The Evil Opportunists: Please Donate Your Personal Details

The ABC recently revealed that a number of popular Australian not-for-profit charity organisations (NPCOs) were inadvertently involved in a data leak when a Brisbane-based telemarketing company that contacted potential donors on their behalf was hacked by cyber criminals. The leak led to the personal information of donors being uploaded to the dark web.[1]

Well-known charities such as the Cancer Council, Canteen and The Fred Hollows Foundation were confirmed as having had donors' personal data compromised. However, it is understood that more than 70 other Australian charities use the company involved in the breach to contact potential donors.

In light of such data breaches, should Australian NPCOs place greater priority on measures that safeguard donor data and maintain public trust?

Australian Charities Snapshot

Australians have a long history of supporting charitable causes. The first Australian private charity dates back to 8 May 1813, when what is now known as the Benevolent Society was formed as the first charitable organisation dedicated to meeting the needs of vulnerable groups.[2] Today, the NPCO sector in Australia comprises:

  • approximately 60,000 charities, roughly one charity for every 433 Australians;
  • 1.42 million employees, who account for 10.5% of all Australian employees;
  • $13.4 billion in donations collected in 2021 alone;
  • approximately $31 billion in assets held; and
  • $9.7 billion distributed annually through grants and donations.[3]

These statistics highlight the willingness of Australians to donate, and how prevalent charities are in Australian society. Given the recent data breach (and however many more there have been that we are not aware of), should Australians be concerned about the governance, structure and security of NPCOs?

What defines an NPCO?

There are strict compliance rules and obligations for an organisation to be recognised, and to operate, as an NPCO in Australia. Whether an organisation is a charity is determined by the Charities Act 2013 (Cth) (Act), and charity registration is administered by the Australian Charities and Not-for-profits Commission (ACNC). The Act states that to be recognised as a charity, an organisation must:

  • be not-for-profit;
  • have only charitable purposes that are for the public benefit;
  • not have a disqualifying purpose (that is, engaging in or promoting activities that are unlawful or contrary to public policy, or promoting or opposing a political party or a candidate for political office); and
  • not be an individual, a political party or a government entity.

How to create an NPCO

Firstly, anyone who wishes to create an NPCO must choose the correct legal structure for their specific organisation, as different legal structures create different legal obligations and carry different benefits and drawbacks. When deciding on a legal structure, any potential NPCO must consider (among other things):

  • the charity’s size and how complex its activities will be;
  • whether it will have employees or volunteers;
  • the potential personal liability of members or office holders; and
  • any eligibility for tax concessions.

The most common legal structures for an NPCO in Queensland are an incorporated association and a company limited by guarantee (CLG). Others include charitable trusts, Indigenous corporations and trade unions.

One key difference between an incorporated association and a CLG is that an incorporated association is generally limited to operating in the state or territory in which it is registered, whereas a CLG can operate Australia-wide. Focusing on a CLG, it must (among other things):

  • have at least three directors and one secretary;
  • have at least one member;
  • have a registered office address and principal place of business located in Australia; and
  • be governed by a constitution.

Whichever legal structure is chosen, once established, the new legal entity must then be registered with the ACNC to be recognised as a charity in Australia.

Governance Standards

The ACNC Governance Standards (Governance Standards) are a set of core, minimum standards relating to charity governance and how a charity is managed, including its processes, activities and relationships. NPCOs must meet the Governance Standards to be registered as a charity with the ACNC. Nothing formal needs to be submitted, but an NPCO must be able to provide evidence of meeting the Standards if requested.

Responsible People are the people who manage the NPCO, such as company directors. Under the Governance Standards, Responsible People have a duty to:

  • act with reasonable care and diligence;
  • act honestly and fairly in the best interests of the charity and for its charitable purposes;
  • not misuse their position or information they gain as a responsible person;
  • disclose conflicts of interest;
  • ensure that the financial affairs of the charity are managed responsibly; and
  • not allow the charity to operate while insolvent.

As explained below, the Governance Standards combine with legislative and regulatory instruments to regulate and protect NPCOs.

Rules of an NPCO

When registering with the ACNC, an organisation must submit its governing document (such as a constitution), which among other things must set out the charitable purpose of the organisation. In addition, all Responsible People within an NPCO must have a level of financial understanding that enables them to make informed decisions about the NPCO's finances.

Charities have an obligation to ensure they have the resources they need to fulfil their charitable purpose. Responsible People play a key role in managing the charity's finances, ensuring they are used correctly and protected from abuse, while also identifying and managing strategic risks such as fraud.

Raising Money

Responsible People must understand how their charity raises funds, and must ensure that information collected from donors is appropriately stored and safeguarded. Any use of personal data must adhere to applicable Australian laws. Outsourcing fundraising (as in the breach noted above) does not release Responsible People from their obligations: they remain ultimately accountable for the safety of donors' personal information.

Clearly, handling personal information poses inherent risks, as the data leak described above highlights. Recognising those risks and implementing measures to minimise them are critical to effective charity governance.

Some potential risks associated with information and data management include:

  • inadequate procedures or training for staff handling personal information or data;
  • loss or theft of personal information or data, either physically or electronically;
  • inadequate policies and practices at external service providers entrusted with personal information or data;
  • non-compliance with applicable laws;
  • the failure of physical data security systems; and
  • malicious external cyberattacks, such as hacking or malware infections.

A charity's reputation is particularly susceptible to the repercussions of failing to mitigate information and data management risks: a breach creates mistrust, reputational damage and the loss of charity funds and resources.

Why do Hackers Target NPCOs?

Most charities are small: one third of Australian charities have an annual turnover of less than $50,000. NPCOs therefore tend to direct their limited resources into work that achieves their mission rather than into cyber security. Further, charities have a high proportion of part-time staff and volunteers, leaving less capacity to upskill in digital areas.

NPCOs often fill a crucial gap in services and support where government or private-sector alternatives are insufficient, and in doing so charities (or third parties engaged by charities) collect and store a wealth of personal information about donors, volunteers and beneficiaries. This is a valuable resource for hackers seeking to carry out identity theft, fraud or blackmail.[4]

Cybersecurity for NPCOs

There are a number of laws Australian NPCOs should be aware of, and comply with, regarding cyber security and the loss of personal information, including:

  • the Privacy Act 1988 (Cth) (Privacy Act), which is the national law regulating how private organisations collect, use, disclose, secure and dispose of personal information, and which, through the Notifiable Data Breaches scheme, requires covered organisations to notify the Office of the Australian Information Commissioner and affected individuals of eligible data breaches (many small organisations with annual turnover under $3 million fall outside the Privacy Act unless an exception applies, so each NPCO should confirm whether it is covered);
  • the Security of Critical Infrastructure Act 2018 (Cth), which imposes enhanced cyber security obligations on responsible entities for critical infrastructure assets and systems of national significance in order to improve their preparedness for, and ability to respond to, cyber security incidents (few charities will be captured, but those operating such assets should check); and
  • the ACNC Governance Standards, in particular Governance Standard 3, which requires charities to comply with Australian laws.

In order to mitigate their exposure to cyberattacks, NPCOs can:

  • invest in cybersecurity measures by deploying security software, training staff and developing incident response plans;
  • raise awareness of cybersecurity risks by educating staff, volunteers and donors about threats and how to protect themselves;
  • implement strong data security practices, limit access to sensitive data, and share with third-party fundraisers only the minimum donor data they need, for only as long as they need it; and
  • regularly review and update their cybersecurity policies and procedures as cyber threats evolve.

Penalties for Cyber Breaches

As noted above, Responsible People remain accountable for the protection of personal data even where the leak originates with a third party. In addition to the potential harm to beneficiaries, reputational damage and loss of funds, NPCOs face regulatory and civil action in the event of a cyber security breach.

In Australia, the Office of the Australian Information Commissioner (OAIC) is the regulator with authority to investigate suspected breaches of the Privacy Act. Upon finding non-compliance, the OAIC can take enforcement action, including determinations, enforceable undertakings, injunctions and civil penalty orders against organisations. The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, passed in December 2022, substantially increased the maximum penalties for organisations (including charities) for serious or repeated interferences with privacy.

Non-compliance may also trigger ACNC investigations, which can be lengthy, demanding and resource-intensive, and may result in the ACNC issuing directions or accepting enforceable undertakings. In severe cases, the ACNC can deregister a charity whose Responsible People fail to comply with the Governance Standards.

In Conclusion

In the face of recent data breaches, Australian charities must step up their cybersecurity policies and procedures to protect donor data and maintain public trust. The governance framework provides NPCOs with legislative and regulatory rules that, if followed, should ensure compliance and instil trust in donors.

While the charitable sector’s altruistic nature may make it an easy target for hackers, charities must adopt a business-like approach to cybersecurity, investing in robust defences and educating staff to avoid becoming the next headline. After all, when it comes to cybersecurity, it’s not just about protecting the charity’s reputation; it’s about protecting the trust and generosity of the people they’re trying to help.

Salerno Law has a high level of direct interaction with not-for-profit organisations, from the initial set-up stage and thereafter as required, ensuring that any legal issues or requirements that arise are met and actioned in the most effective manner.

Author: Christopher Horn

[1] https://www.abc.net.au/news/2023-08-23/pareto-phones-data-breach-canteen-cancer-council-fred-hollows/102763776

[2] https://www.benevolent.org.au/about-us/our-history

[3] Australian Government, Australian Charities and Not-for-profits Commission, Australian Charities Report, 9th Edition, 2023.

[4] https://probonoaustralia.com.au/news/2023/01/charities-more-vulnerable-to-cyber-attacks/