Church and Nonprofit Cybersecurity: What You Don’t Know Will Hurt You

Robert Showers, Esq. and Micah Schachtner, Esq.

In line with nearly all modern industries, nonprofits increasingly employ digital technology and online tools to expand their operational capabilities. But unlike larger corporations with more risk awareness and legal jeopardy, many nonprofits apply few security measures to their data storage and transactions. This common failure to address cybersecurity deficiencies creates fertile ground for hackers, who might target nonprofits’ digital frameworks to profit from them financially, disrupt their ministry, or both. The more these institutions use modern technology to facilitate their ministries, the more precautions they must take. If they physically lock their offices to prevent intruders from rifling through filing cabinets, they likewise should “lock” their digital storage spaces to limit hackers’ access. The only distinction is the means by which the data are stored.

Along with the security threat comes a growing risk that nonprofits could run afoul of state and federal laws that protect Personal Identifying Information (“PII”) or other sensitive data. Those laws impose obligations on many institutions—often including nonprofits—to safeguard information that donors, employees, and program participants have entrusted to them.

To protect sensitive digital information and ensure compliance with overlapping legal requirements, nonprofits should implement a Written Information Security Plan (“WISP”) and stay vigilant in their cybersecurity practices to protect against breaches before they happen—and mitigate the damage when they do. As Verizon CEO Lowell McAdam has often stated, “It’s not a question of if you’re going to get hacked. It’s when you’re going to get hacked” (emphasis added).1 Not protecting your computer systems and privacy data could be a ministry-ending event, not only for the church or nonprofit but also for the responsible parties.

I. Map Your Legal Obligations

Before nonprofits implement any security measures, they must know the law that applies in their jurisdiction and in any others in which they operate. To ensure total compliance, they should consult legal counsel to create a comprehensive checklist of any relevant federal and state requirements.

A. Federal Legal Requirements

Three federal laws that sometimes apply to churches and nonprofits are the CAN-SPAM Act (regulating commercial email),2 HIPAA (regulating health data privacy),3 and COPPA (regulating data collection from minors).4 Organizations must determine which of these apply to them or risk legal consequences that could cripple their ministry potential.

1. The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (the “CAN-SPAM Act”) requires honest subject lines and advertising in commercial emails, along with simple, clear opt-out processes.5 Nonprofits that do considerable advertising should ensure that they comply with these rules, or they risk penalties exceeding $50,000 per email.6

2. The Health Insurance Portability and Accountability Act (“HIPAA”) governs any organizations that handle “protected health information” (“PHI”).7 Nonprofits rarely are exempt from HIPAA, and they should comply regardless as a best practice. Written policies that comply with HIPAA are crucial to avoid breaches and severe legal consequences.

3. The Children’s Online Privacy Protection Act (“COPPA”) requires organizations to protect online data collected from children under age 13 and provide clear notice to parents and an opportunity for consent.8 The Federal Trade Commission enforces COPPA vigorously, so a nonprofit that runs afoul of these rules could face backbreaking civil penalties akin to the CAN-SPAM Act.

B. State Legal Requirements

Many national nonprofits and some larger churches are subject to various state data privacy laws that often apply even to out-of-state organizations. Twenty states now have passed comprehensive data privacy frameworks that can easily affect nonprofits whose donors or beneficiaries are subject to those laws.9 Some states (like Nebraska) provide limited exemptions for nonprofits,10 while others allow almost none at all (including Colorado and Oregon).11 These state laws usually involve more granular regulations on the collection, use, and sharing of PII. But nonprofits should note that these rules vary wildly from state to state, meaning that for an organization with national operations, some classes of donors, for example, will receive privacy benefits different from others.

California’s data privacy law deserves special attention here: the statute applies to any website or online service that collects PII, and requires conspicuous notice of privacy rights and the nature of the information collected, among other things.12 Thus, any nonprofit website that interacts with California donors or beneficiaries would be subject to state penalties if it does not comply strictly with the state’s data privacy law.

Other states differ in their data storage rules, data breach notice laws, and revenue or numeric thresholds that determine which nonprofits the cybersecurity rules will govern. The result is a matrix of data privacy laws that do not affect only the organizations in their respective states—rather, a nonprofit could be subject to one or subject to all, depending on its size and the extent of its operations. Nonprofits have two choices—they can either use data privacy policies that comply with every state’s law (an exhausting and burdensome process) or they can determine which specific states exercise jurisdiction over their cybersecurity practices. Qualified legal counsel is mandatory for either route.

II. Conduct a Data Inventory 

After determining the law that applies, nonprofits should conduct an inventory of the data that they collect and store. This step is crucial because it heavily affects legal obligations and the practical scope of any protections needed. 

Before drafting its WISP, a nonprofit must understand what types of information it is handling that could be subject to privacy concerns. The organization should start by identifying all employees, donors, program participants, and beneficiaries of its mission. This step requires mapping all names, addresses, contact information, financial details, and any other personal data into exhaustive categories to facilitate secure storage and transactions. Nonprofits should know (a) where they are collecting their data, (b) where they are storing their data, and (c) who has access to their data. 

Organizations should also verify every third party that handles PII for them, which could include payment processors or data storage in the cloud. This check should include evaluation of the security measures that those third parties employ for PII, because a nonprofit that affiliates with questionable partners may be held liable for neglecting due diligence. 

The last step before drafting a WISP should be to assess unique risks posed to the nonprofit’s data security. These may include human error or external breaches from hackers, either of which would result in financial and reputational harm to individuals and the organization. 

III. Draft a WISP 

A church or nonprofit’s Written Information Security Plan (WISP) need not be overwhelming—but it must be clear and must account for the applicable law in every jurisdiction where the nonprofit pursues its mission. 

First, the WISP should define exactly the types of data protected (and the classes of individuals associated with that data). The WISP should describe the nonprofit’s cybersecurity objectives that it will operationalize daily, in line with its written policies. These objectives should include, among other things, legal compliance and the integrity of the organization’s mission. 

The WISP should identify the roles and access levels for any personnel tasked with protecting PII (which includes essentially all employees and many volunteers). Pursuant to explicit terms in the WISP, the nonprofit should appoint an Information Security Coordinator who will enforce the WISP, report on compliance, and conduct breach prevention and response training. The WISP should also detail the access levels that lower-ranked personnel will have regarding PII, because security breaches can start anywhere along the chain. 

Finally, the WISP should outline the nonprofit’s safeguards that it actively implements to prevent breaches and mitigate damage after a breach. Sections V–VI below describe these measures in detail. 

IV. Create or Update Privacy Policies 

Notifying constituents and employees of their privacy protections and rights is always good practice for nonprofits—and may even be legally required depending on the jurisdiction and the nonprofit’s classification. 

Most obvious is the privacy policy on the organization’s website; this policy should be clear, conspicuous, and easily accessible to all visitors. This policy should plainly describe the details collected from each person, including the nature of any personal information, disclosures of any information shared with third parties, users’ rights to access and edit their data, and any other rights or privileges that the website visitor may receive under the relevant law or the nonprofit’s security/privacy framework. 

If applicable, organizations should also align their policies with the CAN-SPAM Act (described briefly above). They should strictly enforce their email/communications policies to comply with CAN-SPAM; this can include using truthful subject lines, easy opt-out processes, and other transparent marketing tactics. Notably, the Telephone Consumer Protection Act13 extends similar rules to text messages, so nonprofits should determine whether that Act applies to them and, if so, their duties under the law.

V. Implement Technical Safeguards 

A church or nonprofit can know its legal duties, categorize its PII, draft a WISP, and promulgate its privacy policies—but the organization must actively implement its written procedures, or the previous steps are wasted. 

The first step of implementation is determining the most secure storage and transaction spaces for digital information. This, like the law, changes often. Thus, just as nonprofits employ lawyers to regularly audit their legal compliance, they also should contract with experienced IT personnel to keep their cybersecurity airtight. 

Organizations should set up strict access controls for PII, using unique user IDs, high password complexity with regular changes, and multi-factor authentication. They should keep IT systems updated and install reputable anti-virus and firewall software to prevent small breaches from taking over their networks. Nonprofits should also use secure third-party payment processors, when possible, which will limit the amount of data that the organization stores on its own devices. Finally, nonprofits should ensure that every data transaction leaves “breadcrumbs,” which will allow auditors to identify and track down suspicious activity.
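The two controls in the paragraph above that an IT team actually builds, role-based access to PII and an audit trail that lets an auditor spot unusual activity, are illustrated below. This is an added example for this article, not code from the authors or from any product; the roles, the permission table, the donor records and the user IDs are all constructed for the illustration, and the thresholds in `flag_suspicious` are placeholders a real organization would tune in its WISP.

```python
"""Added example: gate every PII access through a role check and record it.

Every call, allowed or denied, appends an AuditEvent (the "breadcrumb"), so an
auditor can later ask who touched which donor record and flag unusual patterns.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed example policy: which operations each role may perform on PII.
ROLE_PERMISSIONS = {
    "security_coordinator": {"read", "export", "delete"},
    "finance": {"read", "export"},
    "volunteer": {"read"},
}


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str     # ISO-8601, UTC
    user_id: str       # unique per person, never a shared account
    role: str
    operation: str
    record_id: str
    allowed: bool


class PiiStore:
    """Holds PII records; every access is authorized and logged."""

    def __init__(self, records):
        self._records = dict(records)
        self.audit_log = []  # append-only list of AuditEvent

    def access(self, user_id, role, operation, record_id):
        """Return the record (or None if denied) and log the attempt either way."""
        permitted = operation in ROLE_PERMISSIONS.get(role, set())
        allowed = permitted and record_id in self._records
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user_id=user_id, role=role, operation=operation,
            record_id=record_id, allowed=allowed))
        if not allowed:
            return None
        if operation == "delete":
            return self._records.pop(record_id)
        return self._records[record_id]


def flag_suspicious(log, max_denials=2, max_allowed_ops=5):
    """Return user IDs an auditor should look at.

    Two simple signals from the audit trail (placeholder thresholds):
    repeated denied attempts, and more successful operations than a normal
    session would need (possible bulk harvesting of donor data).
    """
    denied = Counter(e.user_id for e in log if not e.allowed)
    allowed = Counter(e.user_id for e in log if e.allowed)
    flagged = {u for u, n in denied.items() if n >= max_denials}
    flagged |= {u for u, n in allowed.items() if n > max_allowed_ops}
    return sorted(flagged)


def demo():
    """Constructed scenario: one normal user, one probing user, one bulk reader."""
    store = PiiStore({f"donor-{i}": {"name": f"Donor {i}"} for i in range(10)})
    store.access("fin01", "finance", "export", "donor-1")     # allowed
    store.access("vol01", "volunteer", "export", "donor-2")   # denied
    store.access("vol01", "volunteer", "delete", "donor-2")   # denied
    for i in range(7):                                        # bulk read
        store.access("vol02", "volunteer", "read", f"donor-{i}")
    return store, flag_suspicious(store.audit_log)


if __name__ == "__main__":
    store, flagged = demo()
    for event in store.audit_log:
        print(event)
    print("review these users:", flagged)
```

The log is kept in memory only to keep the example self-contained; in practice the events would go to storage that the users being audited cannot alter, and the review in `flag_suspicious` would run on a schedule as part of the monitoring described in Section VIII.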

VI. Develop a Response Plan for Data Breaches 

When the inevitable data breach happens, nonprofits should be ready to act immediately; this requires a clear procedure that everyone involved can access and follow. 

When an organization detects a data breach, it should have simple criteria and pre-approved templates for escalating the breach to authorities. The Information Security Coordinator should quickly issue an internal alert to the executive team and legal counsel, who can begin investigating and determining the appropriate state deadline for reporting the breach to regulators. 

In conjunction with reporting, the nonprofit’s cybersecurity team should work to contain the breach and restore all affected systems to full capacity. Although not always possible, the team should work to claw back any PII lost in the breach, hiring outside help for more sophisticated breaches. 

After determining the cause and extent of the breach, the team should incorporate any lessons learned into its drills to prepare for future incidents. Those drills should include IT staff, legal counsel, and anyone else who may benefit from being up to date on the latest intrusion tactics.

VII. Train Employees and Volunteers 

All individuals who handle PII at a nonprofit are responsible for protecting that information; this necessitates regular training on the latest security procedures and incident reporting guidelines. 

An organization should run annual workshops to help its people identify red flags, handle data securely, and respond competently when a breach occurs. New hires, of course, should receive this training immediately as part of their onboarding. Monthly bulletins with updates on emerging security risks will keep people refreshed on their duties as PII caretakers. 

This training should include hard metrics to test whether individuals understand cybersecurity threats and how to respond. Nonprofits would do well to bring in outside help that can record objective test results and identify weak links. 

VIII. Monitor and Audit Everything 

Nonprofits that truly wish to protect their digital data must routinely check and re-check their systems for optimal security. Every year, the board should approve the WISP and privacy policies, updating them if needed to keep pace with attacks. This reapproval process should factor in legal counsel’s suggestions and IT’s experience accumulated over the last year.

A nonprofit should also scan for vulnerabilities regularly, using penetration testing to get a realistic picture of its systems’ flaws. Furthermore, organizations should be sure that all access rights are current, so that outdated user IDs and passwords are not floating in “cyberspace” without a trustworthy assigned user. 

Finally, nonprofits should occasionally check that their vendors (especially payment processors) continue to meet rigorous security standards, and should consider moving on to other vendors if concerns arise. 

IX. Acquire Cyber Liability Insurance 

Nonprofits should consider buying insurance to cover some of their liability in the event of a data breach. They should look for policies that cover the costs of legal compliance, investigations, and breach notification. 

Along with finding dedicated cyber insurance, organizations should ensure that their Directors and Officers (“D&O”) insurance does not exclude cyber-related liability. Of course, the cost of a breach should be weighed against the cost of maintaining an insurance policy—depending on the nonprofit’s size and geographic extent of operations, buying insurance may not make sense for some organizations. 

Conclusion 

Churches and nonprofits in the 21st century suffer from the same cybersecurity maladies as any other organization with digitally stored data. However, they have become more of a target as hackers become more unscrupulous, leading to new forms of liability that many nonprofits have not encountered—but certainly will. By drafting and implementing a legally compliant and tailored WISP, ensuring compliance with state and federal laws, and stress-testing their systems rigorously, nonprofits can better safeguard their missions for the sake of their donors, their beneficiaries, and the public. A WISP and its rigorous implementation are requirements, not options, for organizations that want to prevent ministry-ending events such as cybersecurity attacks that expose donor and confidential information. 

 Disclaimer: This memorandum is provided for general information purposes only and is not a substitute for legal advice particular to your situation. No recipients of this memo should act or refrain from acting solely on the basis of this memorandum without seeking professional legal counsel. Simms Showers LLP expressly disclaims all liability relating to actions taken or not taken based solely on the content of this memorandum.  

If we can answer any further questions or provide additional information about this process, please do not hesitate to contact our attorneys Robert Showers, Esq. at hrs@simmsshowerslaw.com or Micah Schachtner Esq.  at mjs@simmsshowerslaw.com or call 703.771.4671. 
