I had the opportunity to attend two events last month that covered the topic of data security. The first was a luncheon sponsored by ACG Minnesota featuring personnel from well-respected legal and accounting firms, and the second was a breakout session at the 35th Annual Minnesota Society of CPAs Not-for-Profit Conference featuring two individuals from the insurance industry.
If you are a not-for-profit organization you may be wondering what is the big deal surrounding data security? Aren’t data breaches confined to the big companies like Target, Home Depot, and Sony? Why would our mission-oriented not-for-profit that helps others be a target of an attack?
The reason is simple: it is easy to get in. Not-for-profit organizations hold a variety of potentially lucrative information that an attacker can sell to interested buyers. Examples include personally identifiable information of donors (including Social Security numbers), credit card and bank account information of donors, and personal information about the organization’s employees and board of directors.
What happens when a breach occurs? There are costly notification requirements for those whose information was put at risk. Forty-seven states have specific requirements for the notification process, so your organization may have to send notifications under the laws of every state in which your contributors reside. In addition to notification costs, your organization will spend funds on forensics, legal guidance and defense, and related settlements. An organization can easily spend a few hundred thousand dollars on costs related to a data breach, and the accompanying loss of reputation is considered priceless.
As you can see, the result of a data breach can have severe negative consequences to your organization’s financial health and reputation. While it is easy to put your head in the sand and do nothing, that is not an acceptable option. It is much better to develop a plan that you can tackle incrementally and make forward progress on strengthening your controls, thereby lessening your risk. (Think walks and singles instead of home runs, to use a baseball analogy).
The top takeaways and recommendations I had from listening to these speakers are as follows:
- Develop a directory of service providers to call when you suspect an attack to have occurred (IT professionals, attorneys, accountants).
- Conduct an IT Risk Assessment by engaging a qualified third party. Your cost may vary depending on the scope of the engagement and the size of your organization, but plan on spending between $5,000 and $15,000 for an assessment.
- Your employees are often your greatest source of risk. Training them on the importance of data security, and on the security obligations that accompany “bring your own device” arrangements, is of great importance.
- Identify your most valuable information and concentrate IT resources and strategies on how to best protect these crown jewels.
- Maintain access logs for your firewalls and key databases. Storage costs have come down significantly, so retaining logs for a defined retention period is now cost-effective. It is much more difficult to conduct a forensic investigation if access logs were never kept.
- Review insurance coverages with your carrier. Specifically discuss and review your risks for first-party protection (such as Breach Response Coverage, Cyber Business Interruption, Data Restoration Loss, and Cyber Extortion) and third-party protection (such as Privacy & Network Security, Regulatory Coverage, PCI Fines and Penalties, and Website Media Liability).
- If your organization’s website has no foreign contributors or activities, block website access from overseas users. This reduces the volume of automated probing your site sees, but it is not a substitute for patching and access controls: an attacker can route traffic through a domestic address.
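The two technical recommendations above, keeping access logs and blocking overseas traffic, can be combined: replay the web server’s access log against a geo policy and see what would have been blocked. The example below is added here and is not from the article or the speakers. It assumes a constructed country-to-CIDR table built from RFC 5737 documentation ranges (a real deployment would use a maintained GeoIP database), constructed Common Log Format lines, and a policy that denies any address whose country is unknown or not on the allow list:

```python
import ipaddress
import re

# Constructed country-to-CIDR table (RFC 5737 documentation ranges, not real
# allocations). Assumption: a real deployment loads a maintained GeoIP database.
COUNTRY_BLOCKS = {
    "US": ["203.0.113.0/24", "198.51.100.0/24"],
    "DE": ["192.0.2.0/25"],
    "CN": ["192.0.2.128/25"],
}
NETWORKS = [(ipaddress.ip_network(cidr), country)
            for country, cidrs in COUNTRY_BLOCKS.items() for cidr in cidrs]

# Policy from the recommendation: a site with no foreign contributors allows US only.
ALLOWED_COUNTRIES = {"US"}

# Common Log Format: host ident authuser [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def country_for(ip_str):
    """Return the country code for an address, or None if no table entry matches."""
    ip = ipaddress.ip_address(ip_str)
    for net, country in NETWORKS:
        if ip in net:
            return country
    return None


def decide(ip_str):
    """Geo-policy decision as ('allow'|'deny', country). Unknown origin fails closed."""
    country = country_for(ip_str)
    if country in ALLOWED_COUNTRIES:
        return "allow", country
    return "deny", country


def parse_line(line):
    """Parse one Common Log Format line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def review_log(lines):
    """Replay an access log against the geo policy and report what would be blocked."""
    report = {"total": 0, "unparsed": 0, "allowed": 0, "denied": [], "by_country": {}}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            report["unparsed"] += 1      # keep count: malformed lines may be tampering
            continue
        report["total"] += 1
        verdict, country = decide(entry["ip"])
        key = country or "unknown"
        report["by_country"][key] = report["by_country"].get(key, 0) + 1
        if verdict == "allow":
            report["allowed"] += 1
        else:
            report["denied"].append((entry["ip"], key, entry["path"]))
    return report


# Constructed sample log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Aug/2015:10:01:02 -0500] "GET /donate HTTP/1.1" 200 5120',
    '192.0.2.200 - - [12/Aug/2015:10:01:05 -0500] "POST /wp-login.php HTTP/1.1" 401 312',
    '192.0.2.9 - - [12/Aug/2015:10:02:17 -0500] "GET /about HTTP/1.1" 200 2048',
    '198.51.100.44 - - [12/Aug/2015:10:03:40 -0500] "GET /donors/export.csv HTTP/1.1" 403 0',
    '10.0.0.5 - - [12/Aug/2015:10:04:00 -0500] "GET /admin HTTP/1.1" 200 900',
    'this line is not in common log format',
]

if __name__ == "__main__":
    result = review_log(SAMPLE_LOG)
    print(f"parsed {result['total']} lines, {result['unparsed']} unparsed")
    print("requests by country:", result["by_country"])
    for ip, country, path in result["denied"]:
        print(f"would block {ip} ({country}) requesting {path}")
```

Because the decision and the per-country counts come from the retained log rather than live traffic, the same script doubles as the kind of after-the-fact review a forensic investigator needs, which is the point of keeping the logs in the first place. The unknown-origin request to `/admin` from a private address is denied because the policy fails closed; whether that is right for your network depends on whether internal users reach the site through the same firewall.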
On a related note, the U.S. Census Bureau was the victim of an attack in late July 2015 aimed at gaining access to the Federal Audit Clearinghouse (FAC). The FAC is a necessary site for those receiving federal funding, as the government uses it to collect single audit reports from not-for-profit organizations, governmental organizations, and indigenous tribes. The FAC holds information not considered confidential, such as phone numbers, site user names, and addresses. As a result of this breach, federal funding recipients and their auditors have been unable to complete the required forms for recently issued single audits, and the FAC extended the filing deadline for single audit reports that were due between July 22 and December 30, 2015 to December 31, 2015.
As you have read in this article or heard in the news, the frequency and cost of data breaches continue to escalate, and your mission-driven organization is at risk. The question is not whether your organization will experience a breach, but when. It is of paramount importance to perform a periodic review of your IT controls, train your employees on their responsibilities, and develop relationships with qualified contractors who can help your organization build a game plan to reduce its risk.
Daniel Owens, CPA and the Olsen Thielen Data Security Team can help you evaluate your data security policies. Contact Daniel at (651) 621-8623 or dowens@otcpas.com.