Churches are no different from businesses when it comes to being vulnerable to cyber attacks from both internal and external sources. Unfortunately, many churches lack full-scale cybersecurity policies to ensure the safety of private employee, volunteer, and member information. This is especially true of smaller congregations that often outsource their technology needs to third-party vendors.
Data breaches are not the only type of cyber danger that can threaten a church. Other cyber risks include malware and viruses that can hold a church’s data hostage until a ransom is paid, and phishing emails, which cybercriminals use to defraud unknowing victims with a message that appears to come from a church authority but is in fact from a criminal.
Cyber Liability Insurance
Cyber liability insurance can protect churches from the fallout of a data breach. Coverage typically includes expenses for notifying those affected by a data breach, credit monitoring, compensable losses from identity theft, defending against litigation from victims or state regulators, plus any fines or penalties associated with a breach. In addition, cyber liability insurance will pay for losses from data destruction or loss, computer fraud, business interruption losses, and cyber extortion.
Cyber Security Guidelines
In addition to having the proper cyber liability insurance, churches need to ensure that staff and volunteers are trained on ways to reduce the risk of a data breach or cyber attack. Here are some guidelines:
- Establish policies to protect from attack, data breach, and data misuse,
- Identify responsibilities and assign roles to management,
- Verify qualified persons are retained to monitor privacy and security,
- Establish periodic reviews of internal and external risks and regulatory compliance,
- Establish policies to respond to an attack or breach,
- Provide adequate budgeting to allow sufficient response to risks,
- Conduct annual audits to determine the effectiveness of controls, and
- Evaluate the adequacy of insurance coverage.
Although a church may outsource its IT support functions, church leadership is still responsible for developing and enforcing policies to protect from cyber attacks or security breaches. Vendor contracts need to be scrutinized for data security protection measures, insurance, and indemnification for losses associated with compliance costs, theft of intellectual property, cybercrime, and operational downtime.
Provident Law’s nonprofit attorneys can help churches and religious organizations and their boards. We stand ready to counsel and serve churches, charities, and foundations, as well as private schools, colleges, universities, and other types of nonprofit organizations—providing broad transactional and general counsel services in Arizona and surrounding areas. Contact us to learn more.