Board Responsibility: What to do in the Event of a Cyber Breach
July 01, 2021
Are board members legally liable in the event of a cyber breach? Find out here.
Imagine starting your workday before you have even finished your first cup of coffee, and realizing that something bad has happened. A flurry of texts, voicemails, and emails is bombarding your devices. In that moment of panic, all you can decipher is that the nonprofit Organization on whose Board you sit has been the victim of some type of cybersecurity attack!
Ignorance of the Risks is No Longer an Excuse
There was a time when an organization impacted by a cyber-attack could legitimately claim ignorance rather than negligence. Those days are long gone. The seriousness of cybercrime is no longer “new” information. In 2020 alone, there were over 1000 data breaches in the US and 155.8 million individuals impacted by data exposure.
The Lack of Federal Regulations Complicates Matters
Even though the risk of cyberattacks has never been greater, there is currently no comprehensive US federal legislation regarding data privacy. In truth, there is only a patchwork of sectoral laws governing privacy. The current Administration is expected to reestablish The White House Office of Cybersecurity, which was eliminated under the Trump Administration. However, state data privacy statutes and state laws on data breach notification are likely to continue to govern data privacy in the short term.
All fifty US states have data breach notification laws for a breach that involves private, personally identifiable information (PII). These laws require private, nonprofit, and governmental entities to inform people whose data was potentially breached. Unfortunately, fewer than 25 of those states have data security legislation that specifies the required data security practices.
California has the most comprehensive state data privacy statute. The California Consumer Privacy Act (CCPA) permits private causes of action for ‘consumers’ and requires companies to ask users for data collection/sharing permission. CCPA defines ‘consumer’ as a resident of California, meaning that only individuals who are domiciled in or are permanent residents of California can bring suit. CCPA applies to all nonprofit and for-profit companies. California consumers can sue if an eligible company fails to provide an option to opt out of third-party data sharing, or if it does not comply with a consumer’s request to provide a list of all stored personal data and/or a list of all third-party vendors with whom personal data was shared. Other states, including Nevada, Maine, and New York, have enacted privacy statutes similar to CCPA, and many other states will likely follow.
Attacks on Nonprofits
All organizations, including nonprofits, are possible targets for cyberattacks. The most serious data breach that the nonprofit industry has ever seen happened in 2020 with the attack on Blackbaud, a cloud software provider with over 25,000 clients worldwide. These clients include many nonprofits and schools that use its fundraising platform. The attack began in February of 2020 and was discovered in May; in July, the company informed customers of the breach. Blackbaud paid the ransom demanded in exchange for the attacker's promise that a subset of the data they copied would be destroyed.
Blackbaud has been named in dozens of lawsuits since then. Many of the impacted organizations that used Blackbaud’s services have also been named in lawsuits by people whose data was compromised. The Blackbaud breach is a poignant example of why you need to understand your own Organization’s cybersecurity strategy. That examination should also cover the key vendors you work with, especially if your customers’ and donors’ PII will be shared with those vendors in any way.
Naming Boards in Lawsuits
All organizations face the very real impact of reputational damage resulting from a data breach, in addition to major disruptions in daily operations while dealing with the fallout of a breach. Additionally, data breach litigation has become increasingly complex in the absence of federal privacy laws. This uncertainty opens the door to the possible liability of corporate directors and officers for data breaches.
What your Board can do to protect the Organization from a cyberattack
Nonprofits are a favorite target of cybercriminals. To reduce the risk, the Board should implement and maintain a cybersecurity plan. Here are a few suggestions to incorporate into your plan to reduce your cybersecurity risk:
Document Your Protocols: Many nonprofits don’t have any cybersecurity documentation in place, which leads to chaos if an attack occurs. Documented protocols give teams quicker access to the information that can help minimize the effects of an attack.
Train Your Staff: Training users on best practices and online hygiene can go a long way to reducing the risks of a cyberattack. User negligence and poor computer hygiene, such as weak passwords, are the leading cause of cyberattacks and data breaches.
Create and Test Backups and Redundancies: Create multiple instances of your Organization’s crucial data. Maintain system redundancies on both a physical server and in the cloud, so that if one instance is compromised you have backups ready to deploy. Having backups reduces the damage that a cyberattack can cause to your Organization. Testing the backup is also a crucial step that should not be overlooked.
Update Your Operating System and Patch All Software: Apply updates regularly so that known vulnerabilities cannot be exploited against you.
Have a Dedicated IT Expert or Consultant: Having someone monitoring your systems and network can help detect and fight threats as they arise.
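The "test your backups" point above is the one most often skipped in practice: a backup that has never been restored is an assumption, not a safeguard. The following Python script is an added illustration (it is not part of the original article and not a tool the author recommends) of the minimum check a technical team can automate: take a backup of a directory tree, record a SHA-256 manifest of every file, restore the backup to a fresh location, and confirm that every file comes back intact. The "donor_db" sample data, the directory layout and the plain directory copy used as the backup mechanism are all constructed for the example; a real backup job would use whatever tooling the Organization already runs, but the manifest-and-restore check applies unchanged.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def back_up(source: Path, backup_dir: Path) -> Path:
    """Copy the source tree to backup_dir/data and write manifest.json beside it.

    The manifest is computed from the live source, not from the copy, so it
    records what the data looked like at backup time.
    """
    shutil.copytree(source, backup_dir / "data")
    manifest = build_manifest(source)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return backup_dir


def verify_restore(backup_dir: Path, restore_to: Path) -> list:
    """Restore the backup into restore_to and return a list of problems.

    An empty list means every file in the manifest was restored with a
    matching checksum and nothing unexpected appeared.
    """
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    shutil.copytree(backup_dir / "data", restore_to)
    restored = build_manifest(restore_to)

    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"checksum mismatch: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected file in restore: {rel}")
    return problems


def demo(corrupt: bool = False) -> list:
    """Run a full backup/restore cycle on constructed sample data.

    With corrupt=True the backup copy is silently altered after it was taken,
    which is the kind of failure an untested backup would never reveal.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "donor_db"                      # constructed sample data
        (source / "records").mkdir(parents=True)
        (source / "records" / "donors.csv").write_text("id,name\n1,Sample Donor\n")
        (source / "config.ini").write_text("[app]\nversion=1\n")

        backup_dir = back_up(source, tmp / "backup")
        if corrupt:
            (backup_dir / "data" / "records" / "donors.csv").write_text("id,name\n")

        return verify_restore(backup_dir, tmp / "restored")


if __name__ == "__main__":
    print("clean backup problems:", demo())              # expected: []
    print("corrupted backup problems:", demo(corrupt=True))
```

Running the script restores the clean backup without findings and flags the tampered copy with a checksum mismatch on records/donors.csv. The design point is that the manifest is kept separate from the data and is written at backup time, so a later change to the backup copy, whether from media failure or from an intruder who reached the backup location, shows up the next time a restore test runs; a scheduled restore test that emails the problem list is a small amount of work for a control a Board can actually ask about.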
All organizations, nonprofits included, must abide by applicable statutory regulations and legal precedent. Directors must uphold their fiduciary duty by swiftly addressing data privacy vulnerabilities and breaches and by maintaining strong cybersecurity measures.
It is clear that part of a board’s responsibilities now centers around cybersecurity and data protection. If you are concerned about your Organization’s current cybersecurity strategy and your potential exposure to lawsuits in the event of a successful attack, we can help. Contact our team today to discuss how our security experts can help protect you and your Organization.
Read our series, Ten Basic Responsibilities of Nonprofit Boards.