Recent events in the news illustrate the damage a data breach can cause to an organization. Churches are subject to many of the same risks that plague most businesses. One type of risk is the threat that unauthorized persons will gain access to private information. I raise this issue because this is a real risk that should have the attention of church leaders. Further, there are corporate governance implications for not taking prudent actions.
Most churches have private information in their possession. Some of the confidential information includes business records on internal operations. Other information includes files on dealings with church members. These files may include personal, private information not otherwise available to the public.
Members share a variety of non-public information with their church. Confidential information includes financial records, health and medical disclosures, employment needs and family matters. Church members probably rely on the church’s ability to safeguard the confidentiality of these files.
Church management should review its policies and procedures for the protection of confidential records. These guidelines should take into account the various ways a data breach can take place at the church. Unauthorized data loss can occur with online files as well as physical records.
Some churches rely on Internet or local computer files for their official records. Once records are kept electronically, the church is exposed to electronic data breaches. Data breaches can lead to public embarrassment, legal liabilities and loss of membership.
There is an operational cost to online or offline data breaches. Operational costs increase when church staff has to react, repair and respond to the public after a data security incident. The Ponemon Institute released a study in May 2013 that looked at the costs associated with data breaches. The study reported that the average cost to a business for a data breach is $188 per record. Leaders can multiply this figure by the number of members to get a sense of how costly a breach could be to their church.
Electronic data breaches can occur through the malicious acts of outsiders. Outside intrusions include attacks by hackers and software viruses. Electronic breaches can also stem from the actions of insiders. Staff and volunteers can mistakenly release confidential data to outsiders when duped by emails and other forms of communication.
Church management should develop policies and procedures to address their exposure to data breach risks. The policy should set out the church's position on processes and approaches. The church policies should provide standards on how it will notify members if a breach happens. The procedures provide a framework for how the church will respond and recover.
Churches may be able to mitigate the cost of a data breach with insurance. Churches that have liability insurance should talk with their providers. Some policies include provisions that cover data breaches. Just as important, the insurance policy may defend the church should a data breach lead to a legal action for damages.
The best defense for data breaches is to take precautions that avoid a loss in the first place. If the unthinkable happens, a church will be able to rebound faster if it has effective plans and procedures.