Cyber Security for Nonprofits - Successful Nonprofits

How to Prevent a Data Breach at Your Nonprofit with Spencer Pollock

Are You Protecting Your Data?

How to Prevent a Data Breach at Your Nonprofit with Spencer Pollock

Are You Protecting Your Data?

by Ro

Many nonprofits think they are safe from cyber-attacks because of their missions and small budgets (at least compared to Fortune 500 companies). But today’s guest says that, unfortunately, hackers don’t care. They look for low-hanging fruit. And if you aren’t taking precautions now, that means you.

Spencer Pollock is an attorney who specializes in cybercrime and cyber law. He joins us to share simple precautions you can take to protect your nonprofit and what to do if you experience a data breach. So listen in right now and make sure your organization is high-hanging fruit!

Listen to the Episode Here!

Links

Website: Niles, Barton, & Wilmer

Spencer’s Bio

Spencer’s LinkedIn

Podcast: Cyber Law Revolution 

Podcast: Ep 164: How to Love Your Next CRM with Maureen Wallbeoff

Podcast: Ep 114: Everyone Must Get On Board the Tech Train…or It’s Not Leaving the Station with Peter Gross

Timestamps

(03:41) Cyber scam vs data breach and your liability

(09:40) Why nonprofits are low-hanging fruit

(12:47) What to do during a data breach

(16:39) What to look for in a cyber insurance policy

(20:19) How to prevent a data breach

(24:40) Vetting your vendors 

(29:44) Employee training

(33:33) Passwords

Transcript

Dolph Goldenburg (0s):
Welcome to the Successful Nonprofits® Podcast. I’m your host, Dolph Goldenberg. Listeners, we have a really great conversation coming up today with Spencer Pollock. We are going to be talking about cybersecurity, what you need to know about it, how not to be vulnerable, the hidden costs, and everything else you need to know right up front about cybersecurity. Before we talk about that, I have to reflect that it is March and many boards are scratching their heads and saying, “Should we be having some type of board retreat in the spring or the early summer?” 

Dolph Goldenburg (43s):
If your board is thinking that and you’re looking for a facilitator, I would encourage you to go over to successfulnonprofits.com. I do a lot of board retreat facilitation. I’ve got some out-of-the box packages and some customized packages. Regardless of what your board needs this time (whether it’s transition, planning, or building board expectations), we can probably help you out. Again, head over to successfulnonprofits.com. Now, it is my distinct pleasure to introduce Spencer Pollock to you. He and I had an incredible conversation last week that I wish I could have taped because it would have been the entire podcast episode. 

Dolph Goldenburg (1m 27s):
Spencer is an attorney who graduated from the University of Baltimore and specializes in cybercrime and cyber law. He is the person you want in your corner, not if something happens, but before something happens. Now, I know some people might already be thinking, “I don’t know if this episode really applies to me. We’re not a big organization. We’re not anybody’s target.” I want to share a quick story with you. In 2017, there was a small nonprofit in Indiana that served people who are cancer patients. 

Dolph Goldenburg (2m 17s):
One day, they came into the office and there was a message on their computer screens that said, “Cancer sucks and we suck more.” Their system had been hacked, and the hackers had encrypted all of their client information. They also took a copy of all of their client information for themselves and held that client information ransom. The organization, which was not a large organization, ended up having to pay the hackers $43,000 to get their information back with a promise that that information would never be released somewhere in the dark web. 

Dolph Goldenburg (3m 2s):
That should strike fear in the hearts of every nonprofit because cybercrime is far more common than we think it is. One reason for that is, we don’t really talk about it. If it happens to our organization, often we’re ashamed or we think, “Let’s not tell anybody.” This is far more common than we think it is. Spencer, welcome to the podcast. 

Spencer Pollock (3m 32s):
Thank you so much for having me. I need to show that introduction about me to my family and friends. So they know I’m an okay person at times. I appreciate it. 

Dolph Goldenburg (3m 41s):
I love it. In our conversation last week, we talked about the difference between data breaches and cyber scams. Since we’re going to be focusing on data breaches today, it might be helpful for us to define both to give some context for our conversation today. 

Spencer Pollock (4m 10s):
It’s a great question. And it’s something I run into a lot. I put it into two buckets. You get the data breach and the cyber incident, or cyber scam. All data breaches are going to start with a cyber incident, but not all cyber incidents become data breaches. This is a really important distinction, because that’s where you’re going to get into the legal areas. When I’m talking about a cyber incident, there are thousands of cyber attacks a day and attempted cyber-attacks. Think about the scams that we all have to deal with, like a call from the social security administration saying to call us back or from your mortgage company to discuss refinancing. 

Spencer Pollock (4m 52s):
You call them back. You make the mistake of giving your social security or a bank account number. That’s a scam. Or a hacker emails a nonprofit and says, “We need a thousand gift cards.” Maybe it looks like a legitimate partner that the nonprofit works with. I said, “Okay, we’ll send you a thousand Walmart gift cards.” That’s a scam. The question to ask is: Is this affecting individual information or things that are public or have no individual information. If I give my social security number myself, it doesn’t impact my law firm. It impacts me. If I send a gift card from a nonprofit out, it’s not going to impact donor lists, employee information, or bank account numbers. It is isolated. 

Spencer Pollock (5m 41s):
When you think about a data breach, that’s where we really start getting into organization-wide impact. That means somebody has control of your systems and then basically downloads all of your information, like your donor list. That information might then include information like social security numbers, bank accounts, or health information, anything that is going to cause harm to your clients, your donors, your employees. You gave a good example about the 2017 breach and $43,000. While it seemed like a lot, it is very much on the low end of these data breaches. The average data breach is about $3.86 million and nonprofits are not immune to it, unfortunately. 

Dolph Goldenburg (6m 38s):
To drive this point home, it’s not only client data. It could be our employee’s data. We have enough data on all of our employees to be able to steal any of their identities. I know some listeners might be thinking, “We’re okay because we don’t have an onsite server. All of our data’s in the cloud.” Should they feel better about that? 

Spencer Pollock (7m 6s):
No. When I talk about this, people think I’m trying to scare them. Honestly, I’m not. Unfortunately cyber impacts everybody. When we’re talking about the information – past and current employees, clients, donors – the fact that they don’t work for you anymore, doesn’t mean you’re not liable for them. Even if you got their information 10 years ago, do you really want their name getting out? In terms of the cloud-based versus local, we’ve become such a decentralized society. 

Spencer Pollock (7m 48s):
Before, it was very much centralized. Everything was in the back office. We controlled the port of access to basically everything. We did all the payroll and data management in house, so it was very secure. Imagine that I’ve got a house with one door. I can really make that door secure. If I’ve got a house with 50 doors, I’m a lot more vulnerable. Now, organizations have farmed data out. While they don’t have it on their servers, they’ve enlisted help from an IT firm or website to host it. And then they think, “I’m not liable for these vendors who have my information. They’re hosting it.” But in fact they’re liable.

Spencer Pollock (8m 27s):
Let’s say there wasn’t that legal obligation. What are you going to say to your donors? If you’re using Spencer’s IT service and you get hacked, the donor list goes out and all your donors’ names are now out and they were anonymous. Are you going to go to your donors and say, “No, not my fault. It was Spencer. Spencer did it.”? They don’t know who Spencer is. They’ve never worked with Spencer. They didn’t donate to Spencer. They didn’t trust Spencer. They only care that they gave it to you. 

Spencer Pollock (9m 7s):
It is a false sense of security. And I see this with a lot of nonprofits, unfortunately. Nonprofits have two false senses of security. One is that they have outsourced it so they’re not responsible. And then two that they’re doing good so they’re not going to get hit. Unfortunately, hackers don’t care. They love low-hanging fruit. Nonprofits are low-hanging fruit because of how vulnerable they are and because of how the information they have can be used against them. 

Dolph Goldenburg (9m 40s):
So hold on. Let’s talk about that. Why are so many nonprofits low-hanging fruit? What’s causing this? 

Spencer Pollock (9m 46s):
Nonprofits are there to help society. There’s a belief within nonprofits that being a nonprofit keeps hackers from seeing them as a juicy target. So then they don’t put resources towards cybersecurity infrastructure, policies, or being compliant. Many nonprofits don’t put resources towards all of this because of financial constraints, too.

Spencer Pollock (10m 27s):
Hackers don’t discriminate. They care if you have information. Information becomes currency, Currency becomes money. So they look at nonprofits and say, “This is easy. They don’t have these firewalls. They don’t have the policies. They haven’t trained their employees. They’ve got their guard down. So we’re going to be able to launch less sophisticated attacks, take over their systems, put them over a barrel and get as much money as we can from them.” It’s sad ,but unfortunately, the adversary we’re facing is very sophisticated and very much dedicated to their craft. 

Dolph Goldenburg (11m 5s):
And so when you’re saying the hackers, think to themselves, “We’re going to get as much money as we can.” How much money are we talking about? 

Spencer Pollock (11m 12s):
An average data breach costs about $3.86 million globally. In America, it’s $8.1 million. I know some people are like, “That’s really high”. Well, let’s go to the lower end. Can a nonprofit organization afford $500,000 in costs if they have a data breach? The data breaches I’ve worked on have legal costs that are tens of thousands and the forensics are hundreds of thousands. And that’s not even public relations. Think about your brand. Think about sending these notifications out to people that are impacted and how much it costs per person to send a notification. And there’s credit monitoring. So it’s not one little cost. It all adds up. 

Spencer Pollock (11m 52s):
So when I talk to organizations, they’re like, “I’m not the $3.86 million. I’m not the $8.1 million.” Great. I don’t want you to be, but you’re going to be in the six figures. If you don’t have the proper procedures, protocols, and policies in place; if you don’t have the insurance; if you don’t have the legal or forensic expertise then you’re looking to basically take it on the chin when it comes to the cost. Of the nonprofits I’ve advised, their reputation is the most important. It’s so important to me to get that message across. Your name and the trust that you have in a community is everything. When you lose that by not taking cost-effective and easy measures to better protect yourself and the information, you can’t turn around and tell your donors and employees that you did everything you could within your means. 

Dolph Goldenburg (12m 47s):
When you’re working with nonprofits and they have a data breach, what do they need to be doing? How do they need to be handling it? 

Spencer Pollock (12m 53s):
It’s a two track process. Those who have insurance and those who don’t have insurance. For those who don’t have insurance, a lot of this needs to be done before a data breach happens. If you’re doing it on the fly, you’re going to make mistakes. When a data breach happens, it’s not like a car accident or a construction defect or a hurricane where you have time to prepare. This is a tornado, and there’s no alarm. If you don’t have a plan, it exacerbates everything. To give you an example, in terms of average costs, organizations that have a data breach plan in place with people identified to be accountable for it and test it, save on average $1.2 million per data breach. You can scale that up or down based on where you think you fall in the average scale. Before a data breach, nonprofits need to look at themselves and ask, “Do we have internal legal help?” If we don’t, we need to get external legal help. The other part is with forensics. You have to be careful if you have your own cyber company externally that’s already working for you, you’re running into legal complications because you need external counsel to retain people on your behalf after a data breach.

Spencer Pollock (14m 23s):
To start, nonprofits should look at what information they’re taking in. Do they have credit card numbers? Do they have social security numbers? At bare minimum, they’ve got donor lists. They need to start developing policies and procedures. It’s incorporating legal and forensics together at that point. So when a data breach happens, they know the first call that they need to make is to their attorney. The attorney is basically a coach at that point. When I come in, I’m basically going to quarterback everything to start. I’m going to go retain Dolph’s cyber forensic company on my client’s behalf. Because everything we’re doing is going to be protected under attorney-work product. 

Spencer Pollock (15m 3s):
Granted, there are always exceptions. I’m going to be bringing in the data mining company, if it comes to that. Making sure the ransom is taken care of if we’re going to go down that route. It’s getting counseling immediately who then can get you to the right people, because cyber is special ops with this. If you call a random person, whether it be forensics or law, it’s not going to go as well as it should. Those who have insurance, call your carrier immediately. I mean immediately. Because then they’ll get you to an attorney like me or someone that has handled these things before and they’ll run the same process we did. 

Dolph Goldenburg (15m 41s):
So you call your carrier and they essentially find an insurance defense firm. 

Spencer Pollock (15m 48s):
Yes. They have a list of preferred providers who they’ve vetted. We’re on 10 different carrier panels. When it comes to cyber law and cybersecurity, you need people that are really focused on this because of how fast the ball is moving. This is not like other forms of law that stay the same for 200 years. This changes every six months. You need forensic people who are keeping up with it because the hackers are moving faster than we can keep up with. Insurance people are the same way. You want brokers who know what they’re dealing with in cyber specifically. It’s that niche that you really need to incorporate into your association. 

Dolph Goldenburg (16m 39s):
We’ve talked a good little bit about cyber insurance. If I’m the executive director of a nonprofit or the CFO of a nonprofit, and I’m looking through different cyber insurance policies, what options are most important in that policy? 

Spencer Pollock (16m 56s):
The first thing is you want to make sure ransomware is covered. If that’s not covered and you get hit with a ransomware attack, it doesn’t matter how much money you’ve got for defense, for forensics, for credit monitoring, or for business loss income. If they are not paying the ransom, you’re paying the ransom. Then there are the post-breach costs, the legal costs, the forensic costs, and the notification costs. Make sure that those limits are high because of how much things cost. The forensics cost is the highest because it’s such a specialized thing. You’re talking about $100k, $150k or $200k. So it adds up. So if you have a lower limit, all of a sudden it goes from it being covered to you paying everything out of pocket. That’s not what you want. 

Dolph Goldenburg (17m 48s):
I don’t fully understand this. What are these forensic specialists doing when they’re coming in that warrants $100k in fees? 

Spencer Pollock (17m 58s):
What makes forensics unique is they’re on-call 24/7 and they are specialists. They’ve handled thousands of cases of ransomware before. They literally have playbooks about every different hacking organization that is known. They’re worth their money. It’s a large price tag, but I can guarantee you involving someone like that versus your run of the mill IT is worth it. You’re going to be very happy that you did pay the money that was needed, because if not, your systems are going to be completely decimated, the information is going to be leaked, and it trickles out from there. 

Dolph Goldenburg (18m 47s):
That makes sense. So make sure your insurance covers ransom. Make sure that your insurance covers all those post-breach activities. What else should your insurance cover? 

Spencer Pollock (19m 1s):
For nonprofits, reputational damage. Because once again, I feel like reputational damage is a very big thing. Business loss income is probably not that important for nonprofits based on the income they have coming in, but you want to make sure you’ve got the wire fraud. That’s when your business email becomes compromised, meaning someone gets into your email and is stealing funds that way, like wiring funds to the wrong people. For example, I email Dolph’s nonprofit and say, “I’m going to donate $50,000.” Then I donate $50,000. The very next day, I email again and say, “I only meant to donate $5,000, can you reimburse me?” So Dolph goes ahead and reimburses $45,000, only to find out the initial $50,000 never even cleared. Your insurance won’t reimburse you unless you have wire fraud. Those would probably be the four biggest things I would want as a nonprofit. And system restoration too. 

Dolph Goldenburg (20m 19s):
We’ve talked about insurance and post-breach. Let’s go back before a breach. So what are some of the policies and procedures that every nonprofit should have in place to protect their data? 

Spencer Pollock (20m 42s):
So I look at it as basically three core functions. The first one is an umbrella. It’s called the written information security policy. That’s basically going to outline everything that you’re going to do to protect your data. It’s basically going to say who’s accountable, what you’re doing to protect your data, what laws you’re complying with, how many times you’re going to review it, and the different policies within that. 

Spencer Pollock (21m 22s):
The second part would be the incident response plan. It’s folded within the written information security policy. As I said before, people who have that plan in place and test it for data breaches, save $1.2 million. Think about this plan as writing down who I need to call when the data breach happens, how I know it’s a data breach, what I have in place to prevent it, who is accountable, and who I need to involve within the organization. Taking out all the fancy terms, the incident response plan is just writing down: If this happens, what will I do with X, Y, and Z? 

Spencer Pollock (22m 8s):
The next one is vendor management meaning your external vendors. The question then is: how are we vetting our vendors? We’ve already talked about the legal responsibility about that, but pre-breach stuff involves going in to figure out what your vendors are doing. So go in and do due diligence saying, “Alright, have you had prior data breaches? Do you have insurance? Do you have policies, protocols, procedures? Are you testing it? Are you training your employees? Who do you work with? Who are your friends?” 

Spencer Pollock (23m 30s):
I would stop working with anyone that gets defensive when you ask those kinds of questions. Those who don’t get defensive and explain what they do understand and respect the situation. And then finally, employee training. You want to have the training in place. You want to have a playbook about how you’re going to keep your employees updated and aware. Because your employees are your gatekeepers. I would say 40 to 45% of data breaches start with internal negligence, not with somebody who’s maliciously waiting to get your organization. 

Dolph Goldenburg (24m 40s):
So I want to go back to the vendor piece and then let’s talk about employee education. Is it fair or is it a best practice to ask your vendors for their certificate of insurance for cyber liability and asked to be named as an additional insured? 

Spencer Pollock (25m 2s):
I always tell my clients to go back to their vendors, get their insurance, and get added. Then make sure you actually review their policy, because if their policy does not include external parties that are impacted, that means you’re not going to be under their umbrella. Also, different organizations are going to define a data breach differently. So you want to make sure they’re defining it the same as you. Also, think about data disposal, meaning those donors that donated 10 years ago. Even though they haven’t donated recently, their information is at risk during a data breach, too.

Dolph Goldenburg (26m 17s):
If you’re a nonprofit that already has a cyber liability policy, can you ask your insurance company to help you with some of these things? 

Spencer Pollock (26m 25s):
You can. I don’t think a lot of them will. There are some that are more cutting edge that are getting out in front of this. They’re seeing that 60% of data breaches start with the vendor. When a data breach starts with a vendor, it increases the cost by about $370,000 because of the amount of data people have and the lack of understanding of the responsibility. I think it takes longer to get notified and then more people are involved. Some insurers are getting ahead of the curve and looking to get more involved with this. You’re probably going to have to get a lawyer to come in with you to do these kinds of deep dives with vendors. 

Spencer Pollock (27m 12s):
Again, ask a couple of questions and see if they get defensive. I think that’s my biggest and easiest telltale sign for me. Unfortunately, I don’t know about any carriers that will be proactive and go do the due diligence. But there are a couple that are making programs right now that might roll out next year. 

Dolph Goldenburg (27m 36s):
Are there any carriers that will come in and help you do a cyber risk audit? 

Spencer Pollock (27m 41s):
Yes. So all carriers offer a free consultation. They’ll do a mock breach round table with you. I’m on a couple where we’ll do vendor due diligence. I’ll sit down with you and I’ll literally go through your vendor inventory to figure out who you work with. We look at who would cause the most problems if a data breach were to happen. We go over everything we’ve discussed today – easy ways to do diligence and contractual provisions. Another thing you should ask about is a policy review. It’s helpful to have somebody who knows what they’re doing come in for free and review your policies and help you develop them more. It’s critical and crucial. I know a lot of the carriers have these, but most people don’t utilize them. I guess people think they don’t need to do it because they have insurance so they think they are covered. 

Dolph Goldenburg (28m 48s):
So should nonprofits be at all concerned that if they have their insurance carrier do a mock audit or review policies that the carriers would then say, “Wow. This nonprofit has more risk than we thought. And we’re going to increase their rate or cancel their policy if they don’t make these changes.” 

Spencer Pollock (29m 5s):
That would be a pretty sneaky thing to do. I can’t speak to every carrier, but the ones that I work with do not do that and I do not know about any others that do that. They’re looking to reduce risk for them and the client. We want you to have better procedures and protocols. The more awareness that they have about how to deal with a breach, the lower the cost is going to be in the end for everybody. 

 

Dolph Goldenburg (29m 44s):
Got it. Let’s shift and talk for a few minutes about employees. What are some important training policies for staff? 

Spencer Pollock (30m 3s):
There’s the formal and the informal. It needs to start with the policy, though. And you need to be incorporating HR if you have it. Even if you don’t, you definitely have some sort of employee manual; you need to start incorporating your data breach policies and plans. And how you’re going to enforce them. To do that, you have to have consequences. Consequences don’t have to mean you’re getting fired, but they have to mean, “Okay, I clicked on the wrong link. It then buzzed my IT people. I need to go have a conversation with employee X and tell them what happened.” That’s a consequence. 

Spencer Pollock (30m 45s):
In terms of the formal aspects, it’s the annual training and paying for software to test your employees or run phishing exercises. You want to share things for them to be aware of – like getting an email where someone is trying to impersonate their boss – and how to identify potential scams. Bring in external cyber and legal to talk to your employees about these threats and to educate them about how to be more aware. Informal is important too. Like having a poster campaign. Or an email campaign, now that so many are working from home.

Spencer Pollock (31m 25s):
Carve out two minutes of your next staff meeting and say, “Hey everyone, this is what we’re talking about today, but we want to talk about some more cyber stuff. Have you been looking at these emails? Have you heard about this?” It’s discussing the nerdy stuff too, but it’s also about changing your culture. It’s doing these phishing tests. It’s so cheap to get software to do these tests. It’s so annoying, but it’s so helpful because your employees are going to start changing their mentality. It’s about the conversation you’re having with your employees. The more repetition you have in this, the more likely an employee will not click on a link that lets in a hacker to your system. 

Spencer Pollock (32m 32s):
One easy thing that none of us like doing anymore, is using the phone. We all despise using the phone. We want to click it and be done with it. But pick up the phone when you get that email saying, “Send me a thousand gift cards.” Just call and confirm. And take a second to take that deep breath. The reason hackers do so well is because they have the time to stay ahead of us. But they want you to move fast. They’re banking on you doing a hundred things at once and making that one click. Take a deep breath before you do it. That’s going to help. 

Dolph Goldenburg (33m 33s):
And, and as you said, hackers are looking for the low hanging fruit. So if it’s slightly difficult, they’re more likely to move on to another target. I would also imagine something like using different passwords for different sites helps, too.

Spencer Pollock (33m 51s):
Password policy is cost-effective. It doesn’t cost any money to basically tell your staff to change their password once a month. And the password better not be ‘password’ or better not be ‘OrganizationsName2020.’ You need to make it complex. If you want to spend a little money, get one of the password managers. I can’t say enough about that because that makes life so much easier. In doing that, it’s going to make life a lot more secure than those who have no policy. If you want to spend more money, talk about multifactor authentication.

Dolph Goldenburg (34m 48s):
A few years ago, I was doing an interim chief executive engagement and the organization had really bad password hygiene. We implemented a password vault. One of the things that I love about it is it enables an audit on the individual level in terms of password security. We created our policy which included no repeated passwords or really simple passwords. We’d run reports and share the results with staff. 

Spencer Pollock (35m 34s):
Exactly. The password managers make it so easy because you hit a little dice and get a 16 character password, which is going to take a million years to break. 

Dolph Goldenburg (36m 4s): 

Spencer, I want to make sure that I ask you the off-the-map question and I understand that you had a very memorable hike in high school and I’m hoping you’ll share the story with us. 

Spencer Pollock (36m 20s):
This is one of the best stories in my life. It was in October of 2001 – almost a month after 9/11. I was on a school hiking trip up in Catoctin Mountains It was 15 students and two teachers. I was not the best hiker. Probably not in the best shape. So I was more towards the back with the two teachers and another student. We were about an hour into the hike and we came across a fork in the road and there’s another student standing there. The student says, “I think Johnny went down the wrong path.” 

Spencer Pollock (37m 4s):
So the Teacher X says, “Okay, I’ll go get him. You all wait here.” A minute later we hear people, “Get on the ground *expletives* *expletives*. I’m going to shoot you *expletives*.” And we’re all looking around like, “Wait, what’s going on?” Teacher Y is like, “Alright, stay here. I’ll go check on Teacher X.” Teacher Y leaves – 30 seconds later comes back. He’s sprinting. He’s out of breath, sweating profusely, pale white. And he goes, “Okay, Teacher X is being held hostage by men with rifles. I think they’re terrorists. I need you all to go hide behind that large rock and I’m going to go check it out.” 

Spencer Pollock (37m 49s):
As a caveat, I don’t know what Teacher Y thought he was going to do against four or five armed men. But that’s beyond the point. I appreciate his heroics. He’s like, “Go hide behind this rock, whatever you do, don’t call your parents.” So, we go hide behind the rocks. I didn’t have great cell service, especially in 2001. So it takes me about 5 or 7 minutes to get ahold of my mom, because of course I disregarded that order. And I said, “Mom, look, don’t freak out. We’re being held hostage by terrorists. They have weapons.” And then all of a sudden I looked up and I saw a gentleman walking towards us wearing camo with a gun. And I said, “Mom, I’ve got to go. A man is coming with a gun. I love you.” 

Spencer Pollock (38m 30s):
And I hung up. Luckily it was a military officer. We had stumbled too close to Camp David when Dick Cheney was there. So everything was fine. The problem was I didn’t call my mother back because I forgot. In a 15 minute span of telling her I was about to die and where I generally was, she had called the school, the local police, the state police, and the FBI and told them we were under attack by terrorists, which then pretty much triggered a widespread local and national law enforcement response in that area. 

Spencer Pollock (39m 12s): 

My mom had gotten in her car and started driving about two hours to hike the mountain and come find us. 

Dolph Goldenburg (39m 19s):
So that’s like Teacher Y – what’s your mom going to do? 

Spencer Pollock (39m 24s):
Oh, If I was a terrorist, I’d be worried about my mom if she’s coming up a mountain to get me. I did get a hold of her, though. And my mom, being the best, picked up McDonald’s for everybody. It wasn’t in a local paper, but it was on our school paper that we were accosted by potential terrorists or assumed that we were terrorists. One of the two. 

Dolph Goldenburg (39m 48s):
I have to say I do a lot of hiking and backpacking. I don’t have nearly such a dramatic backpacking story. I’ve got to try to maybe go do some hiking around Camp David, see if I can have my own backpacking story. 

Spencer Pollock (40m 4s):
Maybe get camouflage, put war paint on, and run up to the line and run back. Whatever you can do to match the story here. 

Dolph Goldenburg (40m 12s):
We took one of my best friends’ kids on a backpacking trip. Their youngest child literally fell off a cliff and he did it right in front of me. All day long, I kept saying to him, “Buckle your backpack. This will not be as difficult if you buckle your backpack.” I saw it about to happen. So I started to hover my hand over his backpack. He started to go off a cliff. I grabbed his backpack and then he starts to slip out of his backpack because he did not buckle his backpack. And I was like, “Kid, you gotta hang onto your backpack. This is the point. You’re going to die. I need you to hang on.” 

Spencer Pollock (41m 36s):
That’s still a good one though. I like it. No guns involved, but I do like it 

Dolph Goldenburg (41m 41s):
No guns involved, but some sense of danger was involved. Spencer, thank you so much for joining us today. I am thrilled that you were able to come on. Listeners, I need to make sure, you know how you can reach out to Spencer. First of all, he’s an attorney with Niles, Barton and Wilmer. You can visit him at nilesbarton.com and then look up Spencer Pollock. You can reach out to him to find out if you are prepared for a data breach and whether you fully understand what those legal obligations might be. 

Dolph Goldenburg (42m 24s):
He has made the very generous offer to offer some free consulting to anyone that calls and says, “Hey, I need to talk about my nonprofit and how ready we are and what else we can do to prepare.” So definitely worth your while. He’s got a LinkedIn page that we will link to. And then finally, he has one of the newest, hottest podcasts, Cyber Law Revolution. Hey Spencer, thank you so much for coming on today. 

Spencer Pollock (43m 5s):
Dolph. Thank you so much. It’s been a pleasure. I really appreciate you having me. 

Dolph Goldenburg (43m 8s):
So listeners, if you are busy looking through your insurance policy, trying to figure out what it covers and what it does not cover in case of cybercrime, keep reviewing those policies and know that you can go to successfulnonprofits.com to get all the links and ways to reach out to Spencer. Don’t forget, if you’re starting to think about that board retreat, think about us at Successful Nonprofits®, as well. Finally, if you enjoyed this conversation with Spencer, there are two episodes I suggest that you listen to. The first is Episode 164, How to Love Your Next CRM with Maureen Wallbeoff and Episode 114 with Peter Gross. 

Dolph Goldenburg (44m 6s):
Listeners make sure that you check out both of those and that you rate and review us on iTunes, Spotify, Stitcher, or your streaming app of choice. That is our show for this week. I hope you have gained some insight to help your nonprofit thrive in a competitive environment. 

Dolph Goldenburg (44m 46s): 

And just a quick reminder that I am not an accountant nor an attorney, and neither I nor the Goldenburg group provide tax, legal, or accounting advice. This show is intended for informational purposes only and should not be relied on for tax, legal, or accounting advice. If that’s what you need, you should find a qualified, licensed professional and talk to them. 

**  We have edited this transcript because how you listen is not how you read. If you have a problem with this, remember you got this for free!

Top

You're subscribed!

There was an error while trying to send your request. Please try again.

Successful Nonprofits will use the information you provide on this form to be in touch with you and to provide updates and marketing.