Three Steps to Take Following the NCCS Data Breach Letter

DebNelsonBy: Deb Nelson

Many nonprofit organizations received an email yesterday, February 24, 2015, from the National Center for Charitable Statistics (NCCS) informing them of a data breach within NCCS’ Form 990 Online and e-Postcard filing systems.

Hackers accessed usernames, first and last names, email addresses, IP addresses, phone numbers and passwords for approximately 700,000 registered users of these sites. Other publicly available information specific to nonprofits was also accessed, such as employer identification numbers and names and addresses for organizations. NCCS has confirmed no social security numbers or credit card information was obtained through the breach.

The investigation into who is behind the hack is still active and NCCS is working with law enforcement and a cybersecurity firm as part of this process. The Form 990 Online and e-Postcard filing systems have been rebuilt on new, secured servers and users are able to access and timely file their tax information without interruption.

What should you do if you received the letter?

  1. Change your Password: NCCS is requiring all registered users to change their passwords. In addition, if users use that same password for other sites, NCCS is encouraging them to change it on those sites, as well.
  2. Communicate with your Board: Whether through a short email or quick phone calls, let your board members know what happened and help them put the risk in perspective.
  3. Prepare a Plan for Donor Communication: NCCS is not currently aware of any compromised Schedule B information, but stated the investigation is ongoing. Schedule B is part of the Form 990 and Form 990-EZ and is not available for public inspection. The schedule contains names and addresses of contributors. If NCCS determines that that information was obtained, then having a donor communication plan that is ready to launch will save you from strategizing under intense time-pressure.

If you haven’t recently undertaken an IT risk assessment, or a full risk assessment of your organization, now is the time to consider this endeavor.

Our recent blog post on Safeguarding Trust with IT Security, provides a starting point of considerations as you evaluate your current IT security strategy.

Safeguarding Trust with IT Security

Hand pushing virtual cloud security buttonBy:  Shelley Earsley

The risk of cybercrime is real and present in today’s ever-technology based life. In fact, according to a new report from the Ponemon Institute, last year, 43% of businesses experienced a data breach, up over 10% from the year before. Moreover, 71% of those affected were small businesses. And while you may assume the compromised data is your biggest area of risk in the event of a security hack, the true threat an IT security breach poses is to your organization’s reputation and your ability to maintain the trust of your donors and board – although, with an average cost of $201 per stolen record in the United States, there’s a substantial financial risk to your organization as well.

Trust is the currency today, and when that trust is broken, it can be extremely challenging to rebuild. It is shocking to find that 27% of organizations today do not have an established security strategy despite the steady rise in threats.

Security and privacy begins in the boardroom; it cascades over the leadership team and trickles down through the organization where it ultimately rests upon the shoulders of every single employee within your organization. As you evaluate your current IT security strategy, the following are important – and often overlooked – aspects to consider.

Security begins with the right leadership. It is critical that you have your organization’s leadership determining the level of risk you will assume; the technology department should never lead security and privacy efforts.

  • Be intentional. Many organizations simply put IT security tools in place and then stand back and wait for something bad to happen. Be intentional, proactive and constantly monitoring the effectiveness of your security tools so that you can continually improve process and procedures while staying ahead of risks with the latest tools and technology.
  • Make it a regular board discussion. Security needs to be a regular aspect of every board strategy and risk assessment meeting. Board members need to be educated on what the risks are and what is being done to mitigate those risks.
  • Put the right tools and policies in place – and monitor their effectiveness. Security measures may work properly in theory, but fail if humans do not use them correctly, alter them, or fail to understand the human factor involved in safeguarding electronic information. As an organization, it is important to remember that the right tools and policies are only as effective as the individuals who monitor them.
  • Solve for mobile. Mobile devices are an integral facet of everyday life for both your staff and your donors. They are also an emerging technology platform for hackers, and they pose a significant security risk within your organization. It is important to find a BYOD solution that functions correctly within your space and allows your organization to interact efficiently with donors. Don’t be afraid of the security aspects of mobile technology; rather, manage those risks appropriately and frequently.
  • Train, train, train. Every employee needs to understand the risks and their role in safeguarding the trust of your organization’s donors. Regular training on policies, procedures and the human behavioral element of security is imperative, particularly during this period of rapid, evolving technological presence in the marketplace.
  • Test. Regular internal and external security testing of your tools, policies and people is truly the most effective method of assessing hidden areas of high risk within your organization. Whether you conduct these tests internally or hire a white-hat hacker to provide an additional perspective is determined by the ability and bandwidth available within your organization.

IT security is about safeguarding trust and deterring breaches. Organizations who take an intentional, proactive stance have the opportunity to drive trust and lead the market in setting the standard for exceptional security. Ultimately, high levels of trust result in higher board and donor satisfaction, staff retention and reduction of organizational risk – all of which are essential in today’s evolving nonprofit landscape.

Collaboration … Consolidation … Coalition

non-profit_many hands-all inBy:  Peggy Jennings

Despite an increase in competition for public and private funding and contributions during the recent economic downturn, a recent study by The Urban Institute reports that “the number of US nonprofits actually grew 7 percent between 2007 and 2011 to 1.58 million, an average of nearly 40 nonprofits per US zip code.” This means that there are a lot more nonprofits competing for the same resources.

Collaboration might be one answer; by working with others in the industry, you may be able to:

  • Take advantage of best practices
  • Build a coalition around a common goal
  • Share services to enhance economies of scale

Alternatively, a nonprofit might consider a consolidation or merger to capitalize on synergies, cost savings or other efficiencies. In doing so, be careful of emotionally charged issues such as creating alignment between boards, ensuring compatible cultures and blending the brands. Further, a due diligence study will help you to determine whether the merger or acquisition is in your best interest.

Formed in 1917 by the merger of two competing firms, Eide Bailly understands how similar transactions can increase, not diminish, your impact to your mission.  Let us know if your strategic plan includes consideration of collaborative or consolidating ventures – we can share our experiences, assist with due diligence and help you achieve your mission and goals.


Opportunity, Actually

In the spirit of Valentine’s Day, we start this post with a quote from the feel-good movie Love Actually:Sunset in frame

Whenever I get gloomy with the state of the world, I think about the arrivals gate at Heathrow Airport. General opinion’s starting to make out that we live in a world of hatred and greed, but I don’t see that. It seems to me that love is everywhere. Often, it’s not particularly dignified or newsworthy, but it’s always there – fathers and sons, mothers and daughters, husbands and wives, boyfriends, girlfriends, old friends. When the planes hit the Twin Towers, as far as I know, none of the phone calls from the people on board were messages of hate or revenge – they were all messages of love. If you look for it, I’ve got a sneaky feeling you’ll find that love actually is all around.

Hugh Grant’s character points out that though gloom is so often the focus of our attention, good overshadows bad – if you just look for it.

And there’s no better industry, as far as we’re concerned, than the nonprofit industry when it comes to finding the good and the opportunity in all situations. We are constantly inspired by the things we’re hearing, so the short summary below is just a small taste of what we’ve heard about recently that has us nodding, smiling, and doing little fist pumps in the air.


Two brothers out of Utah built an app called KiwiTree, which allows users to donate their “change” by rounding up each purchase to the next dollar. It’s still in beta testing, but will provide a new vehicle for facilitating donations.


A group of a dozen Community Foundations convened to discuss shifting investments toward place-based impact investing; this means pulling investments out of Wall Street and focusing on their own communities instead.  A Huffington Post article reporting on this meeting notes that, “The opportunity – or better yet imperative – ahead is the alignment of assets to mission:  the integration of philanthropic gifts and investments for the health of all people in the community where you live.”

Similarly, the Hutton Parker Foundation, out of California, uses commercial real estate as a philanthropy tool and a method for investing in community. As an example, the Foundation recently purchased a building that will be used to create a “foundation center” that will allow the sharing of resources and networking benefits, similar to what you see with start-ups in a tech incubator.  Read more about this exciting approach in this article.


In their 2015 Annual Letter, the Bill and Melinda Gates Foundation outline their “Big Bet”:  that in the next 15 years, we will see major breakthroughs for most people in poor countries.  Their big bet requires the involvement of people and they place a call to action for involvement and sign up at, a website that goes beyond one organization and, instead, pulls together the work of many to reach the common goal of ending extreme poverty.  This is a good reminder that there is opportunity to achieve mission outside of an individual organization’s “walls.”


What opportunities are you seeing in the industry that have you feeling googley-eyed?

Successful Lawsuit Could Mean Digitally Searchable Form 990s

DebNelsonBy:  Deb Nelson

All exempt organizations are required to make their current year Form 990 and two prior year returns available for public inspection. In addition, organizations exempt under IRC Section 501(c)(3) must make the current year Form 990-T and two prior year returns available. These forms contain a wealth of information including financial information, compensation information, listing of board members, grantee information, and information on policies and procedures. In addition, the IRS is required to provide copies of these returns upon request under the Freedom of Information Act (FOIA). Up until now, the IRS has only made the returns available in an image format which is not digitally readable.

Currently when the IRS provides returns to the public, they remove confidential information from the returns; e-filed and paper-filed, and convert them to image files. This image file is not easy to navigate and does not allow for data manipulation. As a result, watchdog groups like GuideStar, Charity Navigator and Urban Institute who receive these files from the IRS, spend significant time and money manipulating the image files prior to making the information available to the general public. For example, GuideStar converts the image files to PDFs for individuals to access. Charity Navigator inputs information from the returns into their own database to analyze nonprofits according to their standards.

Carl Malamud, of Public.Resource.Org., recently filed a lawsuit against the IRS to obtain Form 990s in a computer readable format for nine nonprofit organizations under the FOIA. Public.Resource.Org won the lawsuit against the IRS. The IRS has 60 days to produce Form 990s in a digitally readable format for the nine organizations named in the lawsuit.

This ruling could have a large impact on nonprofit organizations. Digitally readable formats will allow public users of these forms to more easily search for particular items to compare across organizations, such as compensation and lobbing expenses. Users of Form 990s can include prospective board members, current and former employees, reporters and media, and watchdog groups. In addition, his ruling may open the door to more requests by outside groups for digitally readable data. For example, GuideStar, Charity Navigator and Urban Institute may request computer readable format for all returns allowing them to minimize the time and effort required to provide the information currently available, or to offer more information. As a result, nonprofit organizations may be subject to a deeper level of scrutiny by individuals and groups and, therefore, should continually review their Form 990s from a public perception and be proactive and prepared to answer questions that may arise.