The Donor Data You Forgot You Were Holding

"We don't really have any sensitive data."

I have heard that sentence in a lot of conference rooms, almost always said with confidence, often by someone who runs a good organization and means every word of it. A small leadership team, a board that shows up, a mission they believe in completely. Then I ask a few questions, and we open a few files, and the confidence drains out of the room.

Here is what tends to be in those files. Donor records going back a decade or more: names, home addresses, giving histories, and often the card numbers and bank details behind recurring gifts. The identities of major donors who gave on the explicit condition that no one would ever know. And then the records that should keep all of us up at night, the ones about the people the organization exists to serve. For a shelter, that can mean the home and work addresses of people hiding from someone who has promised to hurt them. For a clinic, it can mean diagnoses. For a legal aid group or a refugee organization, it can mean immigration status and the names of family members still living in a country someone risked their life to leave.

That is the thing we get wrong about data in mission-driven work. We picture sensitive data as something that belongs to banks and hospitals and technology giants, the kind of organizations with a security team and a budget to match. We do not picture it as the contents of our own development database. So we tell ourselves a comfortable story: we are small, we are doing good work, we have nothing anyone would want. Every part of that story is wrong, and the last part is the most expensive.

Start with the belief that we are too small to be a target. It assumes someone sat down and chose us, weighed our organization against larger ones and decided we were worth the effort. That is not how this works anymore, and it has not been for years. The people who steal data at scale are not choosing anyone. They are running automated scans across the whole internet, looking for the unlocked door, and they do not know or care whether the door belongs to a bank or a food pantry. To the person who eventually buys a stolen identity, a donor's information is worth the same whether it came from a multinational or from a nonprofit with four people on staff. The only difference is that the nonprofit was easier to reach. Being small does not take us off the list. It often moves us up it.

So the real question was never whether we are a target. The question is what happens to the people who trusted us when their information gets out. This is where our sector differs from almost every other, and where the stakes are easy to understate. When a retailer is breached, a customer cancels a card and grumbles, and the cost is measured mostly in money and inconvenience. When a shelter is breached, someone may have to leave their home in the night. When a clinic is breached, a diagnosis someone told no one becomes a thing other people know. We are fond of saying that we aren't protecting data, we're protecting people. In our sector that is not a turn of phrase. It is the literal description of who absorbs the harm, and it is almost always the person who already had the least protection to begin with.

This is the part where the boards I sit with tend to go quiet, because once you say it plainly the gap is hard to look away from. The organization holds some of the most sensitive information about some of the most vulnerable people it could possibly hold, and it protects that information with whatever was left over after the programs were funded. Security shows up in the budget the way overhead always does, last and least, because it does not move any of the numbers the board reviews each quarter. No one decided to underprotect the people they serve. It happened the way most quiet failures happen, one reasonable tradeoff at a time, until the cumulative result is an organization carrying a risk it never actually chose to accept.

I want to be careful here, because the answer is not fear, and it is not spending money you do not have. Most mission-driven organizations cannot buy their way to safety, and they do not need to. What they need first is to stop pretending the data is not there. You cannot protect what you will not admit you hold, so the first move costs nothing but honesty: write down what you actually have. Where the donor financial data lives, who can reach the beneficiary records, which spreadsheet on which laptop holds the thing that would do the most harm if it walked out the door. Most organizations have never made that list, and making it is often the most clarifying afternoon a leadership team will spend all year.

Then triage by harm, not by volume. A list of ten thousand newsletter signups matters far less than a single file naming the people in your shelter, even though one is large and the other is small. Protect the records that would hurt a real person most, and protect them first. That is where the limited dollars belong, and a board can understand that logic immediately, because it is the same logic the mission already runs on. We do not serve the easiest people. We serve the ones who need it most. Protect their information the same way.

Then take the honest picture to the board, and ask the question that actually surfaces the risk. Not "are we secure," which no one can answer and which lets everyone nod and move on. Ask instead: if this specific information were exposed tomorrow, who gets hurt, and how badly. That question turns an abstract line item into a decision about real people, and it is the only version of the conversation that has ever moved a budget in my experience. Compliance, by the way, will not get you there. Meeting the minimum a regulation requires tells you that you have cleared the legal floor. It says nothing about whether the people who trusted you are safe. Compliance is a floor, not a ceiling, and in our sector the distance between the two is measured in human beings.

The confidence that drains out of that conference room is not a bad thing. It is the beginning of a better story, the one where an organization finally sees the weight of what it has been carrying and decides to carry it well. The organizations that protect their people best are not the ones with the largest budgets. They are the ones that stopped insisting they had nothing worth protecting.

You have something worth protecting. It is the same thing your mission already exists to protect. If you do nothing else after reading this, make the list. Find out what you are holding. Everything good starts there.