Nonprofits hold something remarkably valuable — not just donations, but the personal data of every person who has ever given, volunteered, or attended an event. Names, home addresses, email addresses, phone numbers, employer information, and in many cases, full credit card or bank account details.
Yet nonprofits are often the least resourced when it comes to protecting that information. Limited IT budgets, small staffs wearing multiple hats, and a culture of trust over verification create an environment where data breaches thrive.
Why Nonprofits Are Increasingly Targeted
Cybercriminals have realized that nonprofits combine high-value data with low-maturity security. The 2025 Verizon DBIR found that attacks on nonprofits increased 38% year-over-year, with ransomware and business email compromise leading the way.
The reputational damage alone can be existential. When donors learn their personal and financial information was compromised because an organization lacked basic protections, giving drops precipitously. A 2024 study by the Nonprofit Technology Enterprise Network found that organizations experiencing a publicized breach saw a 22% decline in donations over the following 12 months.
What Donor Data Are You Actually Storing?
Before you can protect donor data, you need to inventory what you have. Most nonprofits store far more than they realize:
- Contact information: Names, addresses, phone numbers, email addresses
- Financial data: Credit card numbers, bank account details for recurring gifts, payment histories
- Demographic data: Age, employer, income estimates, family information
- Engagement data: Event attendance, volunteer history, communication preferences
- Relationship data: Board connections, peer-to-peer fundraising networks, gift officer notes
Data Minimization Principle: If you don't need it, don't store it. Every piece of data you retain is data you must protect. Review your intake forms and CRM fields annually — if a data point hasn't been used in fundraising or stewardship in 24 months, consider whether you truly need it.
Securing Your Donor CRM
Your CRM (Bloomerang, Salesforce Nonprofit, DonorPerfect, Little Green Light, or similar) is the heart of your donor data. Securing it requires:
Access Controls
- Enforce role-based access — development staff see donor records; program staff see only what they need
- Remove access immediately when staff or volunteers leave
- Require MFA for every CRM login — no exceptions for board members
- Audit access logs monthly to identify unusual patterns
Data Handling Policies
- Never export full donor lists to personal email or USB drives
- Prohibit storing donor data in personal spreadsheets outside the CRM
- Encrypt any reports containing PII before sharing internally
- Delete exported files after use — don't let donor CSVs accumulate on desktops
Payment Processing Security
If your organization processes donations online, you likely fall under PCI DSS requirements. The simplest path to compliance:
- Use a PCI-compliant payment processor (Stripe, PayPal Giving Fund, Square) that handles card data on its own servers — your systems never touch full card numbers
- Never store credit card numbers in your CRM, spreadsheets, or paper files
- Use tokenization for recurring gifts — store tokens that reference the processor, not actual card data
- Secure your donation pages with HTTPS and ensure they are hosted on PCI-compliant infrastructure
Red Flag: If any staff member can view a full credit card number in your system, you have a serious compliance gap. Modern payment processors never expose full card numbers — if yours does, it's time to switch.
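As an added example (not part of the original article), here is a small Python check that scans an exported donor CSV for raw card numbers that should have been replaced by processor tokens; the sample export and the "tok_" token format are constructed for illustration, not taken from any real CRM or processor.

```python
import csv
import io
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card-number candidates found in one text field."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found

def mask(pan: str) -> str:
    """Keep only the last four digits, as a compliant report would."""
    return "*" * (len(pan) - 4) + pan[-4:]

def scan_export(csv_text: str) -> list[dict]:
    """Scan every cell of a CSV export and report rows holding a raw PAN."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):   # header is line 1
        for column, value in row.items():
            for pan in find_pans(value or ""):
                findings.append({"line": line_no, "column": column, "masked": mask(pan)})
    return findings

# Constructed sample export: one row wrongly holds a raw (test) card number,
# the others correctly hold only a hypothetical processor token.
SAMPLE_EXPORT = """donor_id,name,payment_method,notes
1001,Jane Example,tok_3xampl3T0k3n,Recurring monthly gift
1002,John Sample,4111 1111 1111 1111,Card entered manually by staff
1003,Pat Test,tok_0th3rT0k3n,Phone 555-0100 order 20250101
"""

if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print(f"line {f['line']}, column {f['column']}: raw card number {f['masked']}")
```

Run it against the CSV files that accumulate on fundraising staff desktops; any hit is the compliance gap described above, and the masked output can go into a report without re-exposing the number.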
Email Security for Fundraising Teams
Development teams send and receive sensitive information constantly — gift discussions, pledge agreements, estate planning documents. Protect these communications:
- Enable email encryption for messages containing financial or personal information
- Train staff to recognize phishing — attackers often impersonate major donors or board members requesting wire transfers
- Verify unusual gift instructions by phone before acting — especially changes to recurring gift payment methods
- Use secure file sharing (SharePoint, Google Drive with restricted access) instead of email attachments for sensitive documents
Volunteer and Event Data
Donor data gets the most attention, but don't overlook:
- Volunteer applications — may include background check results, Social Security numbers, or health information
- Event registration data — dietary restrictions can reveal health conditions; emergency contacts are PII
- Youth program data — subject to COPPA if collecting information from children under 13 online
Building a Data Protection Framework on a Nonprofit Budget
You don't need enterprise-grade spending to protect donor data. Here's a prioritized approach:
Phase 1: Immediate (Free to Low Cost)
- Enable MFA on all accounts (CRM, email, cloud storage)
- Review and restrict CRM access permissions
- Conduct a data inventory — know what you have and where it lives
- Write a basic data handling policy and share with all staff
Phase 2: Near-Term ($500-2,000/year)
- Implement a password manager for the organization
- Enable email encryption and DLP policies in Microsoft 365 or Google Workspace
- Conduct annual staff security awareness training
- Set up automated backup for your CRM data
Phase 3: Ongoing (Managed Services)
- Partner with an IT managed services provider for continuous monitoring
- Implement endpoint protection on all organizational devices
- Conduct annual security assessments and penetration testing
- Develop and test a data breach response plan
Many IT managed services providers in Northern Virginia offer nonprofit-specific pricing that makes professional security accessible even for organizations with annual budgets under $1 million.
When a Breach Happens: Notification Requirements
Every state has data breach notification laws. In Virginia, if you experience a breach affecting donor personal information, you must notify affected individuals "without unreasonable delay" and no later than 60 days after discovery. If more than 1,000 individuals are affected, you must also notify the Attorney General and credit reporting agencies.
Having a response plan in place before a breach occurs is the difference between a manageable incident and an organizational crisis.