Cybersecurity and Privacy Risks for Nonprofits: Navigating the Minefield

Client Advisory

April 11, 2019


If you thought that cyber-criminals were morally opposed to targeting charities, foundations and other nonprofits, you would be very wrong. Such criminals do not discriminate. In fact, nonprofits are particularly vulnerable because they tend to collect and store sensitive financial and personal data (e.g., information about donors, members, and program beneficiaries such as children, students, seniors, patients, and grantees), and may lack adequate information security teams and other resources that protect large companies. These vulnerabilities, along with nonprofits’ strong online presence and the rise in online donations, make them an ideal target for cyber-attacks.

Yet nonprofits continue to lag behind for-profit entities in their data security efforts and preparations. According to a recent survey of more than 250 nonprofit organizations, approximately 40% of those nonprofits did not have policies to guide the handling of cybersecurity risk, technology use, and data privacy, and almost 60% provided no cybersecurity training for their personnel.[1]

Nonprofits also must stay informed about the ever-expanding patchwork of data privacy laws, including the European Union’s Global Data Protection Regulation (“GDPR”) and U.S. data breach notification laws.

Make no mistake – cybersecurity and privacy are Board-level concerns. Directors and officers owe fiduciary duties to the nonprofit organizations they manage. This does not mean that every Board member must become a cybersecurity and privacy expert. A Board may manage the corporation’s business and affairs directly, or designate a committee or other group to do so under the Board’s direction. In general, a member of the Board or committee will be protected in relying in good faith upon information provided by persons with professional or expert competence who are selected with reasonable care.

Although there is limited case law addressing nonprofit directors’ and officers’ fiduciary duties in the context of cybersecurity and privacy laws, there are a few guiding principles we can glean from the wealth of case law addressing fiduciary duties in other contexts. As a general rule, Board members should attempt in good faith to ensure that systems and controls are in place to manage cybersecurity risks and comply with privacy laws, and that those systems are adequate. The Board should remain reasonably informed of all material information reasonably available to it at the time of significant decisions about cybersecurity and privacy, and the Board cannot ignore “red flags.”

The remainder of this advisory describes some common cyber threats and provides an overview of privacy and data-breach laws, and the Appendix offers some recommended best practices.

Common Types of Cyber Threats and Risks

The following are a few of the more common types of cybersecurity attacks affecting nonprofits:

Malware attacks involve the use of malware (malicious software) to infect a victim’s computer system in order to disable the system, prevent user access, or steal sensitive or valuable data. It is often concealed in an email attachment, link, pop-up, or webpage. When the link or pop-up is opened, malware can spread. For example, in November 2018, Make-A-Wish Foundation’s international website was the subject of a crypto-mining malware attack, which then affected all users that visited the infected webpage and allowed the attackers to generate cryptocurrency from the users. The attackers exploited the charity’s website, likely because of the high number of users accessing the site during the holidays. The attack severely compromised the charity’s website operations and fundraising.[2]

Ransom malware, or ransomware, is a type of malware attack in which the hacker prevents users from accessing their system or data, or threatens disclosure of data, until or unless a ransom payment is made, often in the form of cryptocurrency such as Bitcoin.

  • In January 2017, a small cancer-related charity in Indiana was the victim of a malware attack which wiped its servers of information pertaining to operations, grant documents, donor names and contact information, and some employee social security numbers. The hacker threatened to release the data on the dark web and demanded a ransom of 50 Bitcoins, then valued at about $43,000, later reduced to about $12,000, for the return of the data. The charity refused to pay the ransom, but reportedly spent months rebuilding its data.[3]
  • In 2016, a Los Angeles nonprofit hospital suffered a ransomware attack and reportedly paid a ransom of 40 Bitcoins (then approximately $17,000) in order to access critical medical records that were rendered inaccessible by the attack.[4]
  • In May 2017, the global ransomware known as WannaCry struck the UK’s National Health Services (NHS), shutting down the computer systems and demanding Bitcoin ransom. According to a government report, no ransom was paid but the attack caused more than 19,000 medical appointments to be cancelled and cost the NHS over £90 million to restore data and upgrade its computer systems.[5]

Denial of Service (“DoS”) attacks disrupt web services by flooding web servers with traffic in order to prevent access to the site. A Distributed Denial of Service (“DDoS”) attack is accomplished using multiple computers. These attacks can be easily engineered from nearly any location, and finding those responsible can be extremely difficult. For example, in 2018, a DDoS attack struck a crowdfunding website operated by an Irish group lobbying for removal of the constitutional ban on abortion, which caused the site to be shut down during a peak time for donations in advance of the national referendum vote.[6]

Password attacks use software or programs to learn a user’s password and then access sensitive or financial data.

In a phishing attack, a scammer typically obtains personal or financial information through trickery or false pretenses, such as impersonating a supervisor, financial institution, supplier, vendor or other person or entity. The attacker may mimic a charity’s brand to dupe donors into clicking a fake link to donate, thereby providing their financial information to criminals.

  • In 2017, after Hurricane Harvey, the U.S. Department of Homeland Security warned of scammers using email to send bogus links that promised to let users help victims; instead, the links led to fake websites soliciting credit card and personal information.[7]
  • In April 2019, a Massachusetts nonprofit hospital reported that it was the victim of a phishing incident which resulted in the unauthorized access to email accounts of several employees and exposed information of about 12,000 patients.[8]

Spoofing attacks similarly involve impersonation of a trusted sender in which the impersonator asks the user to perform a specific action, such as transferring money or providing the impersonator with access credentials.

Many of these attacks, particularly phishing and spoofing attacks, are caused by, or can be linked directly to, human error. Nonprofits should train directors, officers, employees and, where appropriate, volunteers, on the types of prevalent cyber threats, typical red flags, and the organization’s cybersecurity policies and procedures.

Privacy Risks and Regulations

Nonprofits must stay informed about the ever-evolving patchwork of privacy laws. Following the enactment of the GDPR in 2018, and sweeping proposals for similar legislation in several U.S. states, privacy will remain an area of focus for all companies, including nonprofits, for the foreseeable future.

The GDPR, which took effect in May 2018, applies to all entities throughout the world, including nonprofits, which do business with persons who are in the EU, regardless of such persons’ nationality or place of residence, or which directly or indirectly possess, collect, or otherwise process personal data of such persons (the GDPR refers to such entities as “data controllers” or “data processors”). “Personal data” is broadly defined to mean any information directly or indirectly relating to an identified or identifiable natural person, such as a name, an ID number, location data, online identifiers (e.g., IP and email addresses and cookie identifiers), or banking information.

Data controllers must minimize data collection and processing to only what is necessary, ensure appropriate security of data, keep accurate records of all processing of applicable data, and provide such records upon request. Lawful processing of personal data requires that organizations obtain consent of the data subject (the EU citizen) or have another authorized legal basis for processing. Consent must be explicit as opposed to implied, and must be “freely given.” In addition, data controllers must disclose to data subjects what data they collect, how it is stored and the purposes for which it is used, as well as the data subjects’ right to request access to their data, to withdraw consent, and to lodge a complaint with an EU state’s supervisory authority. Data controllers are required to report breach incidents under certain circumstances, and the penalties for GDPR violations can be severe. For a primer on the GDPR, see our April 2018 Advisory.

As discussed in our April 2017 Client Advisory, U.S. states, as well as the District of Columbia, have statutes requiring private entities, including nonprofits, to report security breaches involving personally identifiable information (“PII”) and notify affected individuals. State breach laws typically contain provisions regarding who must comply with the law, definitions of applicable personal information, what constitutes a breach, notice and reporting requirements, and exemptions.

Though not applicable to nonprofits at this point, the State of California recently passed the California Consumer Privacy Act of 2018 (“CCPA”), an expansive and landmark consumer privacy law which becomes operative on January 1, 2020. The State of Washington recently proposed its own sweeping privacy legislation, which, in its current draft form, would apply to nonprofits that meet certain criteria. Other states are likely to follow suit.

Meanwhile, consumer advocates have been joined by legislators and even technology industry leaders in insisting on some form of unified federal consumer privacy regime and accompanying regulatory framework to streamline compliance. For further information on the CCPA and federal law developments, see our January 2019 Client Advisory.


Given the increased threat of cyber-attacks, the ever-expanding privacy laws, the massive amount of personal data that nonprofits collect, and the costs of privacy violations and data breaches (financial, legal, reputational and otherwise), nonprofits must be proactive in order to minimize those risks and costs. Nonprofits are encouraged to consult counsel regarding the best practices listed in the Appendix to this advisory and other security and privacy initiatives.

* * *

For more information concerning the matters discussed in this publication, please contact the authors Matthew D. Dunn (212-238-8706) or Jeremy S. Steckel (212-238-8786), or another member of the Cybersecurity and Data Privacy or Tax-Exempt Organizations Practice Groups, or your regular Carter Ledyard attorney.

Cybersecurity and Privacy – Recommended Best Practices for Nonprofits


1. Appoint a CISO. Appoint a Chief Information Security Officer or the equivalent.

2. Build Compliance into Governance Structure. Make sure it is clear whether the Board will manage cybersecurity and privacy compliance or will delegate this to a committee under the Board’s supervision. If the latter, include a section about cybersecurity and privacy in the committee’s charter, and require the committee to update the Board periodically.

3. Conduct Organizational Risk Assessment.

  • Identify the types of information maintained by the organization that may be prone to cybersecurity attacks and data breaches, and determine whether such information is protected by the GDPR or other privacy laws. Identify how and where such data is stored, and whether there are adequate security safeguards in place.
  • Conduct a technical vulnerability assessment, identifying weaknesses and risks associated with computer systems and websites.
  • Assess the organization’s existing cybersecurity and privacy policies or protections.
  • Conduct a risk assessment of third party vendors or professionals that have access to the organization’s data (e.g., fundraising counsel, online fundraising platforms, production/mailing services, caging, list management or brokers), and ask about their cybersecurity and privacy policies and programs.

4. Understand Legal Obligations. Evaluate which U.S. and foreign laws apply to the organization, and understand the organization’s obligations under such laws. Adopt/update cybersecurity and privacy policies and programs to reflect such requirements.

5. Understand and Comply with the GDPR, if applicable.

  • Adopt or update GDPR-compliant privacy or data protection policies.
  • Ensure that privacy policies disclose to data subjects the data collected, how it is stored, and the purposes for which it is used, as well as the data subjects’ right to request access to the data, to withdraw consent, and to lodge a complaint with an EU state’s supervisory authority.
  • Consider posting or providing a link to the privacy policy on the organization’s website and, if cookies are used to collect data on users, including a pop-up consent banner.

6. Data Storage and Security. Minimize the personal data that is collected and stored and the locations where such data is stored, and ensure that there are adequate physical and online security measures in place. Doors and offices should be locked. Only authorized personnel should have access to computer systems.

7. Train Personnel, Adopt Incident Response Plan, and Test Organizational Breach Response.

  • Conduct training to ensure personnel understand cybersecurity and privacy policies and how to identify red flags associated with phishing, spoofing, and other cyber-attacks.
  • Maintain an “Incident Response Plan” detailing steps to take in the event of a breach and allocating responsibilities to certain personnel. Run simulation exercises to practice the incident response plan. Review and update the plan periodically.
  • Conduct penetration testing that simulates certain cyber-attacks and tests the security of IT systems. This is typically done by a consultant or vendor.

8. Review Diligence of Third Party Vendors. Ensure that third party vendors and professionals with access to the organization’s data have cybersecurity and privacy policies that adequately protect such data. Include corresponding representations, warranties and indemnification provisions in third party contracts to protect the organization.

9. Network Security and Technology. Consider implementing technology such as a network firewall, anti-virus and anti-malware software, encryption of data in transit and at rest, unique logins and passwords for personnel access to the network, complex passwords that are required to be changed regularly, and dual factor authentication for remote access to the network, among others.

10. Consider Cloud-based Data Management. For an organization with a small budget, consider moving to a reputable cloud-based data management platform, which effectively allows the organization to outsource certain aspects of data security to such platform provider.

11. Assess Insurance Coverage. Review existing insurance plans to determine whether and to what extent they cover cyber-attacks or data breaches.

Carter Ledyard & Milburn LLP uses Client Advisories to inform clients and other interested parties of noteworthy issues, decisions and legislation which may affect them or their businesses. A Client Advisory does not constitute legal advice or an opinion. This document was not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. © 2019 Carter Ledyard & Milburn LLP.