By Deborah Shinbein, CIPP/US
Data Law Group, P.C.
This article is the second in a series describing different privacy and security considerations that apply to nonprofit organizations. For Part I of the series, click here.
It is an unfortunate fact that many nonprofit organizations will experience a data security breach at some point. If it can happen to large companies with significant investments in data security, such as AOL and Target, it can certainly happen to nonprofit organizations with limited budgets. Nonprofits with extensive databases of donor or grant recipient information (potentially including financial account data or social security numbers) may, unfortunately, be easy targets for malicious data thieves. In order to prepare, there are a few steps every organization should take before a breach occurs, keeping in mind that breaches may trigger the differing notification laws and obligations of 47 states and the District of Columbia.
Step 1
First, it is important to understand the various types of security breaches in order to anticipate how they may occur. The most common types of security breaches include:
- Internal breach: an employee or contractor may use data in a manner not permitted, may disclose data to third parties without authorization (whether intentionally or not) or may maliciously steal data with the intention of using it for illegal purposes.
- Loss of hardware or data: loss of a laptop or mobile device containing personal information is a common occurrence.
- Malicious breach: third parties with malicious intentions can hack into unsecure systems through various means, whether into a network, a server, or an individual computer or database. This may sometimes occur by means of a virus or other online attack, such as the recent “Heartbleed” bug.
- Lack of precautions: unfortunately, companies often fail to take reasonable precautions to protect their data, and what may seem like a small oversight at the time, can easily lead to a breach via any of the above means, or others.
Step 2
Companies should take reasonable steps to evaluate the data they have, who has access to the data, what are the risks of potential breaches, and ensure they have a reasonable level of security in place.
Step 3
Before a breach occurs, have a response plan in place specifying what should be done if a breach of any type does occur. The plan should include the following:
- Contact information for individuals within the company to be notified in the event of a breach (senior executives, head of security, IT personnel, legal, PR, etc.);
- Contact information for a data forensics specialist (to evaluate the nature of the breach and attempt to determine whether it is possible to find the source of the breach, the potential culprit, and the data impacted);
- List of specific steps to take if a breach is suspected (e.g. terminate outside access to the network, remotely disable stolen hardware, etc., depending on the type of breach);
- Analysis of which state notification laws will be triggered, based on states from which personal information is collected, and the definition of personal information triggering notification laws in the various states (note that there are currently 46 different state notification laws, with different requirements);
- List of which law enforcement or government agencies must be notified pursuant to applicable state laws or industry requirements;
- Form notification letters prepared in accordance with applicable state laws, so the organization can merely input the details of the breach and send the letters pursuant to the timing requirements of various states;
- Pre-negotiated rates for consumer fraud protection services if the entity wishes to offer this service to impacted consumers (it is difficult to negotiate this in the aftermath of a breach when the service may be urgently needed); and
- List of third parties or vendors to be notified if applicable.
It is important to review your organization’s breach response plan on an annual basis to evaluate whether the organization began to collect different types of information, or collect data from subjects in different states, such that different notification laws would be triggered.
For further information, please feel free to contact Deborah Shinbein at deb@datalawgroup.com or visit www.datalawgroup.com.