As data breaches affecting the public continue to increase, it is important for every public, private and nonprofit organization to take every reasonable precaution to keep personally identifiable information safe. For nonprofits this includes information collected from employees, volunteers, clients and donors.
Nonprofits conduct several routine business activities that can lead to a data breach, yet most nonprofit leaders admit they know very little about the risks and consequences of collecting this information. Such activities include collecting credit card information and processing payments online; storing or transferring employee, client or donor data (electronic and paper records); storing personal information on laptops or smartphones; allowing partners or vendors to access personal information without proper safeguards; and storing personal information on cloud servers or similar systems.
Unintentional privacy breaches can be just as costly to an organization as the deliberate theft or destruction of data, so it is important for a nonprofit to understand its liability. According to the National Conference of State Legislatures, 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted laws that require organizations to notify individuals of security breaches involving personally identifiable information. Knowing what constitutes personally identifiable information under the law is the first step toward understanding a nonprofit’s responsibility if a breach should occur.
For example, information that is already public, such as a listing in a telephone book, is not protected under these laws. Loss of a paper or electronic record containing only donor names and addresses would be unlikely to trigger a state-mandated breach notification. Records containing a first or last name, or initials, combined with a social security number; a driver’s license number; a state identification card number; or an account, credit or debit card number would, under these laws, call for notification of a breach. The practical lesson is that the combination of data elements in a record, not any single field on its own, is what determines whether a loss becomes a reportable breach.
Since for-profit and nonprofit organizations move and store data in many different ways, federal and state privacy regulations require that personally identifiable information be protected no matter where it resides. Networks; billing, medical and marketing databases; remote devices; and paper files must all be protected. Separately from these laws, the Payment Card Industry Data Security Standard (PCI DSS), an industry standard enforced through the card brands and acquiring banks rather than a statute, requires any organization that handles major credit cards such as Visa and MasterCard to follow a defined set of information security controls. Failure to comply with these standards can result in hefty fines.
While technology has made us a more effective society in many ways, it has also made us more vulnerable in others. It is important that organizations and individuals alike understand the risks and take precautions to protect themselves and each other.
(Compiled from A Nonprofit’s Cyber Liability And Data Privacy, The NonProfit Times)