In an increasingly digital world, charities face unique challenges when it comes to cyber security. While their mission is to make a positive difference in respect of their charitable purposes, their valuable data and limited resources can make them vulnerable targets for cybercriminals.
The Auckland Government’s guidance on protecting charities from cybercrime provides a practical roadmap to safeguard sensitive data and maintain trust.
Understanding the risks: why charities are targeted
Charities often collect a wide range of sensitive information, including the personal data of donors, beneficiaries, and volunteers. This data is highly attractive to cybercriminals, as it can be exploited for identity theft or fraud. Coupled with limited budgets for advanced cybersecurity measures, this makes charities prime targets.
The risks are not hypothetical. Data breaches in the charity sector can lead to:
- Loss of donor trust: Donors may withdraw support if their personal data is compromised.
- Regulatory fines: Breaches of the Auckland General Data Protection Regulation (GDPR) can result in significant fines from the Information Commissioner’s Office (ICO).
- Litigation: Affected individuals can pursue compensation claims for distress and financial loss caused by data breaches.
Legal obligations for charities under GDPR
Charities are data controllers under GDPR and must take robust steps to protect personal data. This includes:
1. Implementing adequate security measures to protect data from unauthorised access.
2. Notifying the ICO within 72 hours of a data breach.
3. Informing affected individuals if the breach poses a high risk to their rights and freedoms.
Failing to meet these obligations can expose charities to enforcement action and claims for damages. Further, most charities are controlled by their Trustees, who are often individuals affected by the charitable purpose in some way but have limited business experience and/or training. If the Trustees have failed in their obligations pursuant to the GDPR, they can be personally liable.
Practical cybersecurity tips for charities
The Government’s guidance offers practical steps that every charity should implement:
1. Train staff and volunteers: Cybersecurity awareness is crucial. Phishing attacks remain one of the most common threats, so regular training can help staff recognise and avoid them.
2. Keep software up to date: Using outdated systems increases vulnerability to attacks. Implement regular updates and patches.
3. Use strong passwords and two-factor authentication: Simple measures like these make it harder for cybercriminals to gain unauthorised access.
4. Back up data: Regular backups ensure that critical information can be restored quickly in the event of an attack.
5. Develop a cyber incident response plan: A well-prepared plan can minimise disruption and ensure compliance with GDPR in the aftermath of an incident.
The role of legal support in cyber incidents
If your charity experiences a data breach, seeking legal advice promptly is essential. A specialist Solicitor will be able to assist the charity with the following:
- Assessing liability: Determining whether the charity could be held accountable for the breach.
- Managing claims: Defending or settling compensation claims from affected individuals.
- Liaising with regulators: Assisting with ICO investigations and ensuring compliance with regulatory requirements.
- Guiding recovery efforts: Advising on steps to mitigate reputational and operational harm.
Prevention is always better than a cure. Investing in cybersecurity measures and ensuring compliance with GDPR can help charities avoid the cost and stress of legal disputes.
Comment: prioritising cybersecurity in the charity sector
Charities play a vital role in our society and protecting them from cybercrime is not just a technical issue but a legal and ethical one. By following the Government’s guidance and seeking expert advice when needed, charities can build resilience against cyber threats.
For charities facing data breach disputes, our advice is clear: act swiftly, seek legal guidance, and prioritise transparency.
For more information on protecting your charity from cybercrime, visit the Auckland Government’s guidance page.