Does a Church Need to Worry About Cybersecurity?
In this digital age, technology touches every aspect of our lives. People from all walks of life want to know their personal, financial, and medical information is being kept private and secure. Churches often store personal and financial information about their members, which can be tempting to hackers looking for easy targets. Since most church leaders don’t see their organization as a business but as a ministry, business practices such as cybersecurity are often not a high priority.
In conversations with many church leaders, a common sentiment is that they are a church and not a business. While this may be true in many respects, a church’s “business” is providing ministry services. Therefore, the church’s business office and staff members need to think and operate as a business. Churches and ministries are just as vulnerable to data breaches as any other business or institution. A data breach is more likely than a terrorist attack, yet many organizations are better prepared for physical security issues than for digital ones.
It has been said many times that data is one of the most valuable assets businesses have. This would be true for a church as well.
What kind of data could a church have?
- Membership & family records
- Notes on members
- Counseling appointments and notes
- Financial data
- Giving records
- Employee records
As a leader in a church, whether a senior, executive, or associate pastor, a director of ministry resources, or a bookkeeper, it is your legal, moral, and ethical responsibility to keep congregants’ information private.
Data protection is about securing data against unauthorized access (a technical issue); data privacy is about authorized access, that is, who has it and who defines it (a legal issue). One doesn’t ensure the privacy of data without the other.
An article by The American Church Group, How Well Does Your Ministry Secure Personal Data, points out that by protecting congregants’ personal information, you are not only exercising good business practices but also protecting yourself from crippling data losses, loss of public trust, and potential lawsuits.
Does the GDPR of the European Union apply to a church in California? Check out the blog post by Fishhook to see.
All staff members and volunteers who could come into contact with personal information need to have formal and recurring training on how to protect this information. Are pastoral counseling ministries subject to HIPAA? Generally not, but if a pastor has information about a congregation member’s medical condition, when, with whom, and how can this information be shared? Check out an article from Brotherhood Mutual.
It is generally agreed that churches are not required to meet HIPAA requirements unless they have a licensed counseling center, but they do fall under state privacy laws.
One of the newer laws is the California Consumer Privacy Act (CCPA), which went into effect in January 2020. An article posted by the Church Law Center of California notes that churches still have data privacy obligations even though the CCPA does not expressly include nonprofits.
Other California data breach laws that could apply to churches are the California Database Security Breach Notification Act and the California Confidentiality of Medical Information Act.
In recent years, there have been several churches that have experienced problems. Below are just a couple of examples.
In 2019, Bayside Covenant Church had an employee’s email account hacked. An article states they hired a third-party forensic investigator to determine how this happened, but they weren’t able to determine where the hack came from. That church is now paying for credit monitoring, fraud consultations, and identity repair services for all victims.
In 2018, a class-action lawsuit was filed against a church for a data breach in which personal information was unlawfully obtained. The article states the church will be responsible for paying $2,500 per victim but does not say how many victims there were.
In 2019, a church fell victim to a cyberattack. Through an e-mail scam, the church lost $1.75 million.
There are two things any business or church must do to protect themselves and their congregants’ data:
- Get a cyber liability insurance policy
- Work with a qualified cybersecurity company to implement all the necessary physical security, and to develop policy and procedure documents and response plans
If you have any questions about your church’s vulnerabilities or compliance requirements, please complete our contact form or give us a call at 805-489-2131. We offer a free consultation.