July 31, 2012
Cyber Risks at Church
New technologies bring new liabilities. Is your church exposed?
Church websites, Facebook pages, electronic fund transfers, online databases with sensitive information—churches using digital tools face new methods for operating, as well as new risks. And like all risks, the potential liabilities associated with technology use require a good risk management plan.
According to Paula Burns, a risk management expert with Insurance One Agency, cyber liability relates to the display, transmission, dissemination, or other use of “matter” in a cyberspace environment.
Computer viruses are one significant vulnerability for churches. For example, if a computer virus infects your church’s network and system, you could face significant loss or corruption of data—a first-party loss. If someone on your church staff inadvertently spreads this virus to others outside your ministry, your church could be liable for a third-party loss. In either case, churches’ insurance policies frequently do not provide coverage for cyber liability like this.
“Few insurance companies have responded fully with policy language and coverage that addresses exposures to cyber liability,” Burns says. “Churches need to ask their insurance provider whether or not they offer coverage against first- and third-party loss for computer viruses and other technology-related incidents.”
Other cyber risks include intellectual property liability, such as trademark and copyright infringement. The risk of copyright infringement is high in an environment where what goes viral is most highly valued, regardless of who owns the content. Sermons, musical performances, images, video clips, and other forms of intellectual property can be disseminated instantaneously across the Internet.
Reducing the risk of cyber liability
Churches can reduce the risk of loss associated with viruses, copyright infringement, and other cyber risks by establishing a gatekeeper for technology—someone who is responsible for establishing and enforcing appropriate parameters for technology usage in the church.
“The gatekeeper monitors computers for viruses, keeps anti-virus software up-to-date, and stays current on risks associated with computer viruses,” says Burns. They can also monitor permissions for copyrighted material, such as licenses for music and video usage through outside sources, and ensure that the church has proper consent to use an individual’s picture on the church website or in other materials.
Burns suggests additional ways churches can reduce cyber risks:
- Limit access to the church’s webpage. Establish administration access so only a few key people can update the site and make changes to it.
- Limit access by staff to the church’s network. Churches gather and store reams of sensitive, personal information on members, including information related to their giving. Most data breaches, such as identity theft and embezzlement of funds, occur from the inside. Be sure your church staff only has access to areas of the network that are appropriate for their leadership level.
- Do not post any copyrighted material on your website without getting written permission. See Richard Hammar’s Essential Guide to Copyright Law for Churches for a comprehensive look at how to prevent sharing or using information without receiving the author or creator’s permission.
- For pastors, worship leaders, and other leaders who are creating original works, such as sermons, songs, or training curriculum for small groups, and want to retain copyrights to their work, be sure to create these works outside of normal work hours, using your own computer. Otherwise, absent a contract, original works are likely owned by the church and not the individual.
- Do not post photos of a minor online without a written form of consent. Uploading pictures and tagging them on Facebook may be commonplace, but the Children’s Online Protection Act (COPA) requires that images of minors NOT be used unless written consent has been given. It also forbids including any identifying information of minors to keep pedophiles from finding them. Churches and other nonprofits are not obligated to follow COPA requirements; however, they would do well to implement them anyway. Turning off functions, such as geotagging on photos, and forgoing tagging minors’ names on Facebook photos are two ways churches can keep young people safer.
- Do not include names or other identifying information on public prayer lists. Church offices, too, need to take care not to post private information, such as who the pastor is visiting in the hospital, in a place where visitors to the office can learn about it.
- Churches MUST have a gatekeeper if they have a blog. Blogs that include comment fields are becoming a minefield for defamation, libel, and slander. Churches also need to consider implementing guidelines for leaders who publish personal blogs, including a disclaimer that their views are their own and not the views of the church where they lead. The downloadable resource, Using Social Media Safely, outlines parameters for using social media at church, including policies for blogging, e-mailing, and personal use of church computers.
To learn more about reducing the risk of cyber liabilities, see Preventing High-Tech Fraud and Best Practices for Technology Usage, two downloadable training resources from Church Finance Today and Church Law & Tax Report.