Last modified: 2017-05-24
Abstract
High-profile information security data breaches in the for-profit and governmental sectors, such as those at Target and the Office of Personnel Management, have saturated the news and raised awareness of the widespread scope of the problem. Not surprisingly, organizations are questioning the security of their own confidential information and are concerned about the potentially crippling effects of a data breach, which include not only financial loss but reputational damage as well. Nonprofits are particularly vulnerable, as resources in many nonprofits are spread thin and necessary training is often overlooked (Gloeckner and Herman, 2016). This paper examines the state of information security compliance through the lens of the nonprofit organization and provides a comprehensive review of the information security laws most relevant to nonprofit organizations. The authors conducted an exploratory survey of 64 respondents to better understand the compliance environment in nonprofit organizations, including overall familiarity with information security law and organizational implementation of information security policies. In light of results showing a general lack of awareness of information security law and a lack of preparedness for securing confidential information, the authors propose a risk-management strategy for developing and implementing a comprehensive information security plan in the nonprofit organization that satisfies current legal mandates.