By David A. Jones
Damages can result in irreversible harm to a congregation’s image and sustainability.
Worldwide cybercrime, the theft and abuse of personal identification information, is a billion-dollar business now surpassing illegal drug trade.
In April 2012 Robert Mueller III, director of the FBI, reported to The New York Times,“Cyber attacks [will] soon replace terrorism as the agency’s No. 1 concern.”
Congregations are cast as easy targets for data theft. Frugal budgeting and limited resources in technological intelligence inherent with religious organizations often lead to weak security controls. The risk of losing data is high, given the scope of programs happening at all hours on and off campus. Furthermore, the high concentration of children under 18 – their stolen-identity value is higher than adults – makes churches more appealing to cyber thieves.
A data security breach occurs when an unauthorized person inadvertently receives or steals any nonpublic, personal identifiable information from an electronic system or mobile device. An example of a breach is when a youth pastor misplaces his iPad containing a youth group’s medical information while on a mission trip, or an executive pastor leaves his iPhone in an airplane seat pocket, providing access to reports with church members’ birth dates, phone numbers and addresses.
Churches are vulnerable to a breach if they:
- Record or store credit card, tax identification information and birth dates on donors, staff, members or volunteers.
- Maintain drivers’ licenses, insurance or Social Security information.
- Obtain medical information or histories on any church member for mission trips or youth activities.
- Issue smart phones, iPads, laptops or other electronic devices to staff.
An organization can incur several costs following a data breach, such as expenses for defense counsel and payments to a third party or victims of identity theft.
Depending on the jurisdiction, civil fines and penalties will be assessed for not reporting a data breach accurately and promptly to victims and to certain governing agencies. Forty-six states have enacted laws holding data owners responsible for a breach and requiring notification to the injured parties.
According to the Ponemon Institute’s 2010 Annual Study of U.S. Companies, tangible activities such as forensic detection and then the response — including legal advice, invitation to a credit report and monitoring service for the affected persons, mailing costs and public relations — consulting — quickly add up to an average of $73 per breached record. Indirect damages such as lost business and overhead expenses can cost on average an additional $141 per record.
Organizations can implement controls to reduce exposure and their data breach liability:
- Ensure all agreements with outside vendors, contractors and cloud computing providers include strong hold-harmless and indemnity clauses.
- Maintain a single computer exclusively for banking and donor information. Limit access to drives.
- Require, by contract, that all outside data providers and merchants stress-test their data systems for data breaches.
- Use complex passwords and current encryption software on all data devices; more importantly, know where confidential data is stored.
- Along with a “who-to-call” sheet following a breach, line up qualified consultants in PR and legal communication who have cyber expertise before an actual breach occurs.
- Conduct simulation exercises on lost data and penetration tests on data systems.
- Consider a data security or privacy liability insurance policy, which can restore a financial loss, cover notification expenses, and provide access to experienced legal, information technology forensic and PR advice.
It is critical that churches maintain the highest internal standards possible for protecting their members’ records. It is part of their fiduciary duties. Being good stewards of funds also means being good stewards of private information.
David A. Jones is a vice president at Lockton Companies, a privately owned, independent insurance and risk management broker. www.lockton.com
Cyber liability possibilities
Reckless posting of Internet content can lead to civil suits as well as image damage.
The risk is increased if a church conducts the following activities:
- Maintains a pastor’s blog, a social network page such as Facebook, an online book store or webcasts of services.
- Posts songs from an audio file on a social media website like YouTube or a pastor’s blog.
- Loads pictures of congregation or staff members on the organization’s website.
- Permits free local Wi-Fi access to the organization’s wireless router or cable modems.
Internal controls include:
- Enact peer review of all posted Internet content.
- Enable strong firewalls that are tested frequently.
- Control distribution of Wi-Fi passwords.
- Maintain records on photography or music releases and in-source website programmers.