Data Security Breaches - Not Just for Dot.Com Companies
Every organization has some level of exposure to the unintentional release of sensitive data. Most experts believe that it's not if a breach will occur within your organization, but when and how damaging it can be. Most organizations have data that is useful to criminals: contact and financial information for employees, clients, donors, funders, members and vendors.
What's at risk?
Breaches can come in all forms: human error, lost or stolen flash drives, laptops, smart phones and paper files. If these devices do not have robust password controls and encryption, the company's data can be breached. Organizations must consider what their potential exposures are, and how many records could be exposed in the event of a breach. Most nonprofits have more records than they originally thought.
In 2010, the average cost per compromised record was $214, per the Ponemon Institute, LLC. These costs can include investigative costs, attorney fees, cost of notification of the breach, call center support, crisis management, credit monitoring and possible indirect costs, such as damage to reputation. For a relatively small number of records (about 1,000), the financial and operational stress to an organization could be in excess of $214,000.
How do I evaluate my exposures?
Start with a comprehensive audit of your entire computer system and any other systems that hold sensitive data. The review can be done by an internal team or, as many experts recommend, by an independent firm that specializes in computer security evaluations. Once the audit is complete, improvements to the system should be made as soon as possible. Recommendations may be procedural, or they may be a combination of other actions, including new hardware and software. Verizon's Data Breach investigation report stated that 96% of breaches were avoidable by implementing simple measures.
Should I purchase insurance coverage?
Since no security controls are perfect, every nonprofit organization should at least consider purchasing some form of data breach/cyber security insurance coverage. Most insurance companies take the position that neither commercial general liability policies nor traditional property policies cover data breaches or cyber liability.
Regardless of your size, need or systems in place, there is an insurance product that can be tailored for your organization. The coverage is available to address first- and third-party risks with network security, privacy issues, crisis management, media and intellectual property issues and technology errors and omissions. However, even with all this coverage flexibility, a Business Insurance magazine survey stated that about 70% of companies are not buying the coverage.
Nonprofit organizations need to combine the efforts of risk management and data breach/cyber liability coverage to protect some of their most important assets. Like it or not, your responsibilities to protect this information are growing on a daily basis. And for every proactive measure taken, there is a criminal mind working even harder to undo your work. Breaches are increasing every year and nonprofit organizations are not exempt.