Top Five Privacy and Data Security Issues for Nonprofit Organizations

Similar documents
Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

Accelerate GDPR compliance with the Microsoft Cloud

Cyber Risks in the Boardroom Conference

Overview of Key E.U. and U.S. Privacy and Cybersecurity Laws. Brett Lockwood Smith, Gambrell & Russell, LLP May 15, 2018

Merchant Guide to PCI DSS

NYDFS Cybersecurity Regulations

The Devil is in the Details: The Secrets to Complying with PCI Requirements. Michelle Kaiser Bray Faegre Baker Daniels

The HIPAA Omnibus Rule

Data Compromise Notice Procedure Summary and Guide

PCI compliance the what and the why Executing through excellence

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

An Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

GDPR- the new General Data Protection Regulations. Staff PDM- 2 nd May 2018

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?

The Honest Advantage

3 rd Party Certification of Compliance with MA: 201 CMR 17.00

New Data Protection Laws

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Integrating Information Security Protections In Supplier Agreements: Guidance for Business and Technology Counsel

Data Protection in Switzerland Update Following the Safe Harbor Decision. 21 October 2015 / 6 February 2016 Christian Wyss

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

Data Processing Agreement for Oracle Cloud Services

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

PCI DSS 3.2 AWARENESS NOVEMBER 2017

PCI COMPLIANCE IS NO LONGER OPTIONAL

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

STATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union)

Cybersecurity in Higher Ed

The Postal Service s Financial Crisis: What It Means for Nonprofit Mailers

Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014

Employee Security Awareness Training Program

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

The Impact of Cybersecurity, Data Privacy and Social Media

HIMSS 15 Doing Better Business in the Era of Data Security and Privacy

FinFit will request and collect information in order to determine whether you qualify for FinFit Loans*.

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Credit Card Data Compromise: Incident Response Plan

Managing Cybersecurity Risk

I GOT ROBBED! HOW NYS AND THE US SHOULD PROTECT YOUR DATA ONLINE

What to do if your business is the victim of a data or security breach?

THE CCPA AND PREPARING FOR STATE PRIVACY LEGISLATION. Nathan Taylor Morrison & Foerster LLP

Data Processing Agreement

IBM Managed Security Services - Vulnerability Scanning

Legal Considerations and Case Studies

Frequently Asked Question Regarding 201 CMR 17.00

FAQs. The Worldpay PCI Program. Help protect your business and your customers from data theft

Putting It All Together:

VERSION 1.3 MAY 1, 2018 SNOWFLY PRIVACY POLICY SNOWFLY PERFORMANCE INC. P.O. BOX 95254, SOUTH JORDAN, UT

EXECUTIVE SUMMARY JUNE 2016 Multifamily and Cybersecurity: The Threat Landscape and Best Practices

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

2017 RIMS CYBER SURVEY

Jeff Wilbur VP Marketing Iconix

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

MOBILE.NET PRIVACY POLICY

Dealing with the Reality of a Privacy Breach: Civil Litigation, Regulatory Response, and Minimizing Your Risks

Subject: University Information Technology Resource Security Policy: OUTDATED

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

Mastering Data Privacy, Social Media, & Cyber Law

01.0 Policy Responsibilities and Oversight

Incident Policy Version 01, April 2, 2008 Provided by: CSRSI

Data Security: Public Contracts and the Cloud

MNsure Privacy Program Strategic Plan FY

What is HIPPA/PCI? Understanding HIPAA. Understanding PCI DSS

UWTSD Group Data Protection Policy

Magento GDPR Frequently Asked Questions

Upcoming PIPEDA Changes What is changing and what to do about it

PCI Compliance: It's Required, and It's Good for Your Business

2016 Data Protection & Breach Readiness Webinar Will Start Shortly. please download the guide at

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

Red Flags/Identity Theft Prevention Policy: Purpose

ISACA Kansas City Chapter PCI Data Security Standard v2.0 Overview

Subject: Kier Group plc Data Protection Policy

Higher Education Privacy Update

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

Integrating HIPAA into Your Managed Care Compliance Program

PRC Cyber Security Law --- How does it affect a UK business? Xun Yang Of Counsel, Commercial IP and Technology

Data Breach Notification: what EU law means for your information security strategy

Data Security and Privacy at Handshake

AuthAnvil for Retail IT. Exploring how AuthAnvil helps to reach compliance objectives

Credit Union Service Organization Compliance

U.S. Private-sector Privacy Certification

Oracle Data Cloud ( ODC ) Inbound Security Policies

City of Portland Audit: Follow-Up on Compliance with Payment Card Industry Data Security Standard BY ALEXANDRA FERCAK SENIOR MANAGEMENT AUDITOR

Information Security Strategy

General Data Protection Regulation (GDPR)

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Red Flags Program. Purpose

The State of Privacy in Washington State. August 16, 2016 Alex Alben Chief Privacy Officer Washington

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

How PayPal can help colleges and universities reduce PCI DSS compliance scope. Prepared by PayPal and Sikich LLP.

Why you MUST protect your customer data

Automotive Privacy. A discussion of privacy and security legal compliance for the automotive industry

PCI Compliance. What is it? Who uses it? Why is it important?

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

Revision History. Revision # Date Author Sections Altered Rev 1.0 2/15/15 Ben Price New Document

Establish and Maintain Secure Cardholder Data with IBM Payment Card Industry Solutions

SECURITY STATE OF THE INDUSTRY

DeMystifying Data Breaches and Information Security Compliance

Transcription:

Top Five Privacy and Data Security Issues for Nonprofit Organizations Julia K. Tama, Esq. Jeffrey S. Tenenbaum, Esq. Association of Corporate Counsel Nonprofit Organizations Committee Legal Quick Hit MAY 10, 2011 2008 Venable LLP 1

What Personal Information Do You Collect? Computerized or paper Collected from or about individuals Clients, donors, supporters, members, volunteers, employees Common types of data: Names and contact information Payment card information Social security or driver s license 2

Liability and Other Risks Federal laws sector specific State unfair or deceptive acts or practices laws Modeled on Federal Trade Commission Act Enforced by state attorneys general Private rights of action Reputational risks Consumers are concerned about privacy and security Potential for loss of public trust 3

Top Five Privacy and Data Security Issues Privacy policies Maintaining data security Preparing for the possibility of a breach Data-sharing and working with vendors Sensitive data 4

Privacy Policies: Basics Privacy policies = promises to the public Generally available when data is collected May apply to specific data collection streams website, paper forms, etc. Must not be deceptive Promises travel with the data 5

Privacy Policies: Common Elements Scope of the policy What data you collect How you use data How you share data Individual choices or access rights (if any) Contact information Effective date 6

Privacy Policies: Common Pitfalls Forgetting to follow the policy Exposure to liability for deception Promising too much Avoid: We will never share your information with anyone. Instead: No promise or We may share data for purposes [such as] (e.g. if nonprofit becomes part of another organization) Updates: material changes should not be applied to data already collected, without notice and choice 7

Data Security: Duties and Guidance Privacy policies Massachusetts regulations (MA-201) If data collected on MA resident Breach notification laws May provide safe harbor for encryption or other protections Payment Card Industry Data Security Standards Enforcement precedents 8

Data Security Program: Process Identify responsible manager Assess risks and vulnerabilities Develop and implement data security program Train and discipline employees Re-assess and update regularly 9

Data Security Program: Contents Proportional to: Data handled Size and nature of organization Safeguards covering lifecycle of data Administrative Technical Physical Employee policies Oversight of third parties 10

Preparing for Possible Data Breach Data breach can take many forms How to prepare: Establish written incident response plan Train all employees to identify and report Designate employees to respond Know where to get help Learn from experience 11

Incident Response Plan Proportional to organization s needs Assign responsibilities Secure the system Assess legal obligations (notification laws) Public and client relations Afterward: Improve data security Improve incident response plan 12

Data Breach Notification Laws Almost all states have data breach notification laws, which may apply to nonprofits Comply with laws of state with affected individuals, not where organization is located Even if law applies, not all incidents require notification Exceptions and safe harbors, such as encryption 13

If Notification Is Required Generally, burden on owner or licensor of data Notice provided to: Individuals State authorities Credit reporting agencies Required content, method, deadlines 14

Data Sharing: Sales or Rentals In accord with privacy policy and other promises Privacy promises travel with data Consider offering individual choice Usually opt-out When obtaining data, the same considerations apply to your data supplier 15

Data Sharing: Vendors and Service Providers In accord with privacy policy and other promises Contracting considerations: Restrictions on use/disclosure of data Reps and warranties of compliance with privacy and security obligations Can assign breach notification duties Adequate supervision Cloud computing: pros and cons 16

Sensitive Data Additional federal or state obligations may apply Examples of sensitive data: Financial Payment card Health Children Social Security numbers Other data, depending on context 17

Payment Card Data Payment Card Industry Data Security Standards (PCI DSS) 12 security standards created by the credit card industry Practices and policies to protect accountholder data Implementation Compliance steps depend on card processing volume Qualified Security Assessors (QSAs) can assist Information security policy is required Service providers should be PCI DSS compliant Enforcement Credit card brands require merchant banks to enforce compliance by their clients Fines imposed on banks can be passed on to organizations States, including Minnesota, have recently enacted statutory requirements similar to PCI DSS 18

Contact Information Julia K. Tama, Attorney jktama@venable.com t 202.344.4738 Jeffrey S. Tenenbaum, Partner jstenenbaum@venable.com t 202.344.8138 www.venable.com/nonprofits/publications www.venable.com 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback