The obligations imposed by the data breach laws enacted by almost every state and many foreign jurisdictions (particularly the European Union), and by various federal privacy laws, do not distinguish between for-profit businesses and nonprofit organizations. Therefore, trade and professional associations must be vigilant to ensure compliance with these many laws and, when appropriate and necessary, implement a written information security program that includes appropriate technical, procedural and administrative safeguards for protecting private information.
Nearly every state has enacted some form of data breach law. While there are several differences between the various states’ laws, as a general matter they impose obligations upon organizations that collect “personal information,” which generally is defined as a person’s first name or first initial plus last name, combined with other identifying information such as a Social Security number, driver’s license number, or a financial account number. Although requirements differ from state to state, the data breach laws generally require an organization to investigate a data breach, notify affected persons and, in some cases, notify state regulators. In some states, these notification requirements may not apply if the breach involves only encrypted data; this safe harbor is generally available only when the encryption key itself was not also acquired, so an association relying on it should be able to show where its keys are stored and who can access them. In contrast to the member nations of the European Union, Canada, Australia, New Zealand and others, which have enacted omnibus data protection laws, to date Congress has taken a patchwork, sectoral approach to privacy by enacting federal laws that protect specified types of information, such as financial information, health information, credit information and the personal information of children.
Most associations collect one or more of the kinds of information protected under these various laws and should, therefore, implement policies and safeguards to avoid noncompliance. While the costs of implementing these measures may be significant to an association, the costs will be minimal when compared to the costs of responding to a data breach that may have been avoided by having proper safeguards in place, as well as the fines or penalties that may be imposed by state and/or federal regulators and litigation costs. It is wise to evaluate whether your association should have insurance to cover these risks. These costs, when combined with the nonmonetary costs associated with a breach – such as adverse publicity and loss of trust of members and donors – dictate that privacy must matter to your association.
This article was originally published in the Association TRENDS newsletter.