Equifax Inc. announced today that approximately 143 million US consumers had their records compromised in a breach that occurred between May and July 2017. Equifax has set up a website where you can check to see if your data was compromised – https://www.equifaxsecurity2017.com/. Additionally, you can enroll in free credit monitoring after checking to see if you were impacted.
Many nonprofits are at high risk for a data security breach and even higher risk for reputational and financial damage following a breach. The Nonprofit Risk Management Center has an excellent article on the risks and techniques for handling those risks (Data Privacy and Cyber Liability: What You Don’t Know Puts Your Mission at Risk).
Cyber insurance is confusing. Many nonprofit package policies include some cyber coverages, so you may think you are adequately covered; however, many of those policies only cover expenses for notification and response by your agency. There are other areas of exposure that should be considered:
- Notification Costs – Sending proper notification to all parties that were affected by the data breach can be very costly. The average cost in 2017 is tracking at $225 per affected record (per Ponemon & IBM Data Breach Study).
- Regulatory Investigation Expenses – Governmental or regulatory bodies can levy fines or charge the organization with investigation costs. Some policies will include coverage for these costs.
- Data Breach Liability – If any of the affected parties sue the organization for damages, this coverage will defend the agency and pay for the loss if the agency is found to be negligent.
- Content Liability – The nonprofit may be liable for copyright infringement and intellectual property claims related to the content on the organization’s website or social media sites.
- Crisis Management – Nonprofits are at greater reputational risk when a breach occurs. Donors, potential donors, board members, grantors, and program participants may be reluctant to continue to support the organization if they believe the organization was negligent in protecting their information. Some cyber liability policies include coverage for public relations assistance to minimize reputational damage.
- Credit Monitoring and Cleanup – The organization may be required to provide credit monitoring and cleanup to those affected by the loss of personally identifiable information.
- Business Interruption – The organization may have a different type of data breach or hack, such as a virus, worm or ransomware attack. Some nonprofits may lose income if they have to shut down their computer systems or operations due to the breach. Some policies can provide this coverage.
In addition, CyberScout has provided 5 Steps to Protect Yourself from the Equifax Breach. There are many steps that can be taken to protect data in your organization and the number one risk management technique is to train your staff! Employees and volunteers are the single biggest exposure. Many breaches and attacks occur through human error. If your nonprofit has a comprehensive Cyber Insurance Policy, the insurance carrier will likely offer proactive risk management tools and training for your nonprofit and your staff – take advantage of these tools to protect your data and reputation.