Nonprofit Cybersecurity: Donors, Data, and WISPs
“It’s not a question of if you’re going to get hacked — it’s when you’re going to get hacked.”
– Verizon CEO Lowell McAdam [1]
Online operations may now be the norm for many nonprofits, but they come with security risks that warrant careful attention. In May of 2017, “WannaCry,” a computer “ransomware” attack, locked up over 200,000 computer systems world-wide. The attacks demanded payment in exchange for return of the locked-up data. In September of 2017, the credit bureau Equifax revealed that it had been hacked, putting over 140 million Americans’ personal information at risk.
While such cyberattacks seemingly occur indiscriminately, many medium-sized and smaller nonprofits can become preferred targets because of their typically weaker security protocols. Hackers use information gleaned in attacks on smaller organizations to fuel large-scale, robust corporate attacks. More than ever, nonprofits are strongly advised to develop protective measures commonly known as “Written Information Security Programs” (WISPs), to help safeguard valuable data like donor information and other sensitive materials.
I. THE BASICS: WHAT’S A WISP?
A WISP is a systematic set of protocols, security measures, and policies that seek to protect confidential and restricted data maintained by an organization. Through a WISP’s careful development and implementation, a nonprofit safeguards data integrity, reduces its exposure to data breaches, and charts a clear path for corrective action if a breach occurs. Responsible nonprofit leaders can develop a WISP by identifying goals for information security, the types of information to protect, and persons responsible for carrying out protective measures. They can then approve a WISP with online privacy and usage policies specific to the organization and compliant with applicable privacy protection and data-breach responsive requirements.
II. THE LEGAL LANDSCAPE: WHY A WISP?
Effective nonprofits increasingly rely on the benefits of contemporary technologies. A nonprofit’s operations often depend on its effective use of computers, cloud-based networks, systems, and applications, websites, social media, networking devices, routers, cell phones, USB flash drives, portable external hard drives, or other information technology that it owns, licenses, or leases.
In its use of technology, a nonprofit is often a custodian of information: it regularly receives, stores, processes, and transmits information – both inside and outside the organization. As a custodian, the nonprofit is subject to various federal and state laws that impose obligations on the nonprofit’s handling of information.
A. State Laws
The Internet’s global nature blurs jurisdictional lines when it comes to the laws governing the online processing of information. Nonprofits often reach into numerous states through their emails, newsletters and fund raising efforts, and websites. Organizations that receive, process, store, or transmit users’ personally identifiable information are subject to state statutes that are designed to protect such user information.
- Privacy Laws. Many states require that organizations inform users of the organization’s website of how website information will be used by the organization. For example, The California Online Privacy Protection Act (CalOPPA) applies to any website that collects personally identifiable information from California consumers, and “personally identifiable information” under CalOPPA is defined broadly. Under CalOPPA, a website operator reaching California residents is obligated to “conspicuously post its privacy policy.” These privacy policies must address the following areas:
- Categories of personal information collected and third parties with whom it is shared;
- Processes to request changes to any personal information, if applicable;
- Description of how notice of changes to the privacy policy is given;
- The policy’s effective date;
- How the site responds to “do not track” signals from web browsers; and
- Whether other parties may collect personally identifiable information about an individual consumer’s online activities.
An operator violates the statute if the privacy policy does not contain all the required elements, or if the operator fails to comply with the provisions of its posted privacy policy, either knowingly and willfully, or negligently and materially. Organizations are further required to utilize “reasonable precautions and security measures”[2] to protect personal information.
- Data Protection. Other states have specific requirements for the protection of personally identifiable information, such as encrypted storage and transmission of data. If a nonprofit receives charitable contributions online using debit or credit cards, it must generally comply with Payment Card Industry Data Security Standards (“PCI DSS”). An increasing number of state statutes are mandating PCI DSS compliance. New Hampshire, for example requires such compliance.
- Data Breach Reporting. Furthermore, most states have specific reporting requirements for organizations that are victims of a data breach, like the data breach that occurred at Equifax. Hacked organizations must not only notify individuals who have had their personal information compromised, they must also notify designated governmental agencies and authorities. The timing, content, and extent of hack-related disclosures varies by state. Florida, for example requires that entities notify the state’s Department of Legal Affairs of data security breaches, and notify individuals of data security breaches under certain circumstances.
B. Federal Law
Current federal law presents an amalgam of legal requirements. As one commentator observed, “In the US, there is no single, comprehensive federal (national) law regulating the collection and use of personal data. Instead, the US has a patchwork system of federal and state laws and regulations that can sometimes overlap, dovetail and contradict one another.”[3] The federal government enforces multiple statutes to address technology usage, information security, and the privacy of personal information. Key federal laws that substantially impact many nonprofits’ internet use include CAN SPAM, HIPAA, and COPPPA.
- CAN SPAM. The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN SPAM”) governs the use of commercial email, and provides rules for commercial messages. Under CAN SPAM, email recipients have the right to stop emailers from sending unwanted commercial emails. The Act further provides tough penalties for violations. Nonprofits soliciting charitable contributions via email must be mindful of federal CAN SPAM requirements, in addition to the state-level requirements affecting email solicitations enforced by the states’ attorneys’ general. Under CAN SPAM, nonprofits may not use deceptive or misleading subject lines in their emails, they must identify the message as an ad or solicitation, they must provide opt-out procedures, as well as numerous other requirements.
- HIPAA. Nonprofit organizations that handle or management medical information are generally subject to The Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. §1301 et seq.). HIPPA provides for heightened security and data handling protocols for such information.
- COPPA. The Children’s Online Privacy Protection Act (“COPPA”) U.S.C.A. §§ 6501 et seq. was enacted to addresses the priority of protecting children’s privacy on the Internet. COPPA makes it unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates very strict rules governing the collection and use of such information. Website operators that collect personal information from children in a manner inconsistent with the statute can face substantial liability. Website operators can mitigate their legal risk under COPPA through robust online privacy policies with disclosures concerning the use of personal information, made in good faith and following reasonable procedures in responding to a request for disclosure of personal information to the parent of a child.
III. GETTING SPECIFIC: WHAT’S IN A WISP?
A Written Information Security Program can be adapted from standard protocols for an organization’s specific needs. A well developed WISP will incorporate multiple integrated provisions designed to ensure the security, confidentiality, integrity, and availability of the sensitive information a nonprofit organization collects, creates, uses, and maintains. To that end, a nonprofit’s WISP should include the following.
A. Scope and Purpose
An organization’s WISP should carefully set forth the organization’s objectives in information security, and describe the types of information the organization seeks to steward under the WISP. The program should consider both the nature of the information provided (names, addresses, social security numbers), and the source of the information (donors, employees, contractors). The nature and source of sensitive information will likely impact what security protocols the organization utilizes to protect it.
B. Security Responsibilities
A WISP should identify the organization’s Information Security Coordinator – that is, an employee, volunteer, committee, or department responsible for implementing the organization’s information security policies and procedures. The Information Security Coordinator will be on point for ensuring that the organization follows its WISP, and will oversee reporting for both compliance and non-compliance or breach-related issues.
C. Website and Online Privacy
As discussed above, nonprofits are subject to a variety of state and federal laws regulating the use of personally identifiable information obtained through websites. WISPs should include a well-drafted online privacy policy to ensure that the organization on both adheres to these usage laws, and notifies website visitors of the ways in which their data will be used.
D. Record Retention and Document Destruction
In July 2002, Congress passed the Sarbanes-Oxley Act (“SOX”). SOX, which created significant reporting and record-keeping obligations for both public and privately held companies, also contains provisions affecting nonprofit organizations as well. In 18 U.S.C.A. § 1519, SOX makes it a crime for anyone (nonprofit organizations and their personnel included) to intentionally destroy, alter, mutilate, conceal, cover up, or make a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11 of the Bankruptcy code.
A nonprofit’s WISP should establish record retention and destruction protocols that are in keeping with SOX that further protects the organization during the discovery phase of other civil litigation that may affect the organization, and that otherwise address broader considerations for record retention (e.g., electronic storage as standard, access to records). Generally speaking, an organization should establish a retention policy that ensures it retains only those records it must retain, and otherwise establishes a systematic approach to destroying records whose useful life has expired.
E. Data Breach Contingencies
Nonprofits should incorporate data-breach protocols in their WISPs because hackers attack indiscriminately, and nonprofits are not immune to such attacks. When the worst happens, and a nonprofit’s sensitive data are compromised either through a hack or user error, a data breach policy guides the organization to help it meet its state and federal reporting and recovery obligations. Furthermore, in the event of a breech, advance preparation of a data breach policy within a comprehensive WISP demonstrates diligence by a nonprofit’s directors to safeguard the organization’s valuable information assets with which they have been entrusted.
IV. IN THE END, WISPS SAFEGUARD NONPROFITS
For nonprofits operating online, the time is ripe for WISPs. A WISP may be developed using established protocols, adapted for each nonprofit’s specific goals and usage aspects. That’s not hard overall, but of utmost importance for guarding against disclosure risks. A WISP will also educate employees and volunteers, keep nonprofit leaders aware of their obligations under diverse state and federal laws, and empower them for compliance. Through such protective measures in the background of a nonprofit’s operations, it may better focus on the forefront of carrying out its tax-exempt mission.
[1] http://www.businessinsider.com/verizon-ceo-lowell-mcadam-on-1-billion-di….
[2] Cal. Civil Code 1798.81.5(b).
[3] Ieuan Jolly, Loeb & Loeb, Westlaw, Data protection in the United States: overview, Practical Law Country Q&A 6-502-0467