Non Profit Report - November 2013

Date: November 25, 2013

Privacy Matters
By: Howard R. Feldman, Esq.

The obligations imposed by the data breach laws enacted by almost every state and many foreign jurisdictions (including the European Union), and by the various federal privacy laws, do not distinguish between for-profit businesses and nonprofit organizations. Trade and professional associations must therefore be vigilant to ensure compliance with these many laws and, when appropriate and necessary, implement a written information security program that includes appropriate technical, procedural and administrative safeguards for protecting private information.

Nearly every state has enacted some form of data breach law. While there are several differences between the various states’ laws, as a general matter they impose obligations upon organizations that collect “personal information,” which generally is defined as a person’s first name or first initial plus last name, combined with other identifying information such as a Social Security number, driver’s license number, or a financial account number. Although requirements differ from state to state, the data breach laws generally require an organization to investigate a data breach, notify affected persons and, in some cases, notify state regulators. In some states, these notification requirements may be avoided if a breach involves only encrypted data, typically on the condition that the encryption key was not also compromised. In contrast to the nations of the European Union, Canada, Australia, New Zealand and others, which have enacted omnibus data protection laws, Congress to date has taken a patchwork sectoral approach to privacy, enacting federal laws that protect specified types of information, such as financial information, health information, credit information and the personal information of children.

Most associations collect one or more of the kinds of information protected under these various laws and should, therefore, implement policies and safeguards to comply with them. While the costs of implementing these measures may be significant to an association, they will be minimal when compared to the costs of responding to a data breach that could have been avoided with proper safeguards in place, the fines or penalties that may be imposed by state and/or federal regulators, and the costs of litigation. It is wise to evaluate whether your association should carry insurance to cover these risks. These costs, combined with the nonmonetary costs of a breach – such as adverse publicity and the loss of trust of members and donors – dictate that privacy must matter to your association.

This article was originally published in the Association TRENDS newsletter.

Cyberattacks Are Equal Opportunity Threats
By: S. Keith Moulsdale, Esq.

You may think that most cyberattacks happen to for-profit businesses and government agencies. But don’t be lulled into a false sense of security; when it comes to collecting and storing valuable data, many trade associations and nonprofits could give a like-sized corporation a run for its money.

How could a security breach happen to you? Easily. A laptop is stolen from an employee’s car. A compact disc is lost in transit. A disgruntled employee walks off with association financial data – including member credit card information – on a flash drive. Students at a local school gain unauthorized access to your IT system. A member’s Social Security number is visible through the window of an envelope. A hacker taps into your technology system. Your cloud vendor suffers a security breach. However it happens, a security breach can compromise the personal information of your employees or members, have drastic effects on your nonprofit mission, and push you into the blinding glare of a viral media storm – responding to accusations, fending off the press, and struggling to bolster member confidence, comply with legal requirements and avoid lawsuits, money damages and enforcement actions – leaving you stunned and the world angry at you.

While many of the U.S. federal privacy laws have been around for years and were designed to protect limited kinds of information, the more recent “data security breach laws” adopted in most U.S. states and territories tend to be broader and to govern any organization – for-profit or not – that holds the personal information of a resident of a particular state.

If your association has not yet suffered a security breach, count yourself lucky – the Privacy Rights Clearinghouse now conservatively estimates that a whopping 230 million records have been compromised since January 2005. But don’t count your blessings for too long; instead, spend your time wisely by preparing for the worst. Doing so will help you minimize the likelihood of a breach by bolstering your security systems and policies, ensure that you comply with applicable state data security breach laws (and any other applicable U.S. or international privacy laws), and establish safeguards and plans that will bolster member confidence, both in good times and in bad.

Make no mistake, preventing and planning for a security breach can be a big and complex job, but the stakes are high. Here is a four-step prevention and planning process:

  1. Audit – audit your security practices and how you collect, store, share and use personal information, and learn which laws apply to your association.
  2. Implement – design and implement a privacy and security plan that complies with applicable laws, limits your exposure, and increases member confidence.
  3. Comply – follow the plan, and update it as technologies and laws change.
  4. Mitigate – prepare a risk mitigation plan, and implement it swiftly if the worst happens.

It also is important to evaluate and obtain appropriate liability insurance to cover claims that might be brought against your association, as well as first-party insurance to cover your own costs of responding to a security breach, such as investigation and notification.

No security system, not even Google’s, is perfect. But in view of the complex patchwork of state-level data security laws (and other privacy laws), taking preventive measures to minimize the likelihood or scope of a future security breach, and establishing contingency plans in case a breach occurs, is the surest way to achieve legal compliance and a win-win outcome for your members and your association. If your organization has not yet suffered a security breach, count yourself lucky – and then spend your time preparing for the worst.

This article was originally published in the Association TRENDS newsletter.