Best Practices for Avoiding Cyberliability Problems

Steps to take to avoid data breaches and other mishaps.

No amount of cyberliability insurance coverage can protect a church against a damaged reputation and loss of trust. That’s why it’s important to take steps to keep data breaches and other technological mishaps from happening in the first place. “Prevention is extremely important, and it doesn’t have to be that expensive,” stressed Nick Nicholaou, cofounder of Ministry Business Services, Inc., a team of IT strategists serving ministries, and author of Church IT: Using Information Technology for the Mission of the Church.

Something as innocent as offering free public wireless networking can get a church in trouble, according to Nicholaou.

Nicholaou gives the example of a Missouri church that neither password-protected nor adequately managed its open Wi-Fi by turning it off when it wasn’t needed. “There was a guy that was pulling into their parking lot in the evenings, and he was distributing child porn through their public Wi-Fi connections,” Nicholaou said. “When the FBI determined what IP address the child porn was coming from, they knew it was such-and-such church, so they swooped in and confiscated all the computers” and the church’s servers.

Even though no one with the church was involved in the crime, the church ended up on the news and staff members lost access to their computers for months. “That was a very heavy cost for that church, and it could have been prevented very easily and for almost no cost,” he said.

Along with addressing potential hacking and cybercrimes, churches also must work hard to maintain their integrity in copying and sharing information online, said Frank Sommerville, an attorney and senior editorial advisor for Church Law & Tax. “No church would knowingly steal someone else’s property and use it in their newsletter,” he said. “But [they think], ‘Oh, it’s on the internet, so it must be free.’”

In reality, most copyright laws do apply to churches, said Susan Fontaine Godwin, founder of Christian Copyright Solutions. “Many churches and church leaders have a lack of knowledge,” she said, “and they sometimes just don’t even think about the way they might be using copyrighted material, and that they could be at risk of infringement.”

“There are some exemptions which cover churches and religious organizations,” she added. “But for the most part, a church would be viewed under the copyright law pretty much in the way that any business or organization would.”

Another crucial issue for churches to take into consideration is member privacy, according to Sommerville. He cited the case of a church that posted Vacation Bible School pictures and then discovered that some of the children were part of a family in a witness protection program.

“What we recommend is, if you’re going to take pictures, whether it’s broadcasting your Sunday services or Sunday school activity, you post signs in your parking lots and at your entrances,” advised Sommerville, noting that “the signs give people an opportunity to turn around and go home if they don’t want to be photographed or recorded.”

Jeremy Thompson, an information security expert, offers these tips:

  • Engage third parties to host payment information and Social Security numbers so that this sensitive information does not reside with the church. Utilize established firms who have an established presence. Do not look to be anyone’s biggest customer. Find someone for whom these transactions are a core competency. It may be your local financial institution, it may be a niche-specific provider, or it may be a nationwide presence, like PayPal.
  • Use strong security defense tools to protect your device and data. Enabling software firewalls on your device will help fend off hacking attempts, and use of encryption for sensitive data is the best method to protect it, especially if the data must be stored on a computer by a church staff member (for example, a youth pastor who needs to bring medical information about youths on his laptop for a missions trip overseas). Keeping antivirus and anti-malware software up to date and having a personal firewall enabled are the bare minimum tactics you should always consider when connecting to a public network or the internet. Ensure all software has current security patches or fixes applied. Use strong passwords on all laptops and desktop computers, and ensure all accounts have strong passwords. When possible, utilize multifactor authentication, such as a fingerprint swipe or “soft token,” and use disk encryption to protect sensitive information.
  • Educate staff to exercise caution when opening and clicking through email. Be suspicious of email you aren’t expecting, either based on the sender or content. Do not click on unfamiliar links. If you have doubts, follow up with the sender via a separate, new email (not a reply) or via phone to verify the legitimacy of a request. Follow the safety practices outlined by the National Cyber Security Alliance.
  • Develop prayer request distribution best practices. Keep any personal or sensitive details out of the distributed prayer request. Do not pass along anything other than publicly available information without written consent. (You can learn more about privacy rights at
  • Establish or enforce a social media use policy. A social media policy should include a list of do’s and don’ts to guide acceptable behavior. It should specify who can publish content on the church’s behalf. It should give guidelines as to the use of parishioners’ names or sensitive information. Social media are more akin to a press release than a church newsletter, so keep in mind that your messages and posts may be read by the general public, as well as your members.

This content is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the services of a competent professional person should be sought. "From a Declaration of Principles jointly adopted by a Committee of the American Bar Association and a Committee of Publishers and Associations." Due to the nature of the U.S. legal system, laws and regulations constantly change. The editors encourage readers to carefully search the site for all content related to the topic of interest and consult qualified local counsel to verify the status of specific statutes, laws, regulations, and precedential court holdings.
