Like most people in our tech-inundated world, you might be a bit numb to seemingly daily reports that yet another organization has been hacked. But, as an executive or employee of a nonprofit organization or association, you may have taken notice and some comfort in the fact that the lion’s share of those attacks appear to have been perpetrated on for-profit businesses and government agencies, like Sony, Citibank, Lockheed Martin, ADP, the FBI and the CIA.
But don’t be lulled into a false sense of security; when it comes to collecting and storing valuable data, such as employee data, credit card numbers, and other member information, many associations and nonprofits are in the same situation. Just ask technology trade associations TechAmerica and USTelecom, both of which were reportedly knocked offline by the hacker collective Anonymous in April 2012. Or ask the National Automated Clearing House Association (NACHA), which suffered from a relentless phishing scam that used NACHA's famous electronic payments brand to lure email recipients into downloading malware. Or ask one of a host of other trade associations and nonprofits that have suffered similar, if less visible, fates.
The reality is that, in an instant, your own association or nonprofit organization can find itself in the glare of a viral media storm, responding to Tweets and YouTube accusations, fending off the press, and struggling to bolster member and donor confidence, comply with legal requirements and avoid lawsuits, money damages, and governmental enforcement actions.
How could this happen to you? Easily. A laptop is stolen from an employee’s car. A compact disk is lost in transit. A disgruntled employee walks off with customer data on a flash drive. A member’s social security number is visible through the window on an envelope. A hacker taps into your technology system, defaces your website and posts confidential information on the Internet. Your cloud vendor suffers a security breach. Or one of your employees clicks on a phishing link that gives botnet operators control of your entire network. However it happens, a security breach can compromise the personal information of your employees or members and have drastic, negative effects on your mission and reputation, leaving you stunned and the world angry at you.
Whether or not your organization is actually prepared for a security breach, it almost certainly is required to comply with one or more of the complex patchwork of state, federal, and international laws designed to protect the privacy of personal information. While many of the U.S. federal privacy laws have been around for years and were designed to protect limited kinds of information, such as those held by banks and hospitals, the more recent “data security breach laws” adopted in D.C., Delaware, Maryland, Virginia and 45 other U.S. states and territories tend to be much broader and to govern any business -- whether for-profit or not -- that holds the personal information of a resident from a particular state. So, for example, if your organization holds the personal information of residents from D.C., Delaware, Maryland, Virginia, California or Massachusetts, then you must comply with the data security breach laws of each of those jurisdictions.
What do state data security breach laws require?
There are critical differences among the various data security breach laws. For instance, in most states, “personal information” means a person’s name in combination with their social security number, driver’s license number, bank, credit or debit card number, or taxpayer identification number; some states limit the scope of protected information to that which is stored electronically, and still others expand the scope to include medical information. But, in essence, the data security breach laws require organizations to conduct a reasonable and prompt investigation and to notify affected individuals, the state government (and sometimes others, such as credit reporting agencies) in the event of a personal data security breach. Some states do not require organizations to report security breaches that affect only encrypted data.
Moreover, and here’s where it gets really important, a handful of states and territories, including California, Massachusetts and Maryland (but not D.C., Delaware or Virginia), also require organizations to take certain preemptive actions that are intended to minimize the risk of unauthorized access to or use of personal information. For example, if your organization stores, owns, uses, or licenses the personal information of an individual residing in California, Massachusetts, Maryland or a state with a similar law (and virtually all membership organizations do), you must implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information and to the nature and size of your organization and its operations. In essence, this means that, in order to comply with the law, you must adopt what’s often referred to as a written information security program (“WISP”). The full impact of these laws is not yet clear, and because only a few states have adopted them, using language that is not entirely consistent, approaches and enforcement will vary unless the federal government can, at some point, pass a single, national law that preempts those state laws.
Beyond the steps required to try to prevent data loss and to deal with a loss if it happens, states may also regulate other aspects of keeping private data secure.
- Under Maryland law, for example, if an organization destroys records that contain a customer’s personal information, the organization is required to take reasonable steps to prevent unauthorized access to, or use of, the personal information, taking into consideration factors that include the sensitivity of the records, costs, and available technology.
- Under some state laws, including those of California, Massachusetts, and Maryland, if your organization uses a nonaffiliated third party to perform services and if you disclose personal information about a resident of that state under a written contract, then your organization must by contract require the third party to implement and maintain its own reasonable and appropriate security procedures and practices to help protect personal information from unauthorized access, use, modification, disclosure or destruction. Since many nonprofit organizations and trade associations strive for a national or international membership base, and most also outsource important functions that provide third-party service providers with access to personal information -- such as cloud computing services -- most nonprofit organizations and trade or professional associations are subject to those requirements.
The best first steps are prevention and planning.
If your organization has not yet suffered a security breach, count yourself lucky -- the Privacy Rights Clearinghouse now conservatively estimates that a whopping 563 million records have been compromised since January 2005. But don’t count for too long; instead, spend your time wisely by preparing for the worst. Doing so will help you minimize the likelihood of a breach by bolstering your security systems and policies, ensure that you comply with applicable state data security policy and breach laws (and any other applicable U.S. or international privacy laws), and establish safeguards and plans that will bolster customer confidence, both in good times and in bad.
Make no mistake, prevention and planning for a security breach can be a big and complex job, but so are the stakes. We recommend the following five-step prevention and planning process:
- Learn -- know the laws that apply to you and what they require you to do.
- Audit -- audit your security practices and how you collect, share and use personal information.
- Implement -- design and implement a privacy and security plan that complies with applicable laws, limits exposure, and increases customer confidence.
- Comply and adjust -- follow the plan, stay current on the legal requirements, and update your protections as technologies and laws change.
- Mitigate -- prepare a risk mitigation plan, including how to handle the bad publicity, and swiftly implement it if the worst happens.
No security system, not even Google’s, is perfect. But in view of the complex patchwork of state-level data security laws (and other privacy laws), taking preventive measures to minimize the likelihood or scope of a future security breach and establishing contingency plans in case a breach occurs are the surest path to legal compliance, not to mention a win-win outcome for your members, your organization, your mission, and your pockets.