There are two problems with this statement. First, as the actual owner of the data, you probably do have some liability even if it’s your processor that gets breached. However, if your site is hacked, that data could be scraped BEFORE it gets to the processor, leaving you directly liable.
Secondly, there is a lot of data that goes beyond credit card numbers that is sensitive to the campaign, that is likely hackable. Do you have lists or campaign plans in your email or computer? Does your digital or field consultant? Are they held securely in an encrypted way?
Your password is probably hackable in minutes. Additionally, if you are not using a unique password for your computer itself, any number of companies that are hackable probably have it too.
You can’t be 100% secure. But there are simple things you can do, both for your own devices and from a staff/consultant/vendor policy standpoint, that can dramatically reduce your risks.