Data Breaches and Your Privacy/Cybersecurity Program

Date: Jun 23, 2023

Data breaches have become a commonplace occurrence. Nearly every business, including nonprofits, collects, stores and uses personal information (PI) that is valuable to bad actors. All organizations store and process PI about their employees. Many nonprofit organizations store and process PI about their donors and volunteers. Bad actors can cause financial harm to the individuals whose PI is stolen.
 
California was the first state to try to protect affected individuals from this harm. It enacted a data breach notification law[i] nearly 20 years ago. The rationale behind the law is that individuals who have notice of a breach can take steps to protect themselves from identity theft and financial harm. All 50 states, the District of Columbia (District), Guam, Puerto Rico and the Virgin Islands now have a data breach notification law. These laws require organizations which collect, use and store PI to notify consumers if their PI is breached.
 
This article will briefly describe the District, Maryland and Virginia data breach notification laws. It will then discuss how an organization can mitigate the risk of a data breach by implementing a privacy and cybersecurity program and related processes and controls.  
 
A. Data Breach Notice Laws
 
There are 50+ data breach notice laws in the United States[ii]. There are similarities among the current District, Maryland and Virginia laws. Breach is defined as the unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of PI.[iii] The cause of the breach is irrelevant. It can result from criminal activity or employee error, for example, sending PI to the wrong individual. Encrypted PI does not trigger data breach notification even if a bad actor infiltrates a system in which PI is stored.
 
It is important to remember that nonprofit organizations are not exempt from reporting a data breach under the current District, Maryland and Virginia laws.
 
The District’s data breach notification law[iv] went into effect on June 8, 2020. PI is defined as the first name or initial and last name plus social security number, passport number, driver’s license number, financial account number with access code or password, medical information, genetic information or biometric information. This is not an exhaustive list. Organizations which suffer a breach must notify affected individuals as soon as possible and without unreasonable delay. Notice must also be sent to the District’s Attorney General (AG) and consumer reporting agencies under certain circumstances. Notice is not required if the organization determines it is unlikely the individuals will be harmed. That determination must be made after investigation and in consultation with the AG.
 
Maryland’s data breach notification law[v] became effective on January 1, 2008, and has many similarities to that of the District. The definition of PI is similarly broad. Notice does not need to be given in the case of a breach of unencrypted PI if the organization reasonably determines the PI will not be misused, for example, for identity theft. Notice must also be sent to the Maryland Attorney General under certain circumstances.
 
Virginia’s data breach notification law[vi] was effective as of July 1, 2008. It is not as consumer friendly, at least with regard to the definition of PI, as the District and Maryland laws. PI is limited to first name or first initial and last name in combination with social security number, driver's license number or state identification card number, financial account number with a required access code, passport number or military identification number. For example, notice is not required under the Virginia law if a bad actor acquires a consumer’s health information.[vii]
 
An organization must notify affected individuals of a breach of unencrypted PI without unreasonable delay if the organization reasonably believes the affected individuals have been or will be the victim of identity theft or fraud. The Virginia Attorney General and consumer reporting agencies must also be notified under circumstances described in the law.
 
There are differences among the three laws. First, Virginia’s definition of PI is not as broad as those set out in the District and Maryland laws. Next, notice in Maryland must be given as soon as possible but not later than 45 days after the organization discovers or is notified of a breach. The timeframes in the District and Virginia are without unreasonable delay. Finally, the District law does not apply to its government agencies. Maryland and Virginia do not exempt their state government agencies.
 
B. Your Privacy and Cybersecurity Program, Processes and Controls to Implement
 
Data breaches are costly. IBM reported in 2022 that the average cost of a data breach was $4.35 million[viii]. The costs include fees charged by cybersecurity forensics consultants, outside attorneys and public relations firms. There can also be costs relating to data restoration, system downtime, modifying systems to eliminate the cause of the breach and notifying affected individuals. In the case of ransomware, some breach victims choose to pay the demanded ransom. Some organizations do not have cybersecurity insurance. Those that do have high deductibles. Building an effective program, which uses reasonable and appropriate security measures, lessens the chance of a data breach.
 
There are six steps a business should take to implement a privacy and cybersecurity program. They are:
  1. Data Mapping/Data Classification. Many businesses do not know the systems and databases in which the PI they collect is processed and stored. In addition, many businesses use third parties to process and store PI. Data mapping is a process by which a business locates its PI and tracks it to each system used to process and store the PI. Do not forget PI stored in hard copy.
     Data should be classified after it is located. Data usually falls into one of three categories: (a) PI; (b) proprietary, but not PI; and (c) public information.
  2. Risk Assessment. A business should then assess the risks around processing and storing its PI. Measure current practices against a set of industry-recognized data handling practices. Remediate the gaps.
  3. Policy, Process and Procedures. Written privacy and security policies, processes and procedures related to handling and storing information should be adopted. Regulators will ask for these if the business is investigated.
  4. Incident Response Plan (IRP). Every organization needs an IRP. The IRP sets out procedures that will be followed when the business has a known or suspected security incident. Test the IRP periodically via a tabletop exercise.
  5. Training. Many security incidents occur because well-meaning people are not careful or knowledgeable. It is crucial to train staff and volunteers on secure data handling practices. For example, train staff and volunteers on what to look for in spotting a phishing email. Personnel who have been trained are far less likely to open a phishing email.
  6. Audit. Audit your program and address the gaps. Strive for constant improvement.

Some specific practices to be included in a privacy and cybersecurity program are:
  1. All confidential information, including PI, should be encrypted at rest and in transit. Bad actors cannot use encrypted information.
  2. Require users to use complex passwords. A password should be at least 8 characters that include upper and lowercase letters, numbers and symbols. Establish a requirement to change passwords at least every 90 days.
  3. Make multi-factor authentication mandatory. A second log-in credential decreases the ability of bad actors to infiltrate an employee’s account.
  4. Keep all software updated with the latest patches and security configurations.
  5. Consider buying cyber insurance.
  6. Train employees and volunteers to be wary of working in public spaces using public WiFi and hot spots. Be sure each is using a VPN.

C. Conclusion
 
There is an old adage: an ounce of prevention is worth a pound of cure. No amount of effort will make an organization completely breach proof. However, a well-thought-out, risk-based privacy and cybersecurity program will make it difficult for bad actors to gain access to an organization’s data.

[i] Cal Civil Code § 1798.29.
[ii] There is no overriding federal law on data breach notification.
[iii] Code of the District of Columbia § 28-3851 (1)(A), Md. Code Comm. Law § 14-3504 (a)(1) and Va. Code § 18.2-186.6.
[iv] Code of the District of Columbia § 28-3851, et seq.
[vi] Va. Code § 18.2-186.6.
[vii] The Health Insurance Portability and Accountability Act, also known as HIPAA, requires notice under certain circumstances.
[viii] IBM, Cost of a Data Breach Report 2022.