The House of Data Cards

30th January 2025

This article explores the risks associations face in an increasingly interconnected digital landscape, why they can’t afford to treat cybersecurity as an afterthought, and the practical steps they must take to safeguard their reputations.

Words Anne Lesca, Edouard Duverger & Juliano Lissoni

When the Toronto District School Board (TDSB) announced a data breach in January 2025, the problem wasn’t their servers. It wasn’t even their systems. The breach happened in PowerSchool, the third-party platform TDSB relied on to manage student records. For a brief moment, that distinction seemed important. But not for long. The outrage wasn’t directed at PowerSchool; it landed squarely on TDSB.

The breach revealed something fundamental: trust is non-transferable. It doesn’t matter where the breach occurs or who caused it. Accountability falls on the organization that promised to protect the data. For associations — many of which operate in equally complex ecosystems of partnerships and platforms — the TDSB incident is more than a wake-up call. It is a loud, jarring alarm.

Associations rarely make headlines for being data-driven organizations. They’re not flashy tech startups or financial powerhouses. But beneath their calm, professional exterior, they’re quietly running massive, sophisticated data operations.

Every membership application, every event registration, every training session generates data. And this isn’t just name-and-email stuff. It’s payment histories, survey responses, certifications earned, even dietary restrictions for catered events. This data fuels the entire association engine — from tailoring member benefits to convincing sponsors their dollars are well spent.

But with so much riding on this data, here’s the rub: managing it isn’t easy. Most associations don’t have Fortune 500 IT budgets or in-house cybersecurity teams. So, they do what makes sense: they partner with vendors — companies specializing in membership databases, event platforms, and cloud-based CRMs. These partnerships allow associations to offload some of the burden while maintaining the illusion of seamless operations.

The systems associations rely on — the CRMs, the event platforms, the integrations — are designed to make their lives easier. But they also create blind spots. The cracks in the system aren’t always obvious, and they rarely announce themselves until something breaks.

Take this example: an association stores its membership data in a secure, centralized database. They trust their vendor to manage event registrations. The two systems are linked — names and membership details automatically flow between them. It works beautifully, until the vendor’s platform gets hacked. Suddenly, the association’s entire membership roster is exposed.

The problem isn’t just the systems themselves; it’s the spaces between them. Every integration, every API connection, every data flow is a potential point of failure.

What Associations Should Do

The associations that manage these risks properly don’t leave their data security to chance. They act like corporations — disciplined, skeptical, and always prepared for the worst. Here’s how they do it:

  • Work with Partners Who Deliver: The best associations don’t just pick vendors — they pick partners who can prove their security standards. They demand full risk assessments before signing a contract and look for certifications like ISO 27001, ISO 27701, or SOC 2 — credentials that show the vendor knows how to protect sensitive data.
  • Write Contracts That Protect You: Smart associations know the fine print isn’t just legal trivia — it’s the backbone of accountability. Contracts should shift liability to the vendor where it belongs. If there’s no clause requiring immediate notification of breaches, they walk away.
  • Get Insurance for the Worst-Case Scenario: Even with the best systems, breaches happen. Cybersecurity insurance doesn’t stop a breach, but it cushions the blow — covering legal fees, fines, and PR fallout. It’s the safety net associations hope they’ll never need but can’t afford to skip.

Building a Culture of Trust

This article, part of a special partnership with IAPCO and Boardroom, was written by Anne Lesca, DPO, Risk & Compliance Officer, MCI Group; Edouard Duverger, Chief Information Officer, MCI Group, and Juliano Lissoni, Managing Director, MCI Canada.

For many associations, cybersecurity feels abstract — an IT issue buried somewhere in the background. But in reality, it’s woven into every interaction they have with their members. Trust isn’t just built on programs or events; it’s built on the promise that personal information is safe.

The associations that excel at this don’t just implement better systems. They build a culture of trust. They educate their teams, from executives to volunteers, about their role in data protection. They train staff to recognize phishing attempts and follow strict protocols for handling sensitive information. And they communicate openly with members — not just in the good times, but especially when something goes wrong.

Handling data means playing by the rules. For associations, that means navigating a maze of regulations like GDPR, CCPA, and Canada’s PIPEDA. Compliance isn’t optional, but it’s manageable with the right approach.

The process starts with a privacy diagnosis to identify gaps. From there, associations develop a plan:

  • Establish data protection policies
  • Train staff regularly
  • Assess vendors for compliance
  • Update technical safeguards

By keeping these measures up to date, associations can achieve compliance and build systems resilient enough to handle evolving threats.

The Stakes of Inaction

Every association’s data system is a house of cards. Every vendor, every integration, every decision is another layer. And when one card falls, the entire structure is at risk.

What the TDSB data breach teaches us is that trust isn’t just a vague concept — it’s the foundation of everything organizations do. And trust, as fragile as it is, doesn’t break evenly. It shatters.

Associations that act decisively — by working with capable partners, sharpening contracts, and building a culture of security — aren’t just protecting their data. They’re protecting their future. Because when the house of cards collapses, it won’t matter whose fault it was. The only thing people will remember is whose house it was.