It has become common to hear about security or data breaches at large companies. Some breaches arise from ransomware attacks where information is held hostage in lieu of a payment of money. In other cases, the data is leaked to the public risking identify theft of the customers. Every organization is at risk.
Church leaders should consider what risks the ministry faces when it comes to security breaches. To a hacker, a church may be no different than any other type of organization.
North Carolina law creates an affirmative duty on businesses to protect customers’ information. The language in the statute defines a business as a corporation, association or other group. The business may or may not be organized to operate for a profit. The law includes churches.
State law applies to any personal information whether stored in computerized form or on paper. Personal information includes a person’s first name or first initial and last name in combination with identifying information. The identifying information includes numbers referencing social security, driver’s license, checking account, credit cards, and some passwords.
The law requires a church to provide notices to the affected persons of a security breach. The notices are due following discovery or notification that the breach has occurred. The disclosures must be made without unreasonable delay.
A church may delay providing notices to its members if a law enforcement agency informs the church in writing that a notification may impede a criminal investigation or jeopardize national or homeland security.
The notifications to church members of a security breach should be clear and conspicuous. The notices should describe the incident in general terms, reveal what type of personal information is involved, and what the church is doing to protect the information further. In addition, the notices should include a telephone number members may use to call the church for information. Finally, the notice should warn members to check their credit reports and provide information for free credit reports from the major credit reporting agencies.
Notices to church members may be in written form, by telephone or an electronic message. An electronic notice is for members who have a valid email address and have agreed to receive communications electronically. Telephonic notices are valid if made directly to the affected person. Other forms of communications include a notice on the web site page of the church and a press release to major statewide media.
If a church is compelled to provide notices of a security breach to its members, it must also notify the Consumer Protection Division of the Attorney General’s Office. The notice to the Attorney General should include the nature of the breach, the number of consumers affected by the breach, steps taken by the church, and information regarding the notices provided to the members.
A violation of this North Carolina law may come with heavy penalties and damages for a church. Church leaders may mitigate the risks to the ministry by having a data security process in place. The process should include an updated policy by the governing board, procedures that are regularly audited and data security systems to ward off intruders.
Church leaders may find value in taking inventory of what information it holds on its members. The more personal the information, the more vigilant the church should be about data security protocols. Risks can be reduced by eliminating storage of information not needed for strategic purposes.
A security breach can be a traumatic event for a church. Financial damages and statutory penalties are possible. Trust and transparency are at risk. Churches should work to reduce the risk by preparing for the worst.