Churches, like many organizations, keep private information on their members. As leaders, you should consider the impact on your church if the sensitive information you hold on your members were made public through your negligence. Mistakes with member data could be a significant legal liability for a church, its leaders and its congregation.
Church leaders have a responsibility to safeguard the private information entrusted to them by their members. Private information is information that would not ordinarily be discovered in the public realm. It includes members’ social security numbers, unlisted telephone numbers, account details, tithes and offering records, and facts relating to sensitive circumstances. Notes kept on counseling sessions with church officials are private information. One could argue that the fact that someone sought counseling should itself be kept private.
In order to protect members’ privacy, the church should understand where all sensitive data is kept. Church leaders should conduct a survey of the systems used to store member data. The first place to look is computers and computer files. Computers and their backup files should be secured against electronic intrusion. Church leaders should also be aware of how sensitive data is transported and stored. Church officials who routinely carry sensitive information on unsecured USB devices can pose a significant liability risk.
There is another risk to private data called social engineering. Social engineering is the risk that people, rather than systems, will be manipulated or careless in ways that expose member data. For instance, a vendor could accidentally or intentionally gain access to member data because an employee did not safeguard his or her password. Data breaches have occurred because passwords were written on the side of the computer that contained the sensitive information. Churches can also face liability for a lack of physical security that allows trespassers to gain access to office files.
To protect your church and its officials from legal liability, develop a comprehensive program to safeguard your member data. It may be wise to hire an outside firm to give you an objective assessment of where you stand. Failure to protect sensitive member data could be a costly lesson to learn.
There need not be a particular contract in place to have an obligation to protect private information; there may be an implied duty to do so. In any event, an unintended breach of member data by the church could be an embarrassment at best and a legal liability at worst.