It is a common misconception that only IT firms or other companies in the technology sector are targets in data breaches. Businesses of all sizes across all industries are vulnerable to cyber-attacks and data breaches, and not even nonprofit organizations are safe.
Nonprofit and social service organizations in fact have their own unique set of cyber liability concerns. While nonprofits do not operate under the same business model as “for profit” businesses, they still conduct many of the same operational activities and are subject to many of the same risks of data breach.
The National Council of Nonprofits has designated three key cybersecurity concerns for nonprofit and social services organizations:
- Conducting any sort of e-commerce, including processing donations and event registrations;
- Storing and transferring personally identifiable information (PII) belonging to donors and others; this includes driver’s license or state identification information, addresses, medical information, Social Security numbers, banking information, and more;
- Collecting information on the habits and preferences of people including donors, patrons, and subscribers.
The loss of hard copy (paper) documents that contain protected information is also considered a data breach and has potentially the same exposure to statutory penalties and third-party claims. Organizations that do any of the above or utilize technology in any way in their day-to-day operations should ensure that they understand their risk profile and secure the appropriate insurance coverage for their operation. Coverage can be provided either under a stand-alone Cyber Liability policy or through endorsement to the General Liability or Directors & Officers Liability policy. Your insurance/risk management professional can assess the most appropriate coverage for your organization. The programs offered through BMTIA for nonprofits and social services include Cyber Liability coverage specifically designed to cover this sector’s unique needs.
First-Party Cyber Coverage
First-Party coverage strictly covers the cost of the data breach itself. If a breach occurs and information is compromised, this policy will cover the costs associated with:
- Data restoration and recovery
- Notifying clients and any other affected individuals
- Statutory fines and penalties
- Data forensics to determine the source of the breach
- Public relations campaigns to repair any reputation damage
- Credit monitoring services for affected individuals
- Cyber extortion demands
- Ransomware and potential payment to retrieve locked data
Third-Party Cyber Coverage
Unfortunately, the cost of a data breach does not stop when the breach is contained and the incident has ended. It is not uncommon for an insured organization’s client to subsequently sue the organization to recover damages from having their information breached. This is where Third-Party coverage enters the equation, providing coverage for costs including:
- Attorney fees
- Court costs
- Settlements or judgments
While there have been very few successful third-party cases, the cost of defense can be substantial.