Data Privacy: What your nonprofit needs to know. Donna Balaguer and Ed Lavergne Washington, D.C. February 5, 2015




Overview
- Data privacy versus data security
- Privacy policies and best practices
- Data security requirements and best practices
- Preparing for and responding to a data security breach

Data Privacy vs. Data Security
Data Privacy: Refers to the manner in which data entrusted to your organization is used. The agreed-upon uses of data are generally set forth in an organization's external privacy policy.
Data Security: Refers to the practices and procedures your organization adopts to protect data in your care from unauthorized access. Data security practices and procedures are generally set forth in an organization's internal data security plan.

Privacy Policies
Privacy policies required in California.

Privacy Best Practices
Privacy by Design: Build in privacy protections at the inception of new websites, new charitable solicitation materials, etc. Individuals have a legitimate interest in controlling the collection, use, disclosure, and dissemination of their personal information.

Privacy Best Practices
Privacy Notices: Make privacy notices clearer, shorter, and more standardized. Personal data generally can be used for the following purposes without offering consumer choice, because such use is widely expected:
1. Product and service fulfillment
2. Internal operations
3. Fraud prevention
4. Legal compliance
5. First-party marketing

Privacy Best Practices
Simplified Choice: Give consumers the ability to make decisions about the use of their personal data at a meaningful moment and in a meaningful context. Examples:
- "By checking this box, I give you permission to share my email and postal address with your marketing partners."
- "Yes, you may contact me at 703-555-1212 regarding future promotional offers."
- "I understand that while using this service, my physical location may be tracked for marketing purposes."

High Scrutiny Expected
Expect heightened scrutiny when your organization collects sensitive information:
1. Information about children
2. Financial information
3. Health information
4. Social Security number information
5. Geolocation
Also expect heightened scrutiny when your organization collects information about consumers with whom you do not have a direct ("first party") relationship, i.e., when consumers would not expect you to collect information about them.

Practical Privacy Recommendations
- Create a privacy policy and follow it to the letter.
- Keep the policy simple and offer clear choices.
- Don't use the policy to showcase anything: "We are 100% committed to protecting your privacy"; "We will do whatever it takes to protect your personal information"; "We use state of the art technology to protect your data."
- Give yourself sufficient flexibility. This is easier than later changing the policy to expand what you can do (e.g., sharing with third parties).
- Limit the personal information you collect and don't keep it longer than you need it.

Global Privacy Challenges
No Uniformity, No Global Solution

Data Security - Federal Law
There is no federal data security law of general applicability to business. Instead, there are sector-specific laws, such as:
- Gramm-Leach-Bliley Act (financial)
- HIPAA (medical and health records)
- Children's Online Privacy Protection Act (children under 13)
Individual states have adopted laws of general applicability to fill the void.

Data Security - State Laws
Data Disposal. Personal records must be disposed of in a manner that will prevent unauthorized access (FTC and many states).
Social Security Numbers. Disclosure of Social Security numbers must be restricted to prevent unauthorized access (many states).

Data Security - State Laws
Encryption. Some states prohibit electronic transmission of personal information unless it is encrypted.
Dealings with Third Parties. Reasonable security procedures must be required in contracts when personal information is shared with third parties (some states).
Written Plan. Massachusetts requires a comprehensive written plan to protect personal information.

Data Security Plan
Data Security Inventory:
- Identify what data is maintained, why the data is needed, how long the data is needed, where the data is located, and who has access and why.
- Identify internal risks (rogue employees, careless treatment, lost laptops, etc.) and external risks (hackers, physical security breach, etc.) to your data.
- Identify existing safeguards to control risks.
- Identify steps that can be taken to improve existing safeguards.

Elements of a Data Security Plan
Data Security Policy (Sample)
Collection and Access. Personal information should only be collected to the extent necessary for legitimate business purposes and should only be accessed by employees who need such information to perform their jobs.
Emails. Whenever highly-sensitive personal information is transmitted by email or other electronic means, the transmission should be encrypted through the use of a reputable encryption service. Highly-sensitive personal information should never be sent through normal email channels. Highly-sensitive personal information includes Social Security numbers, driver's license numbers, passport numbers, W-9s, W-4s, credit and debit card numbers, and financial account numbers.
Storage. All paper records that contain highly-sensitive personal information should be stored in a locked area (whether in the office or elsewhere). Highly-sensitive personal information that is stored on computers or portable devices should be encrypted through the use of complex passwords or other secure techniques.
Destruction. Personal information should be destroyed when no longer needed for business purposes. Paper records should be shredded. Old computers and portable storage devices should be wiped clean so that files are no longer recoverable. Deleting files using keyboard or mouse commands is not adequate.

Elements of a Data Security Plan
Data Security Policy (Sample), continued
Firewalls and Software. Employees must at all times maintain up-to-date firewall protection, software, and operating system security patches to secure the integrity of the personal information stored on all servers, computers, and other electronic devices.
Third Parties. All third-party service providers to whom we provide personal information must be contractually required to implement and maintain appropriate security measures.
Terminated Employees. When employees are terminated, they must immediately surrender to management all keys, FOBs, and other means of access to secure areas where personal information is stored. In addition, terminated employees must return all records, in paper and electronic form, that contain personal information maintained by, or on behalf of, the Company. All electronic passwords or other means of access to the Company's electronic systems must immediately be terminated.
Security Breach. Any employee who becomes aware of a security breach or suspected security breach that may compromise personal information should immediately notify the General Counsel.
The failure of any employee to adhere to this policy may lead to disciplinary action, including termination of employment.
By signing below, I acknowledge that I have read and agree to the terms of this Data Security Policy.
Employee's Signature: ________________ Date: ________

Training and Implementation
- Designate a data security coordinator responsible for oversight.
- Train personnel in data security protocols; monitor personnel for compliance.
- Review and revise data security protocols at least annually.

Personal Devices
- If Bring Your Own Device is allowed, implement a written policy.
- Employee negligence and misuse of data is a leading cause of breaches.
- Encrypt portable devices in case of loss/theft.
- Clarity in policy mitigates employee concerns regarding location tracking, employer access to social media and personal emails, monitoring of Internet browsing, etc.
- Include volunteers who will access personal information in policies and training.

Vendors
- Protect information downstream. Obligate vendors that will access the information you collect to maintain appropriate privacy practices and security measures.
- Hackers infiltrated Target through its HVAC vendor. Other examples: payroll company, insurance administrator, cloud provider, retirement plan administrator, etc.
- Require contractual remedies (indemnification, representations & warranties, etc.) for data breaches caused by your vendors.
- Make sure you know what contracts require of you in terms of specific privacy and security practices, e.g., the PCI Data Security Standard (PCI DSS) for credit cards.

Data Breaches in the News

State Breach Notification Laws
Nearly all states have adopted security breach notification laws. These laws usually require that prompt notice of a security breach be provided to:
- Affected persons
- Law enforcement
- Nationwide credit reporting agencies
Companies must manage a patchwork of state laws.
Source: Imation Corp. (2012). Note: KY has since adopted a notification law.

What is a Security Breach?
A security breach generally means unauthorized access to data that compromises the security, confidentiality, or integrity of personal information. Personal information generally means a person's name in combination with:
- Social Security number,
- Driver's license or state ID number, or
- Credit, debit, or financial account number, along with any necessary passwords.
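The following Python is an added example, not part of the presentation, that turns two of the rules above into checks a small organization could actually run: the sample policy's "Emails" rule that Social Security numbers and card numbers never travel through normal email channels, and this slide's definition of "personal information" (a name combined with one of the listed data elements), which decides whether an exposed record is the kind that triggers notification. The sample email and donor records are constructed; the SSN issuance rules and the Luhn check are standard, driver's license and passport formats are not pattern-matched because they vary too much, and the handling of account passwords is a modelling assumption noted in the code.

```python
import re
from dataclasses import dataclass

# --- Part 1: spotting highly-sensitive identifiers in outbound text ----------
# Only SSNs and payment card numbers are detected from free text; driver's
# license and passport formats vary too much to match reliably, so in Part 2
# those data elements come from labelled record fields instead.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues (area 000/666/900+, group 00, serial 0000)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test that every payment card number must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive_identifiers(text: str) -> list:
    """Return (kind, masked value) pairs; the masked form is safe to log."""
    hits = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            hits.append(("ssn", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def email_allowed(body: str) -> bool:
    """Policy rule: hold the message when any highly-sensitive identifier is present."""
    return not find_sensitive_identifiers(body)


# --- Part 2: does an exposed record meet the "personal information" definition? --
@dataclass
class ExposedRecord:
    name: str
    ssn: str = ""
    drivers_license: str = ""        # or state ID number
    account_number: str = ""         # credit, debit or financial account
    password_required: bool = False  # is a password needed to use the account?
    password_exposed: bool = False   # was that password in the compromised data?


def is_personal_information(rec: ExposedRecord) -> bool:
    """Name plus at least one data element, per the deck's general definition.

    Modelling assumption (not stated in the deck): an account number counts
    when no password is needed to use it, or when the needed password was
    also exposed.
    """
    if not rec.name.strip():
        return False
    if rec.ssn or rec.drivers_license:
        return True
    if rec.account_number:
        return (not rec.password_required) or rec.password_exposed
    return False


def notifiable_records(records: list) -> list:
    """Filter an exposed data set down to the records that meet the definition."""
    return [r for r in records if is_personal_information(r)]


# Constructed sample data (not real people or numbers) for a stand-alone run.
SAMPLE_EMAIL = ("Hi, my SSN is 123-45-6789 and my card is 4111 1111 1111 1111. "
                "Call me at 703-555-1212.")
SAMPLE_RECORDS = [
    ExposedRecord(name="A. Donor", ssn="123-45-6789"),
    ExposedRecord(name="B. Donor", account_number="1234567890", password_required=True),
    ExposedRecord(name="C. Donor", account_number="1234567890",
                  password_required=True, password_exposed=True),
    ExposedRecord(name="", ssn="987-65-4321"),  # no name: outside the definition
]

if __name__ == "__main__":
    print("email allowed:", email_allowed(SAMPLE_EMAIL))
    print("found:", find_sensitive_identifiers(SAMPLE_EMAIL))
    print("notifiable:", [r.name for r in notifiable_records(SAMPLE_RECORDS)])
```

The phone number in the sample email is deliberately left alone: it has ten digits, so it is neither a valid SSN shape nor long enough to be a card number, which is the kind of false positive a check like this has to avoid before it is wired in front of a mail server. The masked values are what you would log or show a user; the raw identifiers never leave the function.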

Frequent Misunderstandings
"State notification laws don't apply to us because..."
- "We don't collect personal information from our customers."
- "We are a small non-profit organization."
- "We are located in California and comply with CA law."

The Facts
These laws generally apply to personal information collected:
- by anyone (retail, manufacturing, accounting, law firms, schools, churches),
- about anyone (customers, employees, vendors, and financial donors),
- irrespective of physical location (the relevant question is whether the data was collected on a resident of a state).

Litigation Trends
- A large data breach triggers a class action suit almost immediately (especially if financial data is involved).
- Suits are grounded in state unfair business practice statutes, the Fair Credit Reporting Act, breach of contract (privacy policies), negligence, etc.
- Many cases are dismissed for lack of harm to plaintiffs. Possible future identity theft is not enough.
- But there are new attempts to show harm: LinkedIn customers would not have bought the premium service if they had known of lax security; Home Depot customers will lose time/money replacing their cards.

Breach Costs
- A rapid and definitive response to a breach affects the filing of suit and the outcome. Free credit monitoring decreases plaintiffs' harm.
- The average cost of a breach is $3.5 million (Ponemon Institute/IBM study).
- Stock drops, reputational harm, remediation costs (investigating the breach, legal, reissuing cards, credit monitoring, etc.).
- Nearly 50% of cases settle (especially for medical data breaches). Settlements often include requirements to improve security.

Key Take-Aways
- Review what you collect and what you do with the information. Different laws may apply depending on what information you collect (i.e., children, health, students, etc.).
- Implement a privacy policy. Don't copy one from the Web! Customize it to your own practices.
- Implement a data security plan. Include a plan to respond to data breaches.
- Implement a BYOD policy.
- Train staff on an ongoing basis.
- Review your vendor contracts.

For More Information
Ed Lavergne, CIPP/US, Certified Information Privacy Professional, Principal, Fish & Richardson P.C., 1425 K Street, N.W., Washington, D.C. 20005. Direct: 202-626-6359, lavergne@fr.com
Donna Balaguer, CIPP/US, Certified Information Privacy Professional, Principal, Fish & Richardson P.C., 1425 K Street, N.W., Washington, D.C. 20005. Direct: 202-626-7719, balaguer@fr.com