NGOs and Data Security: What to Do in the Aftermath of Data Breach


Written by Paul Diaz, VP of Policy, Public Interest Registry

This post is part of a Public Interest Registry series called “NGOs and Data Security” aimed at providing educational insight to noncommercial internet users around different data and information security themes.    

Part 1 of this blog series walked through best practices for preventing a data breach and Part 2 discussed the key elements of a data breach response plan. That said, all the preparation in the world may still not be enough to protect you from an attack. If you do find yourself the victim of a breach, you’ll need to act fast to minimize damage to your donors, employees and volunteers, and to protect your organization’s reputation.

Below are a few best practices to keep in mind if a breach does occur:

  • Quickly Contain the Incident. It may seem obvious, but as soon as a breach is detected your IT staff or representative must immediately begin conducting a comprehensive assessment to identify and address vulnerabilities in real-time. If resources allow it, your IT team should use advanced forensics to conduct a full-blown assessment of your systems, networks and data to identify the root cause of the breach and proactively locate any additional weak spots. Often a breach or hack can lead to follow-up attacks, so it’s critical that your team has rapid response protocols in place to address the threat and prevent additional damage to your systems. It’s also important to quickly determine the source of the attack (whether the breach is a result of a negligent employee or an outside party, for example), as well as to determine the type of information compromised. If highly sensitive personal data such as bank account numbers and social security information is at risk, that may impact your notification strategy and timeline.

  • Be Transparent and Open. You should have a clear communication strategy outlined in your action plan. Above all else, be sure you’re committed to a transparent and open approach. You’ll want to provide your stakeholders with all the facts they need about the breach as quickly as possible, the steps you as an organization are taking to swiftly remedy the issue, as well as how you’re planning to help those affected. In some cases, you also may be required to issue a press release or even notify government bodies.

  • Conduct a Post Mortem and Make Changes. If you’ve experienced a breach, it’s more essential than ever to bolster your defenses and assure your members and donors that you’ve not only sufficiently addressed existing vulnerabilities but are also putting additional measures in place to keep their information safe. This may mean bringing in outside experts to look at your systems and processes through an unbiased lens to ensure you’re meeting security standards. This is also a chance to introduce more preventative measures, such as frequent employee trainings and robust automated/continuous monitoring processes that detect attacks in real-time and keep tabs on your most sensitive information.

  • Become a Resource for Those Affected. If you can, provide recommendations and instructions to help members and donors determine whether they’re a victim of identity theft as well as next steps for anyone whose information has been compromised. It will help show these important stakeholders that you’re doing all you can to help. There are some steps that victims can take – such as changing passwords, putting a freeze on their credit cards, and contacting their credit bureau – that also can help mitigate the damage of an attack.


And remember –  the most important element of attack preparedness is accepting that it could happen to you. Taking these risks seriously and proactively putting plans and defenses in place could be the difference between sinking or swimming in the minutes, hours and days following a data breach.