Cybersecurity Considerations for Texas Nonprofits
Texas nonprofit organizations face cybersecurity obligations and risks that differ meaningfully from those confronting state agencies or large commercial enterprises — yet nonprofits lack both the regulatory scaffolding that mandates security investment in government entities and the resource base that funds it in the private sector. This page describes the regulatory landscape, operational risk patterns, and structural decision points relevant to Texas nonprofits managing sensitive data, donor records, healthcare referrals, or grant-funded digital infrastructure. The treatment is specific to Texas legal obligations and does not substitute for sector-specific federal compliance review.
Definition and scope
For cybersecurity purposes, a Texas nonprofit is any entity organized under the Texas Business Organizations Code as a nonprofit corporation, unincorporated nonprofit association, or similar structure, and exempt from federal income tax under Internal Revenue Code §501(c). The cybersecurity relevance of nonprofit status is primarily operational: these organizations often handle protected categories of data — including personal health information, financial records of vulnerable populations, donor payment data, and federally funded program records — without the compliance infrastructure their data sensitivity would otherwise require.
Scope of this page: This reference addresses cybersecurity considerations arising under Texas law and applicable federal frameworks for nonprofits operating within Texas. It covers obligations under Texas Business & Commerce Code Chapter 521, federal sector-specific rules that attach regardless of nonprofit status, and relevant guidance from the Texas Department of Information Resources (DIR) and federal agencies including CISA. For a full treatment of the statutory architecture governing Texas entities, see Regulatory Context for Texas Cybersecurity.
Not covered here: Cybersecurity requirements for Texas state agencies, public universities, or K–12 school districts are addressed in dedicated sections of this network. Multi-state data flows, international privacy obligations (e.g., GDPR), and federal contract cybersecurity requirements (CMMC) fall outside the scope of this page. Nonprofit hospitals and clinics subject to HIPAA should additionally consult Texas Cybersecurity for Healthcare Organizations.
How it works
Texas nonprofits are subject to Texas Business & Commerce Code Chapter 521, which imposes breach notification obligations on any person or business that conducts business in Texas and owns or licenses sensitive personal information. The statute's definition of "business" is not limited to for-profit entities — nonprofits collecting donor payment card data, beneficiary records, or employee Social Security numbers fall within its reach. Under Texas B&C Code §521.053, notification to affected individuals must occur within 60 days of breach discovery.
The Texas Identity Theft Enforcement and Protection Act (codified in Chapter 521) further establishes the standards for "reasonable" security practices, though the statute does not prescribe a specific technical control set. In practice, DIR's Texas Cybersecurity Framework — derived from NIST SP 800-53 — provides the de facto reference standard for organizations seeking to demonstrate reasonable care.
Federal overlays apply to nonprofits in specific sectors:
- HIPAA — Nonprofits operating as covered entities (community health clinics, hospices, mental health organizations) or business associates must comply with the HIPAA Security Rule (45 CFR Part 164) regardless of state law.
- PCI DSS — Any nonprofit accepting credit or debit card donations is contractually bound to the Payment Card Industry Data Security Standard (PCI DSS), a requirement enforced through card network and acquiring bank agreements rather than statute.
- FTC Act §5 — The Federal Trade Commission's authority over unfair or deceptive data security practices extends to nonprofits engaging in commerce, including online fundraising platforms.
- Grant-specific requirements — Federal grants administered through HHS, DOJ, or FEMA may impose data security controls as award conditions. The Uniform Guidance (2 CFR Part 200) includes information security provisions applicable to federal award recipients.
CISA's Cyber Hygiene Services program offers free vulnerability scanning to qualifying organizations, including nonprofits with public-facing infrastructure that serves critical community functions.
Common scenarios
Nonprofit cybersecurity incidents cluster around three operational patterns, each with distinct regulatory implications:
Donor data breach: A Texas-based food bank stores donor payment records in a cloud-administered database. Following unauthorized access, Chapter 521 requires notification to affected individuals within 60 days. If more than 10,000 Texans are affected, the Office of the Attorney General must also be notified under §521.053(b). The distinction between a nonprofit and a commercial entity does not alter this obligation.
Ransomware against a social services nonprofit: A nonprofit providing wraparound services to domestic violence survivors suffers a ransomware attack that encrypts case management files containing protected health information. Because the organization qualifies as a HIPAA business associate (receiving PHI from referring healthcare providers), HHS Office for Civil Rights notification requirements under the HITECH Act apply in addition to state law. Texas Ransomware Threats and Response describes the incident response structure relevant to this scenario.
Phishing campaign targeting volunteer coordinators: A faith-based nonprofit with 3 paid staff and 200 volunteers experiences credential compromise through a spear-phishing email. Volunteer email accounts used to communicate beneficiary information constitute a data security risk under Chapter 521 if sensitive personal information is accessible. Texas Phishing and Social Engineering Threats addresses the threat pattern in detail.
Decision boundaries
The central decision boundary for Texas nonprofits is whether the organization functions more like a regulated covered entity (healthcare, financial assistance, federally funded services) or a general data holder subject only to Chapter 521's baseline. This distinction determines the compliance framework, the applicable regulator, and the consequence structure for a failure.
A secondary boundary separates nonprofits that process cardholder data from those that rely entirely on third-party payment processors. Nonprofits that have fully offloaded payment processing to a PCI-compliant third party (and retain no card data on their own systems) carry a materially lower PCI DSS scope than those maintaining any local storage, processing, or transmission of card data, though even a fully outsourced arrangement still leaves the organization responsible for validating that reduced scope.
For nonprofits evaluating security investments, the Texas Cybersecurity Audits and Assessments reference describes the assessment frameworks available, including those based on NIST SP 800-171 for organizations handling controlled unclassified information under federal grants. Texas Cybersecurity Insurance addresses coverage considerations relevant to nonprofit risk transfer strategies.
Nonprofits seeking grant-funded security infrastructure should review Texas Cybersecurity Grants and Funding, which covers state and federal funding mechanisms. The main site index provides a complete reference map across Texas cybersecurity topics applicable to this sector.
References
- Texas Business & Commerce Code, Chapter 521 — Unauthorized Use of Identifying Information
- Texas Department of Information Resources (DIR) — Texas Cybersecurity Framework and security control standards
- NIST SP 800-53, Rev. 5 — Security and Privacy Controls for Information Systems and Organizations
- CISA Cyber Hygiene Services — Free vulnerability scanning and cybersecurity assessments
- HHS Office for Civil Rights — HIPAA Security Rule
- FTC — Data Security
- Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards — 2 CFR Part 200
- Texas Office of the Attorney General — Data Security Breaches