Cybersecurity: A Big Threat

Date: November 2, 2015

This article appeared in Association TRENDS and is reprinted with permission of the publisher.

Many association employees may think that cybersecurity is a matter to be handled only by the IT staff. CFOs, however, know that nothing could be further from the truth as cybersecurity is not just an IT issue, it is also a money issue.  For instance an association that falls victim to a cybersecurity breach may spend thousands of dollars to repair its compromised computer system, may expend significant funds providing notification to those whose information was released, and be forced to pay even larger sums of money to defend or settle law suits initiated by those whose personal information was compromised.  

For these reasons, tt is critical to protect the “personally identifiable information” (“PII”) of association members.   PII is generally defined to be a person’s first name or first initial, plus last name, combined with other identifying information such as a Social Security number, driver’s license number, or a financial account number.  Almost all states now have strict laws regarding the safeguarding of this type of data, and require businesses, including nonprofit associations, that store PII to take specific steps to protect the information.  Some states (such as Massachusetts and Maryland) require organizations to design and implement a written information security plan (“WISP”) for safeguarding PII.   Various states also require organizations that provide member PII to third-party vendors to include very specific provisions in their contracts with the vendors to ensure the vendor takes steps to protect the PII.  A cybersecurity breach of the vendor’s system could subject the association to liability if these provisions are not included.  

To protect the association from the risks from a cybersecurity breach incurred by a vendor, the association should take the following steps:

Become familiar with your state’s cybersecurity laws.  Laws vary from state-to-state and each state will require different security measures.  Remember, even if the association has only one member in a state, it must comply with the data security laws in that state. 

Develop a WISP.  Numerous states throughout the country now require organizations to have a WISP.  Developing a WISP helps associations to identify and evaluate security risks, aids in the implementation of measures to protect against risks, and provides clear procedures for the association to follow should it fall victim to a cyber-attack. 

Minimize risk through contract provisions.  If vendors have access to the PII of members, contracts with those vendors should contain the following provisions: 

  1. The vendor agrees to comply with all data security laws of all applicable states,  and shall indemnify and hold the association harmless for the vendor’s failure to comply; 
  2. The vendor shall use the members’ PII only for purposes specified in the contract; 
  3. The vendor shall develop and implement its own WISP and provide the association with a copy;  
  4. The vendor must provide procedures it will take to notify the association in the event of a data security breach; and 
  5. The vendor shall return, delete, or destroy all of the members’ PII upon termination of its contract with the association and upon request of the association.

Make sure your insurance policy covers cyber-attacks. Many organizations assume their general liability insurance policy will protect them from any damage or liability resulting from a cyber-attack.  This is an ill-founded assumption, however, and associations should also confirm with their insurance providers whether the association’s general liability policy covers damage to the association’s computer system caused by cyber criminals as well as liability incurred as a result of an attack.