Nonprofit Report - February 2015
Don't Send Your Association's Email Lists to Criminals
By: Jeff Glassie and Stacey Pine
On an almost daily basis, we hear about a high profile company falling victim to a cyber-attack. While the news media has been replete with stories about high profile, for-profit businesses falling victim to computer hackers, nonprofit associations are now also a prime target for cyber criminals.
No organization is immune from a cyber-attack, as the attacks are pervasive across all industries. Nonprofit associations face considerable liability risks, especially if credit card or bank information, or a member’s personal information such as a Social Security number or birth date, is obtained by cyber criminals. Such risks include government and regulatory investigations and fines, and lawsuits seeking damages for invasion of privacy, misappropriation of confidential information, and a myriad of other issues. In addition to legal risks, there are also financial and practical ramifications associated with business interruptions and with trying to protect the nonprofit association’s brand, reputation, and donor relations.
A cyber-attack can take many forms and can be used to access various kinds of organizational information. For instance, in the well-known Target case, cyber criminals installed malware on Target’s computer system and then captured customer debit and credit card information. However, in several recent cases involving nonprofit associations, cyber criminals used some very simple steps to gain unauthorized access to organizational data. These attacks involved cyber criminals pretending to be someone with authority within the association or a trusted vendor, a practice called “spoofing.” In these cases, the cyber criminals hijacked the email system and then used it to send an email to targeted junior staff or to an email vendor responsible for maintaining the association’s email lists. The emails appeared to come from the CEO and, in fact, were sent from the CEO’s email account. The emails instructed the junior staff member or vendor to forward specific member information to the CEO’s work email and to a fraudulent email address identified as the CEO’s personal email account. In each case, the staff member or vendor complied with the request and unknowingly sent the member email list to a hacker.
These types of attacks have a high success rate, primarily because they target specific staff members within an organization. Often those staff members are junior employees who do not feel comfortable questioning a request that comes from the CEO or senior management. Fortunately, there are some very simple steps an organization can take to protect itself against such an attack. From an information technology perspective, the organization should ensure that there are systems and controls in place to screen suspicious URLs and IP addresses and to block malicious material. Just as important, however, is implementing organization-wide training to educate staff about such attacks, discussing with them the impact such an attack could have on the organization, and instructing them on how to handle suspicious emails or requests for organizational data. Staff and vendors should be instructed not to transmit the association’s membership lists or other important data without first verifying, outside the email exchange itself, the identity of the person making the request and of the intended recipient.
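As an added example (not code from the article or its authors), the following screening check illustrates the kind of control the authors recommend: it holds any message that asks for a member list from an executive mailbox, or asks for it to be sent to an address outside the association, until the request is confirmed out of band. The domain, the executive mailbox, the keyword list and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed values for this example; substitute the association's own domain and mailboxes.
ORG_DOMAIN = "example-association.org"
EXECUTIVE_MAILBOXES = {"ceo@example-association.org"}
SENSITIVE_TERMS = ("member list", "membership list", "email list", "mailing list", "donor list")
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def external_addresses(text, org_domain=ORG_DOMAIN):
    """Every email address appearing in text whose domain is not the association's own."""
    found = {a.lower() for a in ADDR_RE.findall(text)}
    return sorted(a for a in found if not a.endswith("@" + org_domain))


def review_message(raw, org_domain=ORG_DOMAIN, executives=EXECUTIVE_MAILBOXES):
    """Decide whether a member-data request must be verified out of band. Sender authentication
    (SPF/DKIM) cannot help here: in the incident described the mail came from the real CEO account."""
    msg = message_from_string(raw)
    sender = (getaddresses([msg.get("From", "")]) or [("", "")])[0][1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    asks_for_data = any(term in body.lower() for term in SENSITIVE_TERMS)
    # The fraudulent "personal account" appears in the body or in Reply-To/Cc, never in From.
    extra = " ".join(addr for _, addr in getaddresses(msg.get_all("Reply-To", []) + msg.get_all("Cc", [])))
    external = external_addresses(body + " " + extra, org_domain)
    reasons = []
    if asks_for_data and sender in executives:
        reasons.append("executive mailbox requesting member data; confirm by phone or in person")
    if asks_for_data and external:
        reasons.append("member data requested to be sent outside %s: %s" % (org_domain, ", ".join(external)))
    return {"hold": bool(reasons), "reasons": reasons, "external": external}


# Constructed message modelled on the incident in the article: sent from the genuine CEO account.
SAMPLE_REQUEST = """\
From: Jane Doe <ceo@example-association.org>
To: junior.staff@example-association.org
Subject: Quick favor

Please send the current membership list to this address and to my personal
account, jane.doe.home@freemail.example, before the board call.
"""


if __name__ == "__main__":
    print(review_message(SAMPLE_REQUEST))
```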
All states now have very strict laws regarding security breaches, and business organizations, including nonprofit associations, are required to design and implement a written information security plan (“WISP”) for safeguarding organizational data. For this reason, associations should ensure they know the laws that apply to them and take all necessary steps, including developing a WISP, to protect their organizational data.
Readers interested in learning more about the subject of this article or other cyber security issues affecting nonprofit organizations may contact Jeff Glassie at firstname.lastname@example.org or Stacey Pine at email@example.com.
Travel Safe: Managing the Legal Risks that Arise from International Operations
By Jeff Glassie
This article originally appeared in the Winter 2014 edition of “Risk Management Essentials,” a publication of the Nonprofit Risk Management Center.
Nonprofit organizations are becoming increasingly active in global activities, which are very complex because of cultural, linguistic, operational, and risk issues. Adding to the complexity are legal issues. When does United States law apply, and when does the law of the local country apply? And what exactly are local laws that nonprofits have to watch out for? It’s not possible to know the laws of all the countries around the world, so how does one manage some of the key legal risks?
Here is a list of some of the more important legal concerns, with some guiding principles that nonprofit leaders should be aware of before venturing overseas.
1. Trademark – This may be the most important issue of all. In the United States, nonprofit organizations obtain rights to trademarks, i.e., their names, acronyms, design logos, and slogans, simply through use in commerce. Registration is not required, but is advisable to enhance protections. In most other countries, however, trademark ownership is based on registration with the relevant authorities. These countries are “first to file” jurisdictions, so if a nonprofit starts conducting activities in another country, the first step is to register the organization’s important trademarks. Otherwise, someone else could register and start using the nonprofit’s name! That would not be cool! So, don’t be the nonprofit manager who surrenders your organization’s name and marks in other countries. Engage the services of trademark counsel, identify and prioritize the countries where you may conduct programs, and make sure registrations are filed for important marks. It is essential for truly global nonprofits to have a trademark portfolio to protect their marks globally.
2. Overseas Offices – Many activities can be conducted without an office in the local country, but it’s important to understand when one may cross the line and be required to register with the corporate authorities. Simply having a single employee or agent in a country is unlikely to trigger corporate registration requirements, but having several employees, an office, and a bank account for funds will likely necessitate registration. It’s important to think of this before activities become substantial. In some cases nonprofits open offices in other countries without setting up new local legal entities; these are usually called “branch offices” and will require registration. Or, the nonprofit may want to establish a separate legal entity for liability purposes, and that will entail setting up a corporate-type organization under the laws of the local country. Keep in mind that other countries don’t have the same type of corporate structures we do in the United States, so the options will have to be explored with local legal counsel, and sometimes the requirements can be unfamiliar, complex, and arcane. It might even be appropriate or advantageous to operate as a for-profit entity in certain countries, so keep an open mind as to the options!
3. Employees/Contractors – Other countries often have similar concepts in this area as in the United States. Independent contractors must be autonomous, generally will have other clients, and should have clearly written contractor agreements. Many countries have very broad laws when it comes to employees, and mandate significant benefits during and after employment termination, more so than in the United States where “employment at will” is the default employment relationship in all states except Montana. It is critical to make sure that employees and contractors are properly identified and treated correctly under local law, or there could be significant obligations or penalties if the nonprofit does not comply. Of course, proper visas or work permits are necessary if using employees from outside the local country and, again, legal advice is important to ensure compliance.
4. Tax – A variety of issues arise when a nonprofit operates overseas. First, United States law applicable to tax-exempt organizations applies globally. So, limitations imposed on U.S. tax exempts will apply when conducting activities outside the United States. A Section 501(c)(3) charitable organization can engage in international activities, but the restrictions imposed on lobbying, political activities, and the intermediate sanctions rules will still apply. If revenues are received from fee-for-service/consulting activities or from advertising, those would be subject to unrelated business income tax (“UBIT”) just as in the U.S. Second, while most nations recognize charities and consider them tax exempt, the definitions applicable in other jurisdictions are different and may not cover the educational or more professional types of activities that Section 501(c)(3) covers in the U.S., much less have a tax exemption category for trade or professional associations, which are exempt in the United States under Section 501(c)(6). Third, there are value added taxes (“VAT”) in many countries, which we don’t have in the U.S. Also, many nations impose “withholding” taxes on the amount of dividends, royalties, or interest paid to a parent or affiliated entity outside the country. So, it’s really important to understand tax obligations in other countries before engaging in significant activities that might be considered to constitute a “permanent establishment” for tax purposes in other nations.
5. Privacy, Spam, and Cybersecurity – The United States has a patchwork of laws in this area that can make compliance somewhat complex, and other countries have similar laws, such as the European Privacy Directive, which is applicable to U.S. nonprofits. It’s important to understand that U.S. nonprofit organizations may have “personally identifiable information” (PII) about nationals of other countries that can be affected by the laws of those countries, may unknowingly have information about U.S. citizens on servers outside of the U.S., and are increasingly subject to hacker attacks and data breaches that can give rise to liability. As one of the newer liability concerns, nonprofit managers must devote significant energy to ensuring compliance with domestic and foreign laws regarding protection of data and information, such as the adoption of written information security plans mandated by certain state laws. The new Canadian anti-spam law will also ultimately require U.S. organizations to get “opt-in” consent from Canadian donors, members, or stakeholders in order to send them email messages.
6. Insurance – Most nonprofits arrange for sufficient insurance to protect the organization from claims of bodily injury and property damage, and also to protect directors, officers, staff, and volunteers from claims of wrongful or negligent acts under standard commercial liability policies and Directors’ and Officers’ (D&O) insurance, respectively. Although these policies may cover claims for actions anywhere around the world, they are likely to only respond if the suit is brought in the United States. Therefore, it’s essential to ensure that international activities are properly and adequately insured. Extra travel insurance is generally advisable for staff or volunteers working outside the United States.
7. Export Controls and Embargoes – In many respects, export controls are less significant nowadays than in the last century, but the United States embargoes of certain countries and nationals remain very strict and high profile. The main countries targeted are Cuba, Iran, Sudan, and North Korea, although specific sanctions are in place with respect to other countries such as Somalia, Syria, Russia, etc. For nonprofits with a global mission, it is important to ensure compliance with the embargoes, which are administered by the Office of Foreign Assets Control of the Treasury Department. These regulations can be highly technical and arcane.
8. Contracts – It is critical that arrangements with individuals and organizations in other countries be subject to written contracts. Misunderstandings can easily arise based on cultural, language, and other differences, so it’s vital to make sure that contracts are signed, and that specifications and deliverables are clearly described. Any creation or use of intellectual property should be addressed in the contract, to ensure that the nonprofit organization holds and retains rights in copyrighted material, and that only authorized uses of intellectual property, including trademarks, are permitted. Note that it’s generally advisable for international contracts to have arbitration clauses, as the international arbitration treaty provides for enforcement of arbitral awards in subscribing countries, whereas court decisions will probably not be given effect in other countries.
These are just some of the main legal principles for nonprofit leaders in organizations conducting or considering activities outside of the U.S. The advice of counsel based in the U.S. and also in the country where your nonprofit is headed may be required depending on the circumstances. And certain nonprofit activities such as certification, accreditation, and standards setting will require additional review. An ounce of prevention in terms of planning in advance is worth a pound of cure, because international situations can become complex very quickly. When taking your nonprofit’s mission overseas, resolve to plan for success, but be prepared for trouble.