Data security should be a top concern for fundraisers collecting personally identifiable information about their donors, experts say. Cybercrimes are a real threat, with the potential to compromise not only donors’ names, Social Security numbers, and contact information, but also details on how frequently they give and the value of their contributions.
“We are somewhat late, as a sector, to recognizing that the data that we collect and house is valuable, that bad actors want it,” says T. Clay Buck, a fundraising consultant.
Ransomware attacks — like the one fundraising technology provider Blackbaud experienced in 2020 — shake donors’ trust in organizations and cost a lot of money to resolve. Blackbaud has not disclosed how much it paid the hacker to destroy the copies they made of stolen data, but cybercriminals are exacting more money through ransoms. The total value of ransoms paid to cybercriminals was more than $600 million in 2021 — 70 percent higher than the previous year’s total, according to technology company Chainalysis.
The legal fallout costs money, too. A handful of donors sued not only Blackbaud, but also the charities that used the company’s technology to store their personal data.
“If we are going to honor and respect our donors,” Buck says, “data privacy and security has to be among the forefront of our conversations now because of the world we are all living in.”
Keep Security Top of Mind
Buck says fundraisers are still far too cavalier in how they handle identity information, even emailing unencrypted files of donor data. When this happens, Buck says he not only has to refuse and destroy the files, but he also needs to walk the fundraiser through the process of re-securing the database they just breached.
Going forward, data security must be top of mind for every fundraiser, says Michal Heiplik, president of the Contributor Development Partnership, which analyzes donor data for public-media organizations.
“Nonprofits in general just need to spend more time bringing their own teams up to par in terms of what data security is,” he says.
One nonprofit Buck works with formed a data-governance committee on its board to communicate new data-security guidelines from the top down. “That changed drastically the way that organization used and thought about data at every level, because, of course, in forming the governance committee, they had to review policies and procedures at the board level,” he says.
Getting the board involved and identifying key people to handle questions about data security made all the difference, Buck says. “Slowly but surely, it changed the attitude, and it changed the organizational culture around data.”
While some nonprofits are tackling the topic willingly, others are being forced to do so by legislation in states such as California and New York. Heiplik says nonprofits should expect federal involvement eventually, as European Union organizations already experienced with the passage of the General Data Protection Regulation in 2016.
Sound data-security practices are not only legally compliant with new data-privacy legislation, Heiplik says, but they’re also part and parcel of fundraising’s first principles. “It’s just being observant to the donor,” he says. “People are donating money; they expect a certain level of care and diligence from the organization.”