It has been brought to our attention that The Urban Institute has been the victim of a data breach related to their Form 990, 990-N, and Form 8868 extension online filing system. The data potentially exposed includes the username, first and last name, email address, IP address, phone number, and passwords associated with non-profit accounts.
If you or your organization is a victim of this data breach, contact the data breach attorneys at Revision Legal.
What Non-Profits Affected by the Urban Institute Breach Should Do Now
Data breaches involving online tax-filing platforms are particularly serious for non-profit organizations because the compromised data often includes financial officers’ credentials, organizational contact information, and details tied directly to IRS filings. If your organization used the Urban Institute’s online filing system for Form 990, Form 990-N, or Form 8868 extension requests during the affected period, you should take the following steps immediately.
- Change passwords immediately. Treat any password used on the Urban Institute filing system as compromised, even if the system turns out to have stored passwords in hashed form: weak or unsalted hashes can be cracked offline. If you used the same password for any other account (email, banking, other government portals, cloud services), change those passwords now, and choose a different password for each service. Credential stuffing attacks, in which compromised usernames and passwords from one breach are tested against other services, are among the most common follow-on harms from data breaches.
- Enable multi-factor authentication. On every account associated with the compromised email address, enable two-factor or multi-factor authentication if you have not already done so. With MFA in place, a stolen password alone is not enough to log in. Prefer an authenticator app or a hardware security key where the service offers one; SMS codes are better than nothing but can be defeated by SIM swapping or by a phishing page that relays the code in real time.
- Monitor for suspicious activity. Watch for unauthorized login attempts, logins from unfamiliar locations or devices, and any unusual activity on accounts associated with the breached credentials. Expect phishing emails and phone calls impersonating the IRS or the Urban Institute: the exposed email addresses and phone numbers give an attacker exactly what is needed to make such messages convincing, and the IRS does not initiate contact by email, text, or social media to request credentials or personal information.
- Notify relevant stakeholders. If employee or volunteer credentials were compromised, notify those individuals promptly so they can take protective action on their personal accounts.
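As an added example (not from the original page or from the Urban Institute), the following Python script shows how the "monitor for suspicious activity" step can be made concrete on a platform's own web login logs: it flags a single source address failing against many different usernames in a short window (the signature of credential stuffing) and any successful post-breach login to a breached account from an address that account had never used before the breach. The log format, the sample log lines, the breached-account list, and the breach date are all constructed and assumed for illustration.

```python
"""Sift web authentication logs for two post-breach signals:
(1) credential stuffing: one source IP failing against many distinct usernames
    within a short window, and
(2) successful logins to accounts known to be in the breach from an IP address
    that account had never used before the breach date.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). Format: timestamp event username source_ip
SAMPLE_LOG = """\
2024-03-01T08:00:00Z LOGIN_OK   treasurer@example-nonprofit.org 198.51.100.10
2024-03-02T09:15:00Z LOGIN_OK   treasurer@example-nonprofit.org 198.51.100.10
2024-03-05T02:10:03Z LOGIN_FAIL alice@example-nonprofit.org     203.0.113.7
2024-03-05T02:10:04Z LOGIN_FAIL bob@example-nonprofit.org       203.0.113.7
2024-03-05T02:10:05Z LOGIN_FAIL carol@example-nonprofit.org     203.0.113.7
2024-03-05T02:10:06Z LOGIN_FAIL dave@example-nonprofit.org      203.0.113.7
2024-03-05T02:10:07Z LOGIN_OK   treasurer@example-nonprofit.org 203.0.113.7
2024-03-05T02:10:08Z LOGIN_FAIL erin@example-nonprofit.org      203.0.113.7
2024-03-05T14:00:00Z LOGIN_FAIL treasurer@example-nonprofit.org 198.51.100.10
2024-03-06T10:00:00Z LOGIN_OK   treasurer@example-nonprofit.org 198.51.100.10
"""

# Assumed inputs for the example: which accounts appeared in the breach notice,
# and the date from which logins should be treated as post-breach.
BREACHED_ACCOUNTS = {"treasurer@example-nonprofit.org", "alice@example-nonprofit.org"}
BREACH_DATE = datetime(2024, 3, 4)


def parse_log(text):
    """Return a list of (timestamp, event, username, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, user, ip))
    return sorted(events)


def find_stuffing_sources(events, min_distinct_users=5, window_seconds=60):
    """Map source IP -> largest number of distinct usernames it failed against
    within any window of window_seconds. A legitimate user who mistypes a
    password hits one account; a stuffing tool walks a list of leaked pairs."""
    fails = defaultdict(list)
    for ts, event, user, ip in events:
        if event == "LOGIN_FAIL":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, attempts in fails.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits in window_seconds.
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({user for _, user in attempts[start:end + 1]})
            if distinct >= min_distinct_users and distinct > flagged.get(ip, 0):
                flagged[ip] = distinct
    return flagged


def find_risky_logins(events, breached_accounts, breach_date):
    """Successful post-breach logins to breached accounts from an IP the account
    never used before the breach. Returns (iso_timestamp, user, ip) tuples."""
    known_ips = defaultdict(set)
    for ts, event, user, ip in events:
        if event == "LOGIN_OK" and ts < breach_date:
            known_ips[user].add(ip)
    return [
        (ts.isoformat(), user, ip)
        for ts, event, user, ip in events
        if event == "LOGIN_OK" and ts >= breach_date
        and user in breached_accounts and ip not in known_ips[user]
    ]


def triage(log_text, breached_accounts, breach_date):
    """Combine both signals; a risky login from a stuffing source is top priority."""
    events = parse_log(log_text)
    stuffing = find_stuffing_sources(events)
    risky = find_risky_logins(events, breached_accounts, breach_date)
    return [(ts, user, ip, ip in stuffing) for ts, user, ip in risky]


if __name__ == "__main__":
    for ts, user, ip, from_stuffing_source in triage(SAMPLE_LOG, BREACHED_ACCOUNTS, BREACH_DATE):
        note = " (IP also seen credential stuffing)" if from_stuffing_source else ""
        print(f"{ts} {user} logged in from {ip}{note}")
```

On the constructed log the script reports one risky login: the treasurer account, listed in the breach, is accessed from 203.0.113.7, an address that has never logged into that account before and that a few seconds earlier was failing against five other usernames. The thresholds (five distinct usernames within sixty seconds) are a starting point; tune them to the platform's normal traffic so that a help desk resetting several accounts from one address is not mistaken for an attacker.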
Legal Framework: Data Breach Notification Requirements
The Urban Institute’s legal obligations following this breach depend on the applicable state breach notification statutes. Every U.S. state, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted breach notification laws requiring businesses and organizations to notify affected individuals when their personal information is exposed in a security incident. These laws vary significantly in their definitions of covered data, trigger thresholds, notification timing requirements, and required content of breach notices.
Most state breach notification statutes define a covered breach as unauthorized acquisition of personal information—typically combinations of name, email address, password, financial account number, Social Security number, or other sensitive identifiers. The data categories reported in the Urban Institute breach (username, name, email, IP address, phone number, and passwords) fall squarely within the covered categories in most states. Organizations affected by breaches of state-regulated data have their own notification obligations if their employees’ or donors’ personal information was stored in the compromised system.
Federal Considerations: IRS Systems and FISMA
Because the Urban Institute’s compromised system was used for IRS-related filings (Form 990 and extension requests), there are additional federal dimensions to consider. The IRS imposes its own security and conduct requirements on Authorized IRS e-file Providers, including Electronic Return Originators and Intermediate Service Providers, and requires them to safeguard taxpayer data. A breach of a platform used for IRS electronic filings may therefore trigger notification obligations to the IRS in addition to those owed to affected individuals and state regulators.
Non-profits that are government contractors or grantees may also have reporting obligations. The Federal Information Security Modernization Act of 2014 (FISMA) binds federal agencies and the contractors that operate information systems on their behalf, so it will rarely reach a grantee directly, but agency-specific cybersecurity terms written into grant and cooperative agreements often do. If your organization’s use of the Urban Institute platform was connected to federal grant activities, review the cybersecurity and incident-reporting terms in your grant agreements to determine whether the breach must be reported to your federal program officer.
Evaluating Whether Your Organization Has a Claim
Affected non-profits and individuals may have civil claims arising from the breach depending on the applicable law and the facts of the incident. Potential causes of action include negligence (failure to implement reasonable security measures), breach of contract (if the platform’s terms of service included security commitments), and statutory claims under applicable state data breach or consumer protection statutes. Some states permit statutory damages per affected individual without requiring proof of actual harm; others require a showing of injury such as fraudulent use of the compromised information, identity theft, or out-of-pocket costs incurred in responding to the breach.
Class action litigation following significant data breaches is common. If the Urban Institute breach affected a large number of organizations and individuals, class proceedings may aggregate claims that would not be economically viable on an individual basis. Organizations that believe they or their employees have been harmed by the breach should document the incident, preserve evidence of any resulting harm, and consult with data breach counsel promptly—statutes of limitations for data breach claims vary by state and can be as short as one to two years from the date of the breach or the date of discovery.
Revision Legal’s data breach attorneys advise organizations on breach response, notification compliance, and legal claims arising from data security incidents. If your organization was affected by the Urban Institute breach or another data security event, contact us at 855-473-8474 or through the contact form on this page.
Understanding Data Breach Liability Under Federal and State Law
Organizations that suffer data breaches face potential liability under both federal and state law. At the federal level, the FTC Act’s Section 5 prohibition on unfair or deceptive acts or practices applies to inadequate data security—the FTC has brought enforcement actions against companies whose failure to implement reasonable security measures constitutes an unfair practice. The FTC’s Wyndham Worldwide Corp. litigation, affirmed by the Third Circuit in 2015, established that the FTC has authority to regulate corporate data security under Section 5. Organizations handling personal data must maintain security measures that are reasonable given the sensitivity of the data and the cost of available safeguards.
At the state level, the patchwork of breach notification statutes imposes its own compliance requirements. Most states require notification to affected individuals without unreasonable delay, and many set an outer limit, commonly 30 to 60 days after discovery of the breach (Florida and New York, for example, allow 30 days). Some sector regulators are stricter: the New York Department of Financial Services requires the entities it licenses to report a cybersecurity event within 72 hours. California’s Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), adds a duty to maintain reasonable security and a private right of action with statutory damages when nonencrypted and nonredacted personal information is exposed through a failure to do so. Note, however, that the CCPA’s definition of a covered “business” is limited to for-profit entities that meet its thresholds, so most non-profits fall outside the statute unless they are controlled by, and share branding with, a covered business. California’s separate breach notification statute, by contrast, applies to any person or business that conducts business in California and owns or licenses computerized personal information about California residents, regardless of where the organization is headquartered.
Affected individuals and organizations also have standing to bring civil claims for breach-related harms in many states. The specific legal theories available depend on the state, the nature of the data compromised, and the type of harm suffered. Consultation with data breach counsel is essential to evaluate the options and meet applicable deadlines. Contact Revision Legal at 855-473-8474 for assistance.
How Revision Legal Can Help
Revision Legal’s data breach attorneys have experience advising non-profit organizations, businesses, and individuals following data security incidents. Our practice encompasses breach response planning, regulatory notification compliance across multiple state regimes, coordination with forensic investigators, and civil litigation on behalf of affected parties. When a breach occurs, time is critical—both to limit ongoing harm and to preserve legal options that may be foreclosed by applicable statutes of limitations. Early engagement of counsel allows organizations to respond systematically, communicate accurately with affected stakeholders, and position themselves to pursue or defend claims effectively. Whether you are a non-profit executive concerned about the Urban Institute breach or a business responding to your own data security incident, our attorneys are available to advise you. Contact us at 855-473-8474 or complete the contact form on this page.