you minimize the likelihood of a breach by bolstering your security systems and policies, ensure that you comply with applicable state data security breach laws (and any other applicable U.S. or international privacy laws), and establish safeguards and plans that will bolster customer confidence, both in good times and in bad.
Make no mistake, prevention and planning for a security breach can be a big and complex job, but so are the stakes. Here is a four-step prevention and planning process:
1. Audit – audit your security practices and how you collect, share and use personal information, and learn which laws apply to your association.
2. Implement – design and implement a privacy and security plan that complies with applicable laws, limits exposure, and increases customer confidence.
3. Comply – follow the plan, but update it as technologies and laws change.
4. Mitigate – prepare a risk mitigation plan; swiftly implement it if the worst happens.
It also is important to evaluate and obtain appropriate liability insurance to cover claims that might be brought against your association, as well as first-party insurance to cover the costs of compliance to handle a security breach.
No security system, not even Google's, is perfect. But in view of the complex patchwork of state-level data security laws (and other privacy laws), taking preventive measures to minimize the likelihood or scope of a future security breach, and establishing contingency plans in case a breach occurs, is most likely to ensure legal compliance, not to mention a win-win outcome for your members and your association. If your organization has not yet suffered a security breach, count yourself lucky. But don't count for too long; instead, spend your time preparing for the worst.
This article was originally published in the Association TRENDS newsletter.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.