Data Breach, Cyberliability, and Your Nonprofit

Since I’m not talking to anyone specifically, I’m going to dispense with the niceties.

You do have to worry about data breach and cyberliability issues.

I don’t care how small your nonprofit is. I don’t care how high-tech your IT guy is. I don’t care how much you think nobody is targeting you.

Here’s why: Cybercriminals and the malicious code they dispense into the world wide web do not care about those things and are looking for any hole they can find, regardless of who you are. 

Cybercriminals do not only use the sniper method. They use all kinds of tactics and strategies to gain access to computers, servers, laptops, smartphones, and tablets.

And these tactics are being deployed continually.

I’ve known this fact. I’ve been the victim of this wide-net, shotgun approach to criminal data-gathering.

No cybercriminal is targeting some random insurance agent in the suburbs of Atlanta, yet my Yahoo email has been hacked, my Facebook passwords have been compromised, and my debit card has been stolen.

These things happen not because individuals are targeted. They happen because the internet is crawling with viruses and malware. Consider a kindergarten class where two kids have the stomach crud. That’s the internet.

Let me offer an initial recommendation to anyone who does work on a computer, smartphone, laptop, or has a smart refrigerator (all human persons in the western hemisphere):

If We’re Vulnerable, What Next? 

I’m about to commit a small cyber crime here and copy Marc’s ‘UPDATE’ protocol for some simple, basic risk management around your personal computing and smartphoning activities (please go listen to that podcast, though, to put this protocol into context):

  • The UPDATE Protocol
    Update – keep your software updated (otherwise it’s full of holes)
    Password – don’t use your Facebook account to login to other sites
    Download – from authorized sources only
    Administrator – don’t use your computer when logged in as admin (except when necessary)
    Turn your computer off – or at least the wifi
    Encryption – scrambles your data unless you have the password

As soon as I log off after writing this blog, I’m going to go buy Marc Goodman’s Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It (Amazon Affiliate Link) to get a better handle on just how certain hacks and data breaches take place.

Did you know, for instance, that Target’s breach took place because the hacker gained entrance to Target’s servers via their HVAC contractor?  Who would think that? It was your basic random employee who clicked on one of those spammy looking links in an email. And bam. 1/3 of the United States gets affected.

Some Suggestions for Nonprofits’ Cyber Risk Management

Let me make some suggestions on how to respond to the fact that we are all vulnerable to a cyber attack or data breach:

  1. Be Honest with Yourself: Most computers have some form of malware or virus. We have to start by being honest that criminals get new malware to market faster than our virus protection software can add protection against it. In a word, we’re vulnerable.
  2. Enact the UPDATE Protocol: This protocol is the clearest, simplest approach I’ve seen to basic risk management. Make the protocol your new good habit.
  3. Purchase Cyberliability Insurance: Find some coverage for the events that might slip through. Cyberliability insurance helps pay expenses in the event your nonprofit or business is a part of the breach.  Remember that cyberliability not only addresses computer related breaches, but (normally) also includes paper documents.
  4. Train, Train, and Train: Continually keep these issues in the forefront of your employees’ minds. As annoying as it is (our IT folks bombard us often, too), remind them to not click spammy links, to update software, and to take special care of portables like laptops, phones, and tablets.

Data Breach Comes in Many Shapes and Sizes

Data breaches can be the result of hackers, stolen laptops, disgruntled employees, or simple employee errors. Don’t allow yourself to pigeonhole where a breach can come from. When I speak with clients, they typically have a very narrow view of where a breach can come from. Realize that there are a thousand ‘doors’ into your office. A breach only requires one door to be propped open with a cyber-brick (thanks to Marc Goodman for that little analogy).

My guess is that insurance claims around our computers and other electronics will become more prevalent than many other types of claims (outside of auto related claims because, dang, people are dumb in cars).

Start developing a risk management stance toward your own and your nonprofit’s use of all devices connected to the internet.

We love convenience, but convenience comes with added responsibility and a potential price.

Be prepared.


In case you missed my earlier recommendations, please go listen to the podcast with Lewis Howes and Marc Goodman about cyber crime.

Nonprofits, Independent Contractors, and General Liability

Are your independent contractors really independent contractors?  Photo Credit: TheeErin via Compfight cc

As a cost-saving move, many nonprofits pay employees as 1099 independent contractors.

There are quite a few ramifications of this practice (which I’ll dive into in another post), but I want to point out one key insurance gap that is created.

Under a general liability policy (and abuse and molestation liability and professional liability policies), the organization, employees, volunteers, and board members are covered as ‘insureds’ on the policy.

In other words, if the organization and any individual in one of those categories are sued for their work for the nonprofit, then the organization and that individual have a defense under the policy.

Independent Contractors are NOT Insureds Under Most Liability Policies (without making changes)

Independent contractors DO NOT have that protection.  They are not automatically included. Some carriers will add them as additional insureds if you request, but others will not do so. Regardless, you’d have to ask.

The gap here is not about miscellaneous independent contractors – those folks who truly are independent contractors and have their own insurance.  You might not care if they have coverage under your policy. As a matter of fact, you probably don’t want to extend your policy over those 1099s.

The big issue here is when an organization pays its key employees, including its executive director, on a 1099 as an independent contractor. In that case, the main leader and decision-maker of the organization might not have coverage.

When you make the decision to pay your employees as 1099s, consider all the implications – not just the tax and cost-saving issues. You want to protect the people who help you do your work.  Take some time to evaluate whether or not each individual who receives money for work they do for your nonprofit is truly an independent contractor or much better described as a W2 employee.


Question: What is your experience with independent contractors as key employees for nonprofits? What should be considered when determining tax status?

A Radical Reset for You or Your Organization?

Have you ever stepped back from your work and decided to slay all sacred cows? If you were tasked to kill all programs and processes and start from scratch, which programs would you … [Continue reading]

Key Insurance Coverages for Nonprofit Residential Foster Care Providers

photo credit: Jaro Larnos via photopin cc

First of all, if you're reading this, you probably run or help run a foster care facility of some sort. Thank you for what you do. I know that it is a fulfilling job, but it is often a thankless job. And sometimes the thanklessness of things … [Continue reading]

Nonprofit Resource: Buffer for Nonprofits

One of the ways a nonprofit should protect its vision and mission is to be violently protective of how it spends its time. Many 501c3 organizations hire individuals to do the job of 3 to 4 people. You have a lot on your plate. Now everybody … [Continue reading]

Why Your Growing Nonprofit Needs Workers Compensation Right Now

If you are a human services nonprofit (i.e. you work with at-risk populations, both human and animal), then you need to procure workers compensation as early into your existence as possible. Many nonprofits choose not to carry workers compensation … [Continue reading]