Plan to Fail

Date: February 24, 2016

Originally published in Associations Now Magazine, published by ASAE.

Your association will be hacked. Are you ready?

You often hear lawyers talking about risk -- potential legal and other problems that can arise for an association. Well, there is one new risk that isn't just a possibility: Your association will suffer a cybersecurity breach at some point in the future, and you'd better be ready.

A cybersecurity breach can be caused by bad guys, thieves, or hackers. Or it may happen because an employee leaves a laptop or personal device somewhere or because a staffer clicks on a phishing link that compromises your computer and management systems. But it will happen, and the best advice is this: Plan to fail well.

If you try to decide what to do after your organization has suffered a security breach, it's too late. Association executives must plan in advance for a breach; there is no reasonable alternative. Here's what to do:

Get buy-in from leadership. Make sure that the volunteer leadership and the C-suite comprehend the fact that the association will suffer a security breach and must plan for it.

Adopt a written information security policy (WISP). A WISP is probably already required of your association: several state laws mandate that such a policy be in place if your organization holds personally identifiable information on residents of that state.

Make sure that all of your technology vendors also have a WISP. And make sure that they are contractually required to take all necessary steps to ensure the security of your association's data and that they will indemnify and hold harmless the association if damages arise.

Get cybersecurity insurance. It's not automatically included in standard policies, so you have to ask for it. Make sure it's the right policy; if your agent doesn't know what you need, get another agent.

When you find out that all of your members' credit card information has been stolen or that personally identifiable member information has been compromised, you will know what to do. Follow your WISP, which will tell you whom to call (first your lawyer, then your insurance agent), how to investigate the breach, what public and member relations steps to take to minimize the damage, and what other federal or state reporting obligations the association might have.

A breach will happen, one way or another, to all associations. Be prepared so that you know what to do when your organization has been hacked.