Think about what people trust nonprofits to do. Nonprofits exist because people trust them. Donors trust nonprofits with their money. Beneficiaries trust nonprofits with their stories. Volunteers trust nonprofits with their time. Advocacy groups and corporate partners trust nonprofits to be good stewards of sensitive data.
That hasn’t changed. What has changed is the extent to which that trust is now mediated by technology. From fundraising software to donor databases, program management systems, and email newsletters, nonprofits rely on interconnected digital tools more every day. Many of those tools now use Artificial Intelligence (AI) to improve operations.
This shift has led to two major developments. First, nonprofits are routinely collecting and managing sensitive data that, in many cases, was historically only housed in large enterprises. However, many nonprofits do not have the same level of security maturity as their corporate counterparts. Second, privacy regulations like the CCPA are evolving rapidly, and the use of AI is expanding just as quickly. Collectively, these factors are forcing nonprofits to reconsider their approach to cybersecurity, compliance, and risk.
Why Cybersecurity Risk is Growing for Nonprofits
Cybercriminals see value in attacking nonprofits. These organizations have sensitive data they can monetize on the dark web, operate in high-trust environments, and often lack mature security controls.
Some examples of sensitive data commonly found in nonprofit organizations include:
- Donor financial and payment information
- Personally identifiable information (PII)
- Volunteer and employee data
- Beneficiary records that may include health information or Social Security numbers
- Grant and funding applications and records
Smaller budgets and IT teams often translate into gaps in security controls and visibility. According to HALOCK’s nonprofit security guidance, many organizations operate without formal cybersecurity programs despite handling sensitive donor data and online transactions.
Cybercriminals also understand that nonprofits can serve as an entry point into broader ecosystems, including corporate partners and government-adjacent systems. Attacks against mission-driven organizations are increasingly seen as “low resistance, high value” opportunities, particularly where donor networks and payment systems are involved.
Cybersecurity risk in nonprofits continues to grow because the value of the data to an attacker exceeds the level of protection in place.
AI is Expanding Cybersecurity Risk for Nonprofits
Organizations are beginning to adopt AI tools without consistent governance or oversight.
Use cases currently being deployed include:
- Donor communications and outreach
- Writing and data collection for grant reporting
- Data analysis to understand program outcomes
- Customer service chatbots
- Fraud detection and operational efficiency
AI creates clear benefits for nonprofits. But it also introduces new vulnerabilities.
AI is already being used to increase the success rate of traditional attacks. Phishing messages are becoming more personalized and convincing, raising the success rate of credential theft and payment fraud. Deepfake technology is also emerging as a major concern, enabling attackers to impersonate nonprofit executives or beneficiaries by voice or video to request funds or sensitive information. Any request to release funds or change payment instructions that arrives by email, phone, or video should be verified through a separate, previously established channel before it is acted on.
HALOCK highlights these evolving risks in nonprofit environments where AI adoption is outpacing governance.
AI can also create internal threats. Staff may paste donor lists, beneficiary case notes, or grant drafts into third-party AI tools without understanding where that data is stored, how long it is retained, or whether it is reused for model training. This “shadow AI” issue is increasingly common across industries and represents an emerging data leakage pathway; an approved-tool list and a clear rule on what data may be entered into any AI tool are the minimum controls.
Finally, AI can be used maliciously to disrupt nonprofit operations through synthetic donor accounts, falsified donations, or manipulated engagement metrics, undermining trust in fundraising systems.
CCPA Privacy Compliance Considerations for Nonprofits
Many nonprofit leaders assume privacy laws do not apply to them. This is often incorrect.
State privacy laws can apply to nonprofits. The CCPA’s own definition of a “business” is limited to for-profit entities, so most nonprofits fall outside its direct scope; it can still reach a nonprofit that is controlled by or shares common branding with a covered business, or that processes personal information as a service provider or contractor for one. Several newer state laws, Colorado’s and Oregon’s among them, apply to nonprofits directly. In addition, nonprofits may be subject to:
- Federal Trade Commission (FTC) oversight for unfair or deceptive practices
- Contractual requirements from corporate donors and grant providers
- Sector-specific requirements such as HIPAA (a regulation, where health information is handled) or PCI DSS (a contractual standard imposed through card processors, where payment cards are accepted)
CCPA obligations that may apply include:
- Mapping data to understand where personal information is collected, used, and stored
- Responding to data access and deletion requests
- Disclosing how data is shared and whether automated decision-making is involved
- Conducting privacy and cybersecurity risk assessments for high-risk processing activities
AI-driven donor analysis and engagement programs may fall into this category when behavioral profiling or automated decision-making is used. Privacy compliance is not just a regulatory issue. It directly impacts donor trust and the ability to secure funding and partnerships.
Breaches Are Also a Risk for Nonprofits
Large data breaches affecting nonprofit organizations are increasingly common. Examples of incident types include:
- Ransomware attacks that take systems offline and expose donor data
- Data breaches exposing sensitive beneficiary information, including vulnerable populations
- Spear phishing attacks and account takeovers that redirect donations
Industry-wide breach cost studies show that the financial and operational consequences of these events are borne disproportionately by organizations that lack incident response plans and basic detection capability.
Third-party risk is often a contributing factor. Many nonprofits rely on external platforms for donation processing, donor management, email campaigns, and cloud storage. A breach at any of these providers can expose the nonprofit itself, and the nonprofit typically remains responsible for notifying affected donors. Nonprofits often lack visibility into vendor security practices, creating indirect exposure that is difficult to detect until after an incident occurs. At a minimum, a nonprofit should know which vendor holds which data set and should have contractual breach notification timelines with each one.
Understanding Cybersecurity Risk: What Constitutes “Reasonable Security” for Nonprofits?
Nonprofit organizations are not expected to operate enterprise-grade security programs. However, they are expected to implement reasonable security based on their risk profile.
What constitutes reasonable security varies, but generally includes safeguards aligned with:
- The sensitivity of the data
- The size and resources of the organization
- The potential impact of a breach
Reasonable security also includes the ability to demonstrate decision-making. Documentation of risk assessments, policy decisions, and control selection helps establish that an organization acted with due care.
At HALOCK, we help nonprofits apply Duty of Care Risk Analysis (DoCRA) to align cybersecurity decisions with legal expectations and real-world risk. This approach enables organizations to implement practical, defensible safeguards while supporting their mission.
What is New in the Nonprofit Industry and the Risks of AI?
AI Can Help, But It Increases Your Risk Obligations
Trust is foundational to the nonprofit sector. Cybersecurity risk directly threatens that trust, and regulatory requirements like the CCPA add additional obligations for protecting sensitive data. At the same time, AI also creates opportunities to strengthen operations and support mission delivery. AI can enhance cybersecurity programs, improve efficiency, and reduce operational burden when implemented responsibly.
The key is governance.
Nonprofit organizations should take a risk-based approach to cybersecurity, AI, and data privacy. Waiting for a cyber incident to occur before taking action will fall short of what is needed to protect data, donors, and organizational reputation. A structured, defensible approach to risk helps nonprofits balance innovation with responsibility, ensuring that technology strengthens rather than undermines trust.
