Managers at nonprofits across the U.S. collect and store — in filing cabinets, networked servers and in rented “cloud” space — vast amounts of personal information. If you believe that the work of foreign hackers represents the greatest threat to the confidential information your nonprofit collects, you might be overlooking threats that are far closer to home.
Despite the increasing frequency of data breaches affecting public, private and nonprofit organizations, most nonprofit leaders admit knowing too little about the risks and consequences of failing to adequately protect personal information collected from employees, volunteers, clients and donors.
Here are common business activities that can lead to a data breach and potential liability for a nonprofit:
Conducting e-commerce on your website, especially collecting credit card data and processing payments online;
Storing and transferring personal employee, client or donor data — for both virtual data and paper records (e.g., sending sensitive data via email or storing sensitive data in the cloud; storing paper records in unprotected filing cabinets that anyone could access);
Storing personal information on laptops or smartphones;
Allowing partners and/or vendors to access personal information without proper safeguards; and,
Storing personal information on cloud servers or systems.
While it’s true that cybercrimes such as hacking, insertion of malicious code into a data system, or the purposeful loss and destruction of data are a valid concern for nonprofit leaders, it’s important to recognize that unintentional privacy breaches can be just as costly.
A simple example is permitting personal information to be stored on a laptop or smartphone. The device — and all the vital data on it — could be damaged, lost forever, or it could even fall into the wrong hands. In some states, the mere loss of the device with personally identifiable information is a breach under the law and triggers reporting responsibility, such as the duty to notify the people whose data was lost.
Knowing what constitutes personally identifiable information under the law is the starting point for understanding the duty to guard personal information. Data found in telephone books is not protected under the law. Therefore, the loss of a paper or electronic file containing donor names and addresses probably doesn’t constitute a breach or trigger state law notification requirements.
For example, in Illinois the definition of “personal information” contained in the Personal Information Protection Act (815 ILCS 530) is “…an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
Social Security number;
Driver’s license number;
State identification card number; and,
Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.”
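As an added illustration, not part of the original article, the quoted Illinois definition can be expressed as a check that a data-inventory script runs over stored records to find the ones whose loss would count as a breach: a name must be present together with at least one enumerated element, and the exemption applies only when both the name and that element are encrypted or redacted. The field names, the `Record` type and the sample records below are this example's own assumptions, and the sample values are constructed.

```python
from dataclasses import dataclass, field

# Data elements enumerated in the Illinois definition quoted above (815 ILCS 530).
# The field names are this example's own choice, not statutory terms.
NAME_FIELDS = {"first_name", "first_initial", "last_name"}
DATA_ELEMENTS = {
    "ssn",              # Social Security number
    "drivers_license",  # Driver's license number
    "state_id",         # State identification card number
    "account_number",   # Account, credit or debit card number
}


@dataclass
class Record:
    """One stored record: field name -> value, plus the names of the fields that
    are stored encrypted or redacted (the basis of the statute's exemption)."""
    fields: dict
    protected: set = field(default_factory=set)

    def has(self, name):
        return bool(self.fields.get(name))

    def in_clear(self, name):
        # Present and neither encrypted nor redacted
        return self.has(name) and name not in self.protected


def has_name(rec):
    # "first name or first initial and last name"
    return rec.has("last_name") and (rec.has("first_name") or rec.has("first_initial"))


def triggering_elements(rec):
    """Return the data elements that make this record 'personal information':
    a name is present, the element is present, and the name or the element
    (or both) is held unencrypted and unredacted."""
    if not has_name(rec):
        return set()
    name_clear = any(rec.in_clear(f) for f in NAME_FIELDS)
    return {e for e in DATA_ELEMENTS if rec.has(e) and (name_clear or rec.in_clear(e))}


def is_personal_information(rec):
    return bool(triggering_elements(rec))


def records_needing_review(records):
    """Indexes of the records whose loss would be a breach under the quoted definition."""
    return [i for i, r in enumerate(records) if is_personal_information(r)]


# Constructed sample records (placeholder values, not real data).
SAMPLE = [
    # 0: donor mailing list, name and address only: "telephone book" data, not covered
    Record({"first_name": "Ann", "last_name": "Lee", "address": "1 Main St"}),
    # 1: payroll record with the SSN in the clear: covered
    Record({"first_name": "Ann", "last_name": "Lee", "ssn": "000-00-0000"}),
    # 2: the same record with both the name and the SSN encrypted: exempt
    Record({"first_name": "Ann", "last_name": "Lee", "ssn": "000-00-0000"},
           protected={"first_name", "last_name", "ssn"}),
    # 3: encrypted name but driver's license number in the clear: still covered
    Record({"first_initial": "A", "last_name": "Lee", "drivers_license": "L000-0000-0000"},
           protected={"first_initial", "last_name"}),
    # 4: card number with no name attached: not covered by this definition
    Record({"account_number": "4111111111111111"}),
]

if __name__ == "__main__":
    for i in records_needing_review(SAMPLE):
        print(f"record {i}: personal information via {sorted(triggering_elements(SAMPLE[i]))}")
```

Run against the sample, records 1 and 3 are flagged; record 2 shows why encrypting only one side of the pairing is not enough, since the exemption needs both the name and the element protected.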
Data management and security standards are becoming increasingly complex as data constantly moves between multiple devices and storage sites. Various federal and state privacy regulations require that for-profit and nonprofit businesses protect personally identifiable information (PII) no matter where it resides: on a network; on stand-alone systems such as billing, medical, and marketing databases; on remote devices such as laptops or employee-owned cell phones; and of course on paper.
Additionally, there are data protection standards for specific industries or specific business practices, such as the PCI Security Standards Council’s Payment Card Industry Data Security Standard. This standard requires organizations to enact information security best-practices if the organization handles major credit cards such as Visa and MasterCard. Failure to comply with these standards can result in enormous fines. Similarly, you might be familiar with federal data security regulations such as the Health Insurance Portability and Accountability Act (HIPAA) if your nonprofit handles protected health information (PHI).
According to the National Conference of State Legislatures, 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted laws that require organizations to notify individuals of security breaches of information involving personally identifiable information. Each of these laws generally has four key components:
Who must comply;
What constitutes “personal information;”
What constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and,
Whether there are exemptions. The most common exemption is for encrypted information.
For more information on data security and liability issues for nonprofits, go to www.nonprofitrisk.org
Erin Gloeckner is project manager and Melanie Lockwood Herman is executive director at the Nonprofit Risk Management Center. They welcome your questions about data privacy risks. Their emails are Erin@nonprofitrisk.org or Melanie@nonprofitrisk.org