Nonprofit Report - June 2016

Date: June 30, 2016

Act Now On Privacy And Cybersecurity Issues!
By: Jefferson C. Glassie, Esq.

Originally published in Association TRENDS magazine, June 2016.

There is no question that the newest and biggest liability risk for associations arises from online activities.  It’s not a question of ‘if’ your association will suffer a data security breach, but ‘when.’  Savvy association execs and operational professionals will get ready now for the inevitable breach – whether from a pernicious hack, phishing, or just a lost staff computer or personal device.  In fact, the laws of several states – which apply if the association has personally identifiable information (“PII”) of any residents from those states – mandate that holders of such information have in effect a written information security plan/policy (“WISP”) to protect such information NOW!  

As background, the United States does have laws in place that protect certain vertical areas, such as health care and financial, but there is no federal law that covers and protects the privacy of regular citizens across the board. Thus, there is no single national law that tells an association what information to protect or what its obligations are in the event of a breach, including when notification is required to be made to the subject of the breach or to governmental authorities.  As a result, as indicated above, associations have to look to individual state laws for guidance, with the result that compliance is essentially required with the toughest state laws.

If an association has PII on its members, stakeholders, donors, certificants, or others, it must take steps now in hopes of preventing a breach, but more realistically to minimize the damage and cost when a breach does occur. PII generally comprises information that identifies a person and could lead to access to the person’s funds or assets, such as a person’s name in combination with other identifying information, such as bank account number, social security number, driver license, credit card number, etc.  Claims can arise based on breach of privacy, but the costs of remediation also can be significant. When a breach happens, it is often difficult to determine the exact cause, but notification is generally required within a matter of days to protect those who’s PII was compromised.  In addition, woe to the association that suffers a breach and didn’t think to obtain cybersecurity insurance to defend against claims and cover costs of remediation; such insurance is available, but you often have to ask for it.

On top of that, many associations have international members or constituents, and other countries have varied laws protecting their citizens’ personal data, which is often more broadly defined than in the U.S.  The European Union implemented a Privacy Directive that requires opt-in consent from individuals prior to their personal data being transferred outside of the EU.  The U.S. had in place a safe harbor for transfers of data to companies or organizations that registered with the Commerce Department, but that safe harbor was rejected recently by the courts and is no longer in effect.  A breach of PII involving nationals of other countries would require analysis of the laws of all those countries, with notification and remediation as mandated by such statutes.

There is no adequate preparation for the inevitable breach other than association leadership (in particular, executive and finance staff) diligently, seriously, and strategically addressing these issues in advance, including by adopting appropriate privacy policies, implementing a WISP, ensuring vendor compliance, and obtaining insurance.  As we tell our clients, “Plan to Fail Well.”  Don’t wait.  Do it now!  

A "Smart" Version Of The Form I-9 Is On The Horizon
By: Tiffany M. Releford, Esq.

Originally published in Association TRENDS magazine, June 2016.

All employers are required to complete a Form I-9 for newly hired employees to verify the employee’s identity and eligibility to work in the United States.  Failure to complete the Form I-9 can result in severe penalties against the employer.  To help make this process more efficient, the United States Citizenship and Immigration Services (USCIS) has proposed a new “smart” version of the Form I-9 in an attempt to reduce user error and make the form easier to complete.  

The “smart” form, which will be available for download at after it is approved, allows employers to choose from drop-down menus, allows for field checks and error messages to verify the information input is accurate when the form is being completed.  In the past, employers have not been required to use an updated Form I-9 if the changes in versions of the I-9 were not substantial.  However, it is anticipated that once the “smart” form is approved, employers may be required to use the “smart” version of the I-9 since the changes are notable.  

Changes to the “smart” form include but are not limited to the following:

  • Validating information input by the employer to make sure it is entered correctly, as well as validating the correct number of digits for a social security number or an expiration date on an identity document.  
  • Clarifies Section 1 of the form which will require new employees to only provide “other last names used” instead of “other names used” as the current version of the form requires.  
  • Includes various help buttons to assist the user with completing the form and allows users to read instructions for each specific field to be completed on the form.
  • Limits users’ choice of documents from drop-down menus which include a list of acceptable identification documents.  
  • Simplifies the certification for certain foreign nationals by asking for a Form I-94 number or foreign passport information instead of both.  
  • Upon completion, the form will generate a quick-response matrix barcode or QR code once the form is printed.  

It is important to note that employers should not consider the “smart” form as an electronic form.  Even though the form can be completed electronically, it is not an electronic Form I-9.  This means that employers must still print the form, obtain the employee’s original signature on the form, file and maintain the I-9 as required by law, as well as track expiration dates for reverification.   

The current edition of the Form I-9 states it expires on March 31, 2016.  However, the new “smart” form has not yet been issued; thus, the USCIS will likely extend the use of the current form until the “smart” form is approved.  The public was permitted to provide comments on the proposed changes to the I-9 until April 27, 2016.  After the 30-day period ends and the public comments are reviewed, further changes could be made to the I-9 by the USCIS.  However, once the form is finally approved, the revised Form I-9 and form instructions will be posted on the USCIS website and available for use by employers.