Board Liability for Data Security Breaches (Guest Post)

By Deborah Shinbein, Esq., CIPP/US
Data Law Group, LLC

Directors of nonprofit organizations should be aware that in the for-profit sector, there has been increasing litigation against the board of directors with regard to data breaches and failure to implement reasonable data security measures. It is therefore quite possible that similar litigation could arise in the nonprofit sector, and boards should consider steps they can take to minimize the organization’s risk, and their own potential liability if a breach does occur.

It is an unfortunate fact that data breaches are increasing. In a recent study entitled 2014: A Year of Mega Breaches, the Ponemon Institute, which surveyed 735 IT/security practitioners, estimated that 45% of respondents knew their company had experienced a data breach in the last 24 months. Estimates from other sources are significantly higher, including a quote from Dave DeWalt, CEO of cyber security firm FireEye, who stated during a recent 60 Minutes segment that 97% of companies are currently being “hacked.” Of course, many companies are not aware that an incident has occurred, which can potentially lead to significant ongoing damage.

Although there are many laws that protect or limit directors, especially volunteer directors, from liability, they can face exposure the event of a breach of their fiduciary duties to the organization, misuse of the organization’s assets, violation of state or federal laws, and other circumstances. Accordingly, to both protect the organization’s confidential and personal information, and minimize potential liability for both the organization and the directors, boards of nonprofits that gather or maintain personal or confidential information (and particularly financial information of donors) should consider the following measures:

  1. Engage an outside consultant (potentially legal, technical, or both) to evaluate the organization’s data security measures and provide a plan for compliance with applicable data security laws, PCI requirements (for entities accepting credit cards) and industry standards.
  2. Document any compliance gaps identified by the consultant(s) and document all remediation measures taken by the organization.
  3. Implement data security policies and procedures specific to the organization and its unique data, including an incident response plan with details regarding what to do if a security breach is suspected.
  4. Establish an incident response team, including representatives from IT, legal, PR, and others as applicable to the organization, which will manage investigating and responding to any suspected data security breaches.
  5. Regularly discuss data privacy and security at board meetings, and make sure board members understand the resources the organization has allocated to those areas. Presentations should be made by those knowledgeable about the subject within the entity (e.g. representatives from IT, legal, and other departments as applicable).
  6. Designate one of the organization’s board committees to oversee data security and ensure that data security measures are evaluated and implemented in accordance with applicable laws and industry standards on an ongoing basis.

Shareholder derivative lawsuits against boards in the for-profit sector have been dismissed in several instances where the boards followed measures such as those listed above, so these measures may be equally successful among nonprofits, if they are diligently implemented, followed, and modified over time as needed (due to changes in the law and technology).

In addition, board members should evaluate the organization’s current insurance policies, to determine whether breach scenarios are covered, and if not, whether special insurance is necessary or appropriate under the circumstances. Increasingly, insurance providers are requiring separate cyber liability policies to cover data security breaches, rather than including coverage under general liability policies. Board members are also advised to review their D&O policies to determine whether they include coverage for an affirmative response to lawsuits against the company’s directors and officers resulting from a breach or other cyber liability incident.

This article should not be construed as legal advice, and no attorney-client relationship is formed by reading this article or contacting the author.

For further information, please feel free to contact Deborah Shinbein at or visit

See Our Services