SourceAmerica links business and government clients to its nationwide network of about 700 nonprofit agencies that hire people with disabilities, creating jobs and increasing inclusion for this sector. On March 25, 2021, the organization announced that it is issuing the SourceAmerica Cybersecurity Maturity Model Certification (CMMC) Grant for nonprofits in its network. This financial aid will help them meet the requirements of the U.S. Department of Defense’s (DoD) CMMC, which will be mandatory for all its contractors starting in fiscal year 2026.
The CMMC ensures that all the DoD’s contractors have cybersecurity policies and controls that meet the Pentagon’s security standards. The SourceAmerica grant will total seven to nine million dollars spread over five years. It will reimburse nonprofits for the costs of engaging third-party vendors to strengthen their cybersecurity skills and systems and earn certification.
The DoD’s CMMC and the SourceAmerica grant highlight the urgent need for cybersecurity measures and updates even among nonprofit organizations. Nonprofits deal with both government and private entities and, thus, process a large volume of valuable data that they are accountable for.
The EU General Data Protection Regulation
Nonprofit organizations in the U.S. and elsewhere around the world must comply with the European Union’s (EU) General Data Protection Regulation (GDPR) if they have partners or members in any EU member state, offer goods or services to people in the EU, seek or receive donations from people in the EU, or gather, view, process, or store personal data from the EU. This includes website analytics that track the online behavior of people in the EU.
Nonprofits must study the requirements of the GDPR, which include the data subject’s informed, specific, freely given, and demonstrable consent to data processing, as well as a lawful basis for and transparency of data processing, data security, privacy rights, and accountability and governance. The organization is responsible for keeping the data secure, and any breach will result in penalties. The maximum fine for a serious infringement can reach €20 million or four percent of the organization’s global annual revenue, whichever amount is higher.
According to a report by BDO, the Portuguese hospital Centro Hospitalar Barreiro Montijo had to pay a fine of €400,000 to the EU for violating the GDPR. Its data security measures were not enough to protect patient data: access to patient records was effectively unlimited rather than restricted to its 296 doctors.
U.S. State Data Privacy Laws
All nonprofit organizations must also comply with the various U.S. state data privacy laws that cover them. The California Consumer Privacy Act (CCPA) applies to businesses, but nonprofits working with corporate partners will also need to comply with its requirements. The CCPA guidelines closely resemble those of the GDPR. The California Privacy Rights Act of 2020 (CPRA) will also take effect on January 1, 2023.
Various U.S. states have breach notification laws that apply to nonprofits as well as businesses. These require the organization or company to notify the affected individuals and the State Attorney General whenever a breach compromises social security numbers, driver’s license numbers, passport numbers, state identification card numbers, or financial account numbers combined with a password, access code, or security code that allows access to those accounts. Violations of these laws incur penalties, and affected individuals can claim restitution. Among the jurisdictions with breach notification laws are Alabama, Arizona, Delaware, the District of Columbia, Illinois, Oregon, South Dakota, Texas, Vermont, and Washington.
U.S. Federal Privacy Laws
Several federal privacy laws may apply to some nonprofit organizations, as well. Nonprofits must determine what applies to them and comply accordingly.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects individuals’ health information. The Children’s Online Privacy Protection Rule (COPPA) regulates operators of websites or online services that are directed at children younger than 13 or that collect personal information from them. The Family Educational Rights and Privacy Act (FERPA) protects students’ education records in schools that receive federal funding.
What Nonprofits Must Do
Nonprofits need protection from cyberattacks because attackers know that they hold funds and that those funds are mostly allocated to projects, leaving cybersecurity a low priority. To counteract this, nonprofits must invest in a robust cybersecurity system and keep it updated against new forms of attack.
Organizations must get professional training for the entire team so that every individual is fully knowledgeable about cybersecurity measures. They must not overlook the simplest things, like regularly changing passwords and using complex passwords, because a single person’s weakness is all that attackers need to get in.
Nonprofit organizations must also limit access to sensitive data to a few key people. This greatly reduces the risk of exposure.
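One way to verify that access really is limited to the people who should have it, and to catch the condition described in the hospital case above (far more accounts able to read records than there were doctors), is to reconcile the accounts holding a privileged role against the roster of people entitled to it. This is an added example, not code from the article or from any organization it mentions; the role name, account records and roster are constructed sample values.

```python
"""Access reconciliation check (added example, not from the article).

Compares the accounts that hold a privileged role (here "clinician",
assumed to grant access to patient records) against the roster of
people who should hold it, and reports accounts that need review.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    username: str
    roles: frozenset
    active: bool


def reconcile_role(accounts, roster, role):
    """Return (excess, missing) for one privileged role.

    excess  : active accounts holding `role` whose user is not on the roster
              (the "access not limited to the doctors" condition)
    missing : roster members with no active account holding `role`
    """
    holders = {a.username for a in accounts if a.active and role in a.roles}
    roster = set(roster)
    return sorted(holders - roster), sorted(roster - holders)


def role_headcount_ok(accounts, roster, role):
    """True only when every active holder of `role` is on the roster."""
    excess, _ = reconcile_role(accounts, roster, role)
    return not excess


# Constructed sample data: three doctors on the roster, but five enabled
# accounts hold the clinician role (two of them should not).
DOCTOR_ROSTER = ["amaral", "costa", "ferreira"]
ACCOUNTS = [
    Account("amaral", frozenset({"clinician"}), True),
    Account("costa", frozenset({"clinician"}), True),
    Account("ferreira", frozenset({"clinician", "admin"}), True),
    Account("oldintern", frozenset({"clinician"}), False),  # disabled, ignored
    Account("reception1", frozenset({"clinician", "frontdesk"}), True),
    Account("it-svc", frozenset({"clinician"}), True),
]

if __name__ == "__main__":
    excess, missing = reconcile_role(ACCOUNTS, DOCTOR_ROSTER, "clinician")
    print("accounts to review:", excess)              # ['it-svc', 'reception1']
    print("roster members without access:", missing)  # []
```

Running this against the real identity directory and HR roster on a schedule turns the "limit access to a few key people" policy into a check that produces an auditable list of exceptions.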
It is vital to have a secure cloud file server solution that offers uninterrupted backup and unlimited data retention. In case of an attack or a physical hardware failure, this ensures that data is not lost and that restoration is immediate.
In this time of widespread cyberattacks, nonprofits cannot afford to be complacent with their data. They are accountable to all their stakeholders and must consider data security and protection as part of their mandate.