Cybersecurity and Protecting Donor Data

It has been said that donors give with their hearts first and then with their wallets. Nonprofit organizations understand this, which is why they work so hard to stay connected with their donors, building and maintaining solid relationships throughout the year. Today’s technology has simplified this process, allowing nonprofits to collect and store information so they can stay in contact with major donors and find new ones. With that convenience, however, comes the responsibility of protecting the data.

Understanding the liability

Federal and state privacy regulations require nonprofit organizations to protect the personally identifiable information (PII) of their donors. Under state data breach laws, a record that contains a donor’s first or last name combined with a Social Security number, a driver’s license or state identification number, or financial information such as a credit or debit card number is regulated personal information, and the organization that holds it is responsible if it is breached. That responsibility covers every network the organization uses, including the devices that volunteers and staff use remotely, as well as paper records and files.

Organizations that collect, store, process, or transmit donors’ credit or debit cardholder data or sensitive authentication data must also comply with the Payment Card Industry Data Security Standard (PCI DSS), regardless of how many cards they handle or how the payments are processed. According to the website Lexology, even a nonprofit that outsources its cardholder data environment or payment operations to an outside vendor remains responsible for ensuring that the vendor abides by PCI DSS requirements on its behalf. Outsourcing can shrink the scope of what the nonprofit itself must secure, but it does not remove the obligation: if the vendor fails to comply with PCI DSS, the payment card companies may hold the nonprofit responsible.

Keeping donor information safe

Nonprofit organizations have become prime targets for hackers. Even so, there is a great deal your nonprofit clients can do to safeguard the PII of their donors.

Perform regular software updates. Delayed system updates and missing security patches leave known vulnerabilities open, which makes the organization’s data platform an easier target for an attack.

Use antivirus and anti-malware technology for safer internet browsing. Not everyone in an organization is going to be diligent about best practices for preventing a cyberattack. Antivirus and anti-malware software reduces the risk of virus and malware infections by automatically blocking suspicious downloads and scanning for known threats. It will not catch everything, so it complements rather than replaces the other measures described here.

Consider a virtual private network. A virtual private network (VPN) gives staff and volunteers an encrypted connection to the organization’s network from wherever they are, on any device. This allows remote work to be done with the same privacy and security controls that are in place at the office. A VPN protects data in transit; it does not make an infected or unmanaged device safe, so remote devices still need the updates and anti-malware protection described above.

Encrypt stored data. While not foolproof, encrypting donor data stored on the organization’s systems adds an extra layer of protection. If attackers steal a database or a backup, what they obtain is encrypted and, provided the encryption keys were stored separately and not taken along with it, unusable to them. Encryption at rest does not protect data that an attacker reads through a compromised application or user account that is already authorized to decrypt it, so key management and access control matter as much as the encryption itself.
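To make the encryption advice above concrete, the following is an added example, not code from the original article or from Charity First, showing what "encrypt stored donor data" looks like in practice. It uses AES-256-GCM from the Go standard library to seal a constructed donor record, binds the donor ID to the ciphertext so a record cannot be swapped into another donor’s row, and demonstrates that a stolen copy of the stored bytes reveals nothing and that any tampering, wrong key, or mismatched ID is rejected. The donor record, field names, and function names are assumptions for illustration; the key is generated inline here, but in a real deployment it would come from a separate key store.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// DonorRecord is a constructed sample of the kind of PII the article describes.
// Field names are assumptions for this example.
type DonorRecord struct {
	DonorID   string `json:"donor_id"`
	Name      string `json:"name"`
	SSN       string `json:"ssn,omitempty"`
	CardLast4 string `json:"card_last4,omitempty"`
}

// NewKey returns a fresh 256-bit AES key. In a real deployment the key lives in
// a separate key store (an HSM, a cloud KMS, or at minimum a file with restricted
// permissions), never in the same database or backup as the encrypted records.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord serialises the record as JSON and seals it with AES-256-GCM.
// The donor ID is passed as associated data, so a ciphertext stored under one
// donor cannot be silently moved to another donor's row and still decrypt.
// Stored layout: nonce || ciphertext || authentication tag.
func EncryptRecord(key []byte, rec DonorRecord) ([]byte, error) {
	plaintext, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reusing a nonce under the same key
	// breaks GCM, so it is never derived from the record contents.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(rec.DonorID)), nil
}

// DecryptRecord reverses EncryptRecord. Any change to the stored bytes, a wrong
// key, or a donor ID that does not match fails authentication and returns an
// error instead of garbage plaintext.
func DecryptRecord(key []byte, donorID string, sealed []byte) (DonorRecord, error) {
	var rec DonorRecord
	block, err := aes.NewCipher(key)
	if err != nil {
		return rec, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return rec, err
	}
	if len(sealed) < aead.NonceSize() {
		return rec, errors.New("stored record too short to contain a nonce")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	plaintext, err := aead.Open(nil, nonce, ct, []byte(donorID))
	if err != nil {
		return rec, fmt.Errorf("record failed authentication: %w", err)
	}
	if err := json.Unmarshal(plaintext, &rec); err != nil {
		return rec, err
	}
	return rec, nil
}

// ContainsPlaintext reports whether a sensitive value appears verbatim in the
// stored bytes, which is what an attacker with only a database dump would see.
func ContainsPlaintext(sealed []byte, needle string) bool {
	return bytes.Contains(sealed, []byte(needle))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	rec := DonorRecord{DonorID: "D-1001", Name: "Jane Example", SSN: "123-45-6789", CardLast4: "4242"}
	sealed, err := EncryptRecord(key, rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("SSN visible in stored bytes:", ContainsPlaintext(sealed, rec.SSN))
	got, err := DecryptRecord(key, "D-1001", sealed)
	fmt.Println("right key and ID:", got.Name, err)
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptRecord(key, "D-1001", tampered)
	fmt.Println("tampered bytes:", err)
	_, err = DecryptRecord(key, "D-2002", sealed)
	fmt.Println("moved to another donor's row:", err)
}
```

The design choice worth noting is the associated data: encrypting each record on its own is not enough if an attacker with write access to the database can copy one donor’s ciphertext over another’s, and binding the donor ID to the ciphertext closes that gap. The example also shows the limit the paragraph above describes: anything holding `key` can read every record, so the key must be kept apart from the data and handed only to the components that genuinely need to decrypt.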

Create a culture of privacy protection. Establishing an organization-wide privacy program puts data security in the hands of everyone at the organization. That includes training staff and volunteers to recognize and avoid phishing scams, to use strong, unique passwords, and to follow best practices for safeguarding physical files and other hard copies that contain PII.


With the many tasks nonprofit organizations must perform every day, it is easy to become lax about data management. No method of protection can guarantee against a cyberattack, which is why it is vital to educate your clients about the role of cyber insurance in mitigating the risk that remains.

For resources that can help your nonprofit clients learn more about how to address cybersecurity risks, visit the National Council of Nonprofits.

About Charity First

The incredible services that nonprofits provide come with unique and complex risks that are part of their everyday work in serving the elderly, children and other vulnerable populations. It is why Charity First is committed to providing our retail partners across the country with best-in-class underwriting, consistent and responsive service, and risk management services that include comprehensive cybersecurity coverage that can be customized to meet the individual needs of their nonprofit clients. To learn more about our cyber coverage or other products, please contact us at 800-352-2761 or