Protecting Donor Information: Is their identity at risk?
November 14, 2019 Nonprofit

Online giving has grown considerably over the last several years. For nonprofits without the appropriate IT infrastructure and security policies, these increased online donations can also mean greater exposure to cybercrime.

While all businesses are at risk for cyberattacks, organizations with budget constraints and a lack of skilled tech support are even more vulnerable. Hackers target charities because they’re widely thought to have less-than-robust payment security and data storage protections in place. And because nonprofits collect extensive personal information on their donors, these detailed data files are prime targets for hackers.

Ransomware attacks, in which hackers access stored data, encrypt it and then demand a ransom for its release, are also on the rise. The ransom demand might be relatively low, but after you agree to pay it, there’s no guarantee that additional demands won’t follow or that the data returned to you won’t be damaged or distributed to identity thieves.

Cybercriminals increasingly take advantage of nonprofits’ reliance on automated clearing house (“ACH”) transactions, which require donors to submit their bank routing numbers. Donors like ACH payments because they’re useful for making automatic, recurring gifts, and hackers like them because they can provide access to donors’ individual bank accounts.

If donors find that their personal information has been compromised, they will likely think twice about providing future donations.

Create layers of protection

You can reduce your organization’s risk, even with a limited budget, by implementing the following policies and best practices:

  • Restrict access to network administration to only those staff members who require access.
  • Ensure that your payment processing system follows industry standards such as security protocols that encrypt data and authenticate transaction parties.
  • Update antivirus, antimalware and antispam software as soon as patches become available.
  • Require complex passwords across your systems and change them frequently.
  • Educate staff and volunteers about ways criminals might try to gain password access.
  • Always use caution. Never open an attachment or click on a link for something you were not expecting, even if it is from a known sender.

As an added precautionary measure, consider implementing two-factor authentication. Two-factor authentication shields networks with both a regular password and another challenge, such as a temporary password texted to a mobile phone.

Limit data collection

Excessive collection of unnecessary data is also a threat to your donors. The type and amount of data you collect and store could put them at greater risk of identity theft. In general, collect only what you absolutely need and store only what you’re certain you can keep safe and confidential.

Make your donors aware of your practices by stating on your website what data is collected, how it’s processed and how it’s stored. Provide a mechanism that allows donors to opt out of data collection. Also, remind donors of the risk of transmitting sensitive information while using public Wi-Fi. Lastly, provide a telephone number and mailing address should donors decide they’d prefer to give the old-fashioned way to limit their risk.

Have a disaster recovery plan in place

You may not want to think about it, but your nonprofit should be prepared in the event cybercriminals breach your network or payment processing system. Time is of the essence if you are attacked. A good disaster plan includes detailed procedures for limiting damage, fixing vulnerabilities and communicating with those who might be affected.

The negative publicity of such an attack could do more damage to your organization than the cyberattack itself, which is why it’s important to include PR and communications specialists when responding to an incident.

We can help you with assessing your organization’s vulnerability to identify potential risks and opportunities for improvement. Contact your BMF Advisor to discuss how we can help so you can focus on your mission.

About the Authors

Katie A. Allender
CPA
Manager, Assurance and Advisory
