Focus On
People in a gear with puzzle background

Critical privacy, security risks for charities, not-for-profits

Thursday, June 10, 2021 @ 8:31 AM | By Esther Shainblum


Esther Shainblum %>
Esther Shainblum
Like their counterparts in the for-profit sector, charities and not-for-profits (NFPs) have experienced an abrupt pivot to working from home as a result of the COVID-19 pandemic. And, like their for-profit counterparts, many charities and NFPs face an uncertain future in terms of whether the shift from office to remote will be permanent or whether workers will want to return to the office on a part-time or full-time basis.

The huge increase in remote work has exposed organizations, including charities and NFPs, to additional privacy and security risks. As it is unclear how long this “new normal” will continue or what working arrangements will look like when things finally settle down post-pandemic, charities and NFPs likely face ongoing privacy and security risks associated with working from home for some time to come.

Ironically, although they are now more reliant on technology and their IT infrastructure than ever before, having multiple, dispersed, remote workplaces means that it is more difficult for charities and NFPs to maintain security, monitor and enforce employee compliance with policies and procedures, keep track of sensitive information and who is accessing it and find out about and respond to privacy breaches.

At the same time, there has been a huge surge in cybercrime globally as cybercriminals capitalize on the pandemic by leveraging the massive shift to poorly secured home networks and devices to attack and compromise organizations’ systems and by using deception and manipulation to bypass organizational defences and safeguards.

Employees of charities and NFPs working remotely lack protections present in the workplace environment, including technological safeguards, face-to-face contact and policies and procedures designed to prevent or mitigate cyber and privacy breaches. Working from home can isolate workers and make it more difficult for them to communicate with one another, rendering them more susceptible to phishing and social engineering scams. Working from home also makes it harder for organizations to reinforce the need for vigilance and strict processes.

Weak passwords, out of date or insecure devices and software and the lack of layers of authentication or protection can also make an organization vulnerable to attack. Additional risk factors that could heighten the risk for charities and NFPs, especially those facing diminishing revenues and financial constraints, include:

  • not having adequate or ongoing cybersecurity awareness training for remote workers;
  • stretched or inadequate IT support;
  • remote workers setting up and managing their own remote connections;
  • employees using personal devices, such as laptops, phones and USB drives, to access core IT systems and sensitive information;
  • not having secure remote access, such as virtual private networks (VPNs) and having employees access core IT systems or sensitive workplace information using poorly secured home Internet connections;
  • employees sharing computers, devices and workspaces with family members/roommates;
  • employees installing software on corporate devices;
  • remote workers not following the usual processes or policies;
  • not having a clear plan for what to do in case of an incident when working from home; and
  • corporate policies that do not address or reflect remote work.

Charities and NFPs should consider a number of measures to mitigate the risk of data loss, privacy breach or cyberattack. Such measures could include, without limitation:

  • providing remote workers with corporate owned devices managed and controlled by the organization;
  • proactively auditing and testing for vulnerabilities and deploying updates and patches to address them;
  • using VPNs to create a secure connection between remote workers and the organization’s network/sensitive data;
  • requiring strong passwords for all accounts and devices and enabling multifactor authentication;
  • implementing mandatory ongoing cybersecurity awareness training;
  • following privacy best practices, including limiting the collection, use and disclosure of personal information to the minimum necessary;
  • adapting and enforcing privacy policies to ensure that employees working remotely continue to comply with privacy law and policies;
  • having clear privacy breach and security incident response protocols in place; and
  • obtaining adequate cyber insurance coverage to protect the organization against cybercrime and fraud.

Working from home is here to stay. Even though many charities and NFPs may currently be struggling due to the knock-on effects of the pandemic, these measures should be seen as priorities in light of the potentially catastrophic impact of privacy and data breaches.

Esther Shainblum is a lawyer with Carters Professional Corporation and practises in the areas of charity and not for profit law, privacy law and health law.

Photo credit / Eva Almqvist ISTOCKPHOTO.COM

Interested in writing for us? To learn more about how you can add your voice to
The Lawyer’s Daily, contact Analysis Editor Richard Skinulis at Richard.Skinulis@lexisnexis.ca or call 437-828-6772.