Do Nonprofits Need to Worry About Data Breach Lawsuits?

Photo by Aleksi Tappura, Unsplash


I hate when people worry about anything. My advice to you: Don’t worry about data breach lawsuits. That’s just wasted energy.

But you should take precautions, and you shouldn’t file the idea of a data breach lawsuit into the ‘That Won’t Happen To Me’ storage box and put it up in the attic.

Data Breach Liability Payouts… to Plaintiffs Who Lost No Cash

If two recent court decisions are any indication, the legal landscape is skewing towards plaintiffs in cases around identity theft or loss of individuals’ personally identifiable information. In the two situations cited by an article in Claims Journal, the plaintiffs experienced no (or very limited and vague) financial consequences as a result of the data or privacy breaches.

In one case, two laptops were stolen that provided access to private client information. $3,000,000 was paid in a class action lawsuit before any identity theft (i.e. stolen funds) had even taken place. Any individuals who later might have had their identity stolen would be able to submit claims for reimbursement (in addition to any share in the class action lawsuit).

From the Claims Journal article: “The ruling cited negligence, breach of contract and ‘breach of fiduciary duty’ as just some of the reasons the court felt [the defendant] failed to properly secure data that had been entrusted to them.”

How Many of Your Employees or Volunteers Drive around with Laptops in their Cars?

We’ve had plenty of clients call in with the ‘we lost the laptop’ claim. Luckily, this hasn’t happened recently with the proliferation of data breach issues.

But think about all of the private information that is accessible. Could a thief steal your laptop and gather information about donors or mental health clients or employees?

What is a Breach and How Much Would it Cost?

Not surprisingly, there’s not a simple one-size-fits-all answer regarding what constitutes a data breach. Each state differs. And each state has different requirements as to what you would have to do as far as that state is concerned. Fun stuff, isn’t it?

[Click here for a resource from global law firm Weil that provides information for each state.]

Estimates range anywhere from $150 to $250 per record just to do basic notification and forensic work around the data that might have been lost. That cost might or might not have anything to do with actual liability claims from the injured party. And the costs will vary by state.

So, Do Nonprofits Need to Worry about Data Breaches?

Like I said above, don’t worry about them. That’s no way to live.

But do realize that you probably have personal information either in paper or digital form. Donors, clients, students, patients, employees, volunteers, and other stakeholders have trusted you with their information.

You don’t insure the likelihood of the claim. You insure what you have. You have private information. You need to, at the very least, have risk management to help lessen the possibility of a claim.

Don’t Worry, Just Prepare

I’ll make a couple suggestions here, but make sure to do a Google search on ‘best practices on preventing or handling a data breach.’

Here are some suggestions:

  1. Take the possibility seriously: You are NOT immune. Whether you’re a large nonprofit and have top-of-the-line firewalls or whether you’re a small nonprofit and assume no one would care to grab your data, you need to be prepared. Everybody is vulnerable on some level. Even if you have great firewalls, what might happen if a few laptops went missing?
  2. Determine best practices: Now that you take the possibility seriously, decide on best practices. Consult with experts. Put controls in place. Invest in the appropriate infrastructure and software.
  3. Educate your people: Best practices are useless if you don’t implement them. And one weak link can invite in a world of worms, bugs, viruses, and angry Ukrainian hackers hiding out in a basement somewhere. Make sure to keep your employees and volunteers up-to-date on what you expect of them, even if it’s annoying. We all know how the IT people can be annoying. That’s our problem, not the tech person’s problem.
  4. Have a disaster plan: You have one for other possible catastrophes. Have one in place should a data breach happen. Respond quickly to lessen the possibility of class action or other lawsuits or identity thieving.
  5. Consider cyber insurance: You didn’t think I’d go the whole article without suggesting insurance, did you? One great thing about this type of insurance is that it forces you to evaluate your basic risk management. Even if you don’t buy the coverage, find an application and use it as your initial policies and procedures manual. Be aware, though, that one size does NOT fit all. There are a lot of moving parts in these policies, and most data breach endorsements that come with general liability aren’t sufficient.

Hopefully such a situation won’t happen in your world. But with progress comes new ways that people do horrible things.

I’d love to hear your thoughts.

What have you done in your organization to help prevent or mitigate a possible data breach lawsuit?
