Nonprofit Report - November 2015

Date: November 4, 2015

Cybersecurity: A Big Threat
By: Stacey L. Pine, Esq.

This article appeared in Association TRENDS and is reprinted with permission of the publisher.

Many association employees may think that cybersecurity is a matter to be handled only by the IT staff. CFOs, however, know that nothing could be further from the truth as cybersecurity is not just an IT issue, it is also a money issue.  For instance an association that falls victim to a cybersecurity breach may spend thousands of dollars to repair its compromised computer system, may expend significant funds providing notification to those whose information was released, and be forced to pay even larger sums of money to defend or settle law suits initiated by those whose personal information was compromised.  

For these reasons, tt is critical to protect the “personally identifiable information” (“PII”) of association members.   PII is generally defined to be a person’s first name or first initial, plus last name, combined with other identifying information such as a Social Security number, driver’s license number, or a financial account number.  Almost all states now have strict laws regarding the safeguarding of this type of data, and require businesses, including nonprofit associations, that store PII to take specific steps to protect the information.  Some states (such as Massachusetts and Maryland) require organizations to design and implement a written information security plan (“WISP”) for safeguarding PII.   Various states also require organizations that provide member PII to third-party vendors to include very specific provisions in their contracts with the vendors to ensure the vendor takes steps to protect the PII.  A cybersecurity breach of the vendor’s system could subject the association to liability if these provisions are not included.  

To protect the association from the risks from a cybersecurity breach incurred by a vendor, the association should take the following steps:

Become familiar with your state’s cybersecurity laws.  Laws vary from state-to-state and each state will require different security measures.  Remember, even if the association has only one member in a state, it must comply with the data security laws in that state. 

Develop a WISP.  Numerous states throughout the country now require organizations to have a WISP.  Developing a WISP helps associations to identify and evaluate security risks, aids in the implementation of measures to protect against risks, and provides clear procedures for the association to follow should it fall victim to a cyber-attack. 

Minimize risk through contract provisions.  If vendors have access to the PII of members, contracts with those vendors should contain the following provisions: 

  1. The vendor agrees to comply with all data security laws of all applicable states,  and shall indemnify and hold the association harmless for the vendor’s failure to comply; 
  2. The vendor shall use the members’ PII only for purposes specified in the contract; 
  3. The vendor shall develop and implement its own WISP and provide the association with a copy;  
  4. The vendor must provide procedures it will take to notify the association in the event of a data security breach; and 
  5. The vendor shall return, delete, or destroy all of the members’ PII upon termination of its contract with the association and upon request of the association.

Make sure your insurance policy covers cyber-attacks. Many organizations assume their general liability insurance policy will protect them from any damage or liability resulting from a cyber-attack.  This is an ill-founded assumption, however, and associations should also confirm with their insurance providers whether the association’s general liability policy covers damage to the association’s computer system caused by cyber criminals as well as liability incurred as a result of an attack.

DOJ Issues New Guidance on Testing Accommodations Under the Americans with Disabilities Act
By: Megan C. Spratt, Esq.

On September 8, 2015, the Department of Justice issued technical assistance on testing accommodations under the ADA.  The document covers who is entitled to testing accommodations, what types of testing accommodations are required, what documentation may be required of the individual requesting the accommodations, prohibited flagging policies, and how test scores for those receiving accommodations should be reported.

First, the document makes clear that the testing accommodations requirements apply to exams administered by any private, state, or local government entity related to applications, licensing, certification, or credentialing for secondary or postsecondary education, professional, or trade purposes.  

Regarding what constitutes testing accommodations, the DOJ explains that testing accommodations are changes to the regular testing environment and auxiliary aids and services that enable those with disabilities to demonstrate their true aptitude on exams.  Examples include braille, screen reading technology, scribes, extended time, wheelchair-accessible testing stations, and distraction-free rooms.

In terms of testing accommodations eligibility, the document explains that an individual with a disability is eligible to receive testing accommodations, and under the ADA, an individual with a disability is someone who has a physical or mental impairment that substantially limits a major life activity (such as hearing, seeing, learning, reading, or concentrating), or a major bodily function (such as the neurological, endocrine, or digestive system).  A substantial limitation of a major life activity may be based on the extent to which the impairment affects the condition, manner, or duration in which the individual performs the major life activity.  In other words, to be “substantially limited” under the ADA does not require that the individual be unable to perform the activity.  Finally, a person may still have a disability, even if he or she has a history of academic success.  

As for the testing accommodations that must be given, the document provides that the testing entities are obligated to ensure that the test scores of those with disabilities accurately reflect the individual’s aptitude, or whatever skill the test is intended to measure, as opposed to the individual’s impairment (unless the exam is designed to measure the impaired skill).  

The document also addresses what kind of documentation is sufficient to support an accommodations request.  It states that any required documentation must be reasonable and narrowly tailored to the information needed to determine the nature of the disability and the need for the requested accommodations.  The DOJ counsels that proof of past testing accommodations in similar test settings is usually sufficient to support a request for the same accommodations, but an absence of previous accommodations does not preclude a candidate from receiving accommodations.  Finally, testing entities are instructed to defer to documentation from a qualified professional who has made an individualized assessment of the candidate that supports the need for the requested accommodations.

To help address complaints to the DOJ regarding test givers’ failure to response to requests for accommodations in a timely manner, the DOJ counsels that testing entities must respond in time for applicants to register and prepare for the test, and should provide applicants with an opportunity to respond to any requests for additional information and still be able to take the test in the same testing cycle.  

With respect to the reporting of test scores, the DOJ takes the position that testing entities should report accommodated scores in the same way they report scores generally, and must not decline to report scores for test-takers receiving accommodations.

Finally, the document makes clear that flagging policies (i.e., annotating or otherwise reporting scores in a way that indicates the exam was taken with an accommodation) are prohibited.  The rationale for this prohibition is that flagging announces to all exam score recipients that the test-taker has a disability, suggests that the scores are not valid, and discourages test-takers with disabilities from exercising their right to testing accommodations under the ADA.  

The technical assistance document can be viewed by visiting the disability rights section of the DOJ’s website at 

European High Court Invalidates Safe Harbor for Transfer of Personal Data
Seen as blow to companies seeking inexpensive and efficient way to comply with EU Data Directive
By: Howard Feldman, Esq. 

On October 6, 2015, the European Court of Justice — the highest court in Europe — invalidated an international privacy agreement between the United States and the European Union, known as the US-EU Safe Harbor.  The US-EU Safe Harbor allowed companies engaged in international business activities to transfer personal data from the European Union to the U.S. in compliance with the European Union Data Protection Directive (“EU Data Directive”).  Although all is not lost for companies that wish to transfer personal data from the European Union to the U.S., many view the European Court of Justice’s decision as a blow to companies seeking an inexpensive and efficient way to comply with the EU Data Directive.

Background of Safe Harbor

In short, the EU Data Directive prohibits the transfer of personal data outside of the European Union unless the laws of the country to which the personal data is being sent are deemed “adequate” under the laws of the European Union.  The data privacy and security laws of the U.S. have not been deemed “adequate” by the European Union.  Consequently, to be compliant with the EU Data Directive, companies have to undertake certain measures in order to transfer personal data from the European Union to the U.S. 

Among several alternatives, U.S. companies could rely on the US-EU Safe Harbor — the agreement between the U.S. and the European Union that was invalidated on October 6, 2015, by the European Court of Justice.  The US-EU Safe Harbor was a self-regulatory regime that did not require government approval.  A company could qualify for the US-EU Safe Harbor by: (a) adopting and posting a privacy policy that complies with the principles of the US-EU Safe Harbor; (b) self-certifying to the U.S. Department of Commerce that it adheres to the US-EU Safe Harbor principles; (c) making a public declaration of this adherence; and (d) annually self-verifying compliance with the US-EU Safe Harbor.  As a protective and enforcement measure, companies relying on the US-EU Safe Harbor were required to be subject to either an independent, third party privacy enforcement mechanism, or the European Union data protection authorities.

Safe Harbor Invalidated Because of Conflict with EU Law

The European Court of Justice struck down the US-EU Safe Harbor because of the broad discretion held by U.S. governmental agencies to access personal data (such as the U.S. National Security Agency's PRISM mass surveillance program revealed by Edward Snowden), which was viewed to be in conflict with European Union law that provides for access to personal data only when strictly necessary.  In light of the decision by the European Court of Justice, U.S. companies must now follow one of the alternative legal mechanisms for transferring personal data from the European Union to the U.S.

Moving Forward Without the Safe Harbor

Among the remaining alternatives for lawfully transferring personal data are (a) “model clauses”; and (b) “binding corporate rules” (“BCRs”). Each of these is a contract-based exception, which appear simple at first glance.  However, companies may be required to make filings with, and receive approval from, each European country from which personal data is transferred.  BCRs also require comprehensive data protection audits.

Safe Harbor 2.0?

In the aftermath of the European Court of Justice’s decision, U.S. and European Union authorities will presumably continue to negotiate a new “safe harbor” agreement.  It remains to be seen whether, or how, such an agreement will address the concerns expressed by the European Court of Justice.