Best Practices for Avoiding Cyberliability Problems

No amount of cyberliability insurance coverage can protect a church against a damaged reputation and loss of trust. That’s why it’s important to take steps to keep data breaches and other technological mishaps from happening in the first place. “Prevention is extremely important, and it doesn’t have to be that expensive,” stressed Nick Nicholaou, cofounderof Ministry Business Services, Inc., a team of IT strategists serving ministries, and author of Church IT: Using Information Technology for the Mission of the Church.

Something as innocent as offering free public wireless networking can get a church in trouble, according to Nicholaou.

Nicholaou gives the example of a Missouri church that neither password-protected nor adequately managed its open Wi-Fi by turning it off when it wasn’t needed. “There was a guy that was pulling into their parking lot in the evenings, and he was distributing child porn through their public Wi-Fi connections,” Nicholaou said. “When the FBI determined what the IP address the child porn was coming from, they knew it was such-and-such church, so they swooped in and confiscated all the computers” and the church’s servers.

Even though no one with the church was involved in the crime, the church ended up on the news and staff members lost access to their computers for months. “That was a very heavy cost for that church, and it could have been prevented very easily and for almost no cost,” he said.

Along with addressing potential hacking and cybercrimes, churches also must work hard to maintain their integrity in copying and sharing information online, said Frank Sommerville, an attorney and senior editorial advisor for Church Law & Tax. “No church would knowingly steal someone else’s property and use it in their newsletter,” he said. “But [they think], ‘Oh, it’s on the internet, so it must be free.’”

In reality, most copyright laws do apply to churches, said Susan Fontaine Godwin founder of Christian Copyright Solutions. “Many churches and church leaders have a lack of knowledge,” she said, “and they sometimes just don’t even think about the way they might be using copyrighted material, and that they could be at risk of infringement.”

“There are some exemptions which cover churches and religious organizations,” she added. “But for the most part, a church would be viewed under the copyright law pretty much in the way that any business or organization would.”

Another crucial issue for churches to take into consideration is member privacy, according to Sommerville. He cited the case of a church that posted Vacation Bible School pictures and then discovered that some of the children were part of a family in a witness protection program.

“What we recommend is, if you’re going to take pictures, whether it’s broadcasting your Sunday services or Sunday school activity, you post signs in your parking lots and at your entrances,” advised Sommerville, noting that “the signs give people an opportunity to turn around and go home if they don’t want to be photographed or recorded.”

Jeremy Thompson, an information security expert, offers these tips:

• Engage third parties to host payment information and Social Security numbers so that this sensitive information does not reside with the church. Utilize established firms who have an established presence. Do not look to be anyone’s biggest customer. Find someone for whom these transactions are a core competency. It may be your local financial institution, it may be a niche-specific provider, or it may be a nationwide presence, like PayPal.
• Use strong security defense tools to protect your device and data. Enabling software firewalls on your device will help fend off hacking attempts and use of encryption for sensitive data is the best method to protect it, especially if the data must be stored on a computer by a church staff member (for example, a youth pastor who needs to bring medical information about youths on his laptop for a missions trip overseas).
  
  Keeping antivirus, anti-malware up to date and having a personal firewall enabled are the bare minimum tactics you should always consider when connecting to a public network or internet. Ensure all software has current security patches or fixes applied. Use strong passwords on all laptops and desktop computers, and ensure all accounts have strong passwords. When possible, utilize multifactor authentication, such as a fingerprint swipe or “soft token,” and use disk encryption to protect sensitive information.
• Educate staff to exercise caution when opening and clicking through email.Be suspicious of email you aren’t expecting, either based on the sender or content. Do not click on unfamiliar links. If you have doubts, follow up with the sender via a separate, new email (not a reply) or via phone to verify the legitimacy of a request. Follow the safety practices outlined by the National Cyber Security Alliance.
• Develop prayer request distribution best practices. Keep any personal or sensitive details out of the distributed prayer request. Do not pass along anything other than publicly available information without written consent. (You can learn more about privacy rights at PrivacyRights.org.)
• Establish or enforce a social media use policy. A social media policy should include a list of do’s and don’ts to guide acceptable behavior. It should specify who can publish content on the church’s behalf. It should give guidelines as to the use of parishioners’ names or sensitive information. Social media are more akin to a press release rather than a church newsletter, so keep in mind that your messages and posts may be read by the general public, as well as your members.