By Deborah Shinbein, CIPP/US
Data Law Group, P.C.

This article is the first in a four-part series describing different privacy and security considerations that apply to nonprofit organizations, which often receive vast amounts of personal information from donors, grant applicants, volunteers, and others.  Merely by receiving this information, organizations become subject to numerous legal requirements, which vary depending on the state in which the individual resides (regardless of where the organization is located), as well as applicable federal laws and regulations.  Violations (such as failure to take reasonable security precautions) can lead to severe fines, burdensome audits, reputational harm, loss of public confidence, and lawsuits, so it is best to implement a privacy program before trouble arises.

State privacy laws require compliance based on the location of the individual “data subject” rather than the location of the entity doing the collection.   Nonprofits with personally identifiable information (“PII”) from individuals in various states are therefore subject to numerous state laws requiring specific information security measures, data destruction procedures, security breach notification, and more, even though the organization  may not have offices in those states.

Although state laws vary in their definitions of PII, it typically includes an individual’s name together with a social security number, driver’s license number, credit/debit card or financial account number.   Organizations that fail to comply with applicable state laws may face legal action by the state’s attorney general, and some states also allow lawsuits by impacted consumers (such as victims of a security breach).

For example, three (of many) state laws that catch organizations by surprise, include:

• Massachusetts requires any company in possession of PII from a MA resident to have a written information security plan (“WISP”), with very specific and detailed security requirements.
• Nevada requires encryption of PII transmitted outside of a company’s own secure system – both when in transit and when stored on a device (e.g. emails containing an applicant’s PII, or any laptop or hard drive containing PII, must be encrypted).
• California requires security measures appropriate to the nature of information, detailed destruction parameters, and specific disclosures to include in online privacy policies.

In addition to state laws, depending on the type of PII collected and the nature of the nonprofit’s business, an organization may also be subject to data privacy and security requirements of various federal laws and regulations (HIPAA, FERPA, GLBA, and more).

Nonprofits can benefit from implementing a basic information privacy and security program, including a WISP, a website privacy notice, and an internal employee policy describing the entity’s requirements for processing and sharing PII.  If the authorities come knocking or consumers file lawsuits after a security breach, having these basic documents in place can go a long way toward insuring your entity from liability.

For further information, please feel free to contact Deborah Shinbein at deb@datalawgroup.com or visit www.datalawgroup.com.