It’s the time of year when we set goals for self-improvement and make our New Year’s resolutions. One resolution I suggest that nonprofit executives include is the improvement of data privacy practices. As reported by the Identity Theft Resource Center and CyberScout, 2019 saw the total number of data breaches increase 17% over 2018. The 2019 reporting year also saw a return to the pattern of the ever-increasing number of breaches and volume of records exposed.
As most organizations continue to have a significant portion of their workforce work remotely, 2020 will likely show a significant uptick in unauthorized access to personal information. Additionally, the average cost for each lost or stolen record containing sensitive and confidential information increased by 4.8 percent year over year to $148. Such financial repercussions as well as the risk of incurring reputational harm that could follow unauthorized access of customer data, indicate that privacy and cyber security should be a top concern.
Nonprofit organizations hold a variety of personal information on behalf of their constituents and employees, and it is incumbent upon them to safeguard that information. The fact is, that with each passing year, the number of data breaches grows, and the related financial cost and reputational harm along with it. Additionally, the regulatory landscape is becoming more complex, requiring organizations to comply with an increasing number of requirements or face penalties.
Due to the continued need to protect information, New York State enacted Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) on March 21 of 2020. This new law applies to any organization that receives or collects private information about New York residents through the Internet, and requires, among things that your organization. The Act requires specific actions and imposes a variety of obligations, and significant fines may be levied for non-compliance. Among other requirements, to meet the SHIELD Act requirements organizations must:
- conduct a risk assessment of its cybersecurity program;
- properly vet all third-party service providers to ensure they can comply with the NY SHIELD Act, and include in its contracts specific provisions related to cybersecurity practices;
- have policies and procedures related to the deletion and/ or disposal of data within a reasonable amount of time after it is no longer needed for business purposes;
- develop and implement a written incident/data breach response plan so that you can comply swiftly and completely with the Acts reporting requirements (or face potentially harsh penalties); and
- designate a “point person” to coordinate your data-security program to meet compliance.
The good news is that conducting a privacy audit can significantly reduce potential “data incidents” and minimize the related risks. It is also a big step to achieving SHIELD compliance. A privacy audit is essentially a process to identify, across the organization (and chapters), the types of personal information collected, the ways in which it is protected, and with whom such information is shared.
The following risk assessment methodology is a good place to start.
• Inventory Locate the places in the organization (and vendors operating on its behalf) that house/store Personally Identifying Information (“PII”), identifying both electronic files/databases and physical files
• Safeguards Assess the safeguards in place – including the physical, administrative and technical controls – and whether they are adequate and reasonable considering the type of PII being stored (SSN vs. email address for example might have different levels of protection).
• Gaps Determine the compliance gap – essentially the difference between that what it should be doing, and the organizations actual practices.
• Risk Assessment For most organizations there will be a number of gaps. As a first step, for the PII held in various locations and with various vendors, assess the risk of non-compliance, determine the impact of non-compliance and likelihood of risk occurrence, and use this to help prioritize compliance efforts.
• Remediation Depending upon the finding/conclusions in the previous steps, remediation should be a joint effort among various members of the organization to address and remedy any identified shortfalls/gaps.
As organizations look to identify material risks and implement processes and procedures to protect their data and hence their missions – data privacy and cyber security will no doubt continue to be a critical concern. Now is the right time to conduct a privacy audit.