Cybersecurity is a growing concern for all nonprofit organizations, especially those that store, process, and transmit sensitive data. While it is common to think of cybersecurity as relevant only to digital communications and networks, the same rules and issues apply with equal force to plain old hard-copy content that is delivered by the Postal Service, such as subscriber information, marketing mail, and nonprofit fundraising solicitations.
Increasingly, federal and state laws require that such information be protected with cybersecurity safeguards and require notification to consumers in the event of unauthorized access or breach. Liability and loss of donor and member confidence are important risks that organizations often manage by updating their legal and technical processes to better reflect the modern cyber threat environment.
As commercial mailing and publishing continue to digitize, business operations rely on sharing growing volumes of data. This includes, for example, sharing subscriber and mailing information with the U.S. Postal Service (USPS), data aggregators, and other partners.
Nonprofit organizations' ability to keep such data confidential from competitors, and to protect the data from unauthorized access or breach, often depends on the resilience of not only the organizations' cybersecurity programs, but also those of the partners with which they share data.
Compounding this challenge, a growing number of regulations require nonprofit organizations and other entities to maintain internal safeguards for sensitive information, and to ensure that partners and service providers protect such information. However, it is not always clear how partner organizations adequately safeguard shared data from unauthorized access, breach, and misuse.
For example, the inspector general (IG) for the USPS recently released an audit report that raised serious concerns regarding USPS security. The report noted that USPS cybersecurity "lacks maturity, which limits its ability to fully understand its risk exposure and protect the agency from cyberattack." According to the IG, these and other issues expose USPS to potential exploitation by threat actors, which could result in data breaches and major disruptions.
Although the extent to which such alleged gaps in USPS security put donor/member and other personal information at risk is unclear, organizations should evaluate their legal liability, security posture, and processes to ensure they minimize risk and respond to security breaches and other incidents, including those that may occur with fundraising contractors. The integration of digital and hard-copy communication has only just begun, and the issues that participants in these markets face are also just starting to surface. Now is the time to take steps to protect your data.