<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>cybersecurity Archives - Perlman &amp; Perlman</title>
	<atom:link href="https://perlmanandperlman.com/tag/cybersecurity/feed/" rel="self" type="application/rss+xml" />
	<link></link>
	<description>Providing Legal Counsel to the Philanthropic Sector for More Than Sixty Years</description>
	<lastBuildDate>Sat, 25 Feb 2023 15:11:47 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://perlmanandperlman.com/wp-content/uploads/2021/10/cropped-Perlman-amp-Perlman_avatar_1477336346-96x96-1-32x32.png</url>
	<title>cybersecurity Archives - Perlman &amp; Perlman</title>
	<link></link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Cyber Readiness &#8211; If it Ain’t Broke, You May Still Want to Fix It…</title>
		<link>https://perlmanandperlman.com/cyber-readiness-if-it-aint-broke-you-may-still-want-to-fix-it/</link>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Thu, 27 Jan 2022 19:21:06 +0000</pubDate>
				<category><![CDATA[Technology, Data Privacy & Cybersecurity]]></category>
		<category><![CDATA[cyber readiness]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data retention]]></category>
		<guid isPermaLink="false">https://perlmanandperlman.com/?p=9047</guid>

					<description><![CDATA[<p>The saying “if it ain’t broke don’t fix it” is widely attributed to T. Bert (Thomas Bertram) Lance, the Director of the Office of Management and Budget in President Jimmy Carter&#8217;s 1977 administration.  Lance’s aim was to save money by adopting a fiscal policy that focused on needed repairs.  Over time, this colloquialism has come to [&#8230;]</p>
<p>The post <a href="https://perlmanandperlman.com/cyber-readiness-if-it-aint-broke-you-may-still-want-to-fix-it/">Cyber Readiness &#8211; If it Ain’t Broke, You May Still Want to Fix It…</a> appeared first on <a href="https://perlmanandperlman.com">Perlman &amp; Perlman</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The saying “if it ain’t broke don’t fix it” is widely attributed to T. Bert (Thomas Bertram) Lance, Director of the Office of Management and Budget in President Jimmy Carter&#8217;s administration in 1977.  Lance’s aim was to save money by adopting a fiscal policy that focused on needed repairs.  Over time, this colloquialism has come to represent a pragmatic approach to “triaging” issues.  When it comes to cyber-security readiness, however, this approach is ill-advised.  Put another way, the fact that your organization has not experienced a security incident to date is no rationale for maintaining the status quo.</p>
<p>Data breaches are among the leading threats in today’s digital world; one widely cited estimate puts a new cyberattack at roughly every 39 seconds. <strong>Non-profit organizations are increasingly being targeted</strong> by cybercriminals, not only because of the wealth of data they possess, but because they often do not take the same precautions or devote the same resources as their for-profit counterparts.  In fact, small-to-medium-sized organizations are more likely to be targeted by hackers for that very reason.</p>
<p>The financial cost of managing a data breach is well documented.  A recent study estimated the average cost of a breach in 2021 at $4.24 million, a roughly 10% rise over the prior year’s figure.  Although less tangible, the potential loss of trust of the nonprofit’s donors, volunteers and the community can be significant. Such a loss is not only difficult to restore, it can also affect fundraising activities, volunteer engagement, and partnerships with other organizations for years to come.</p>
<p>For organizations seeking to decrease their cybersecurity vulnerabilities, a good first step is to obtain a comprehensive understanding of the current risk environment. For example, what kind of data does your organization collect, store, share and transmit?  Where and how is the data being stored, and who has access to it?  How does the organization transmit data? (Data transmission is often one of the most significant vulnerabilities: any time data is sent from one location to another, there is a risk of interception unless it is encrypted in transit.) During the COVID-19 pandemic, the risk of insecure data transfer has increased as more and more individuals have begun accessing critical data from personal mobile devices or using personal digital storage solutions.  Assessing these weak points can be achieved through a data-privacy audit, whose findings are then used to strengthen the organization’s cyber-readiness.</p>
<p>Additionally, organizations should consider implementing the following measures:</p>
<p><strong><em>Implement (Or Update) Organization-Wide Cybersecurity Policies</em></strong><br />
The first step in ensuring the security of an organization’s data is to have consistent, documented cybersecurity policies in place for all employees to follow.</p>
<p><strong><em>Provide Ongoing Cybersecurity Training</em></strong><br />
Next, all individuals within the organization who have access to secure data should receive annual cybersecurity training.</p>
<p><strong><em>Focus Your Cybersecurity Efforts/Reevaluate Third-Party Vendors</em></strong><br />
Focus on the security controls that would be most effective given your specific needs and resources. And as many breaches stem from the actions or omissions of third-party vendors that store an organization’s data, review the legal terms of all such agreements to make sure they contain appropriate terms and conditions to protect your organization (<em>read</em> <em><a href="/are-you-protected-five-points-to-include-in-every-technology-agreement/">Are You Protected? Five Points to Include in Every Technology Agreement</a>).</em></p>
<p><strong><em>Create A Data Retention and Deletion Policy</em></strong><br />
Most organizations collect more data than they need, and hold the data longer than necessary or practical.  The more data your organization stores, the greater the liability if a breach occurs.  It is imperative that organizations adopt a policy that dictates the types of data to be stored, and when/how that data is deleted when no longer relevant.</p>
<p><strong><em>Prepare for the Unexpected</em></strong><br />
Every organization needs a plan for what to do in case of a data breach. An incident response plan can help organizations comply with applicable laws and regulations, and launch a rapid and coordinated response that will mitigate the damaging consequences of a data breach.  On a side note, the recently enacted NY SHIELD Act requires organizations that collect private information from NY residents to have both a data retention and deletion policy and an incident response plan in place, among other requirements (<em>read</em> <em><a href="/shield-act-new-york-state-mind-privacy/">The SHIELD Act – A New York State of Mind … and Privacy</a>).</em></p>
<p>The post <a href="https://perlmanandperlman.com/cyber-readiness-if-it-aint-broke-you-may-still-want-to-fix-it/">Cyber Readiness &#8211; If it Ain’t Broke, You May Still Want to Fix It…</a> appeared first on <a href="https://perlmanandperlman.com">Perlman &amp; Perlman</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>2021 &#8211; A Very Private New Year &#8211;  Steps all Nonprofits Can Take</title>
		<link>https://perlmanandperlman.com/2021-private-new-year-steps-nonprofits-can-take/</link>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Wed, 20 Jan 2021 22:21:40 +0000</pubDate>
				<category><![CDATA[Nonprofit]]></category>
		<category><![CDATA[Nonprofit & Tax Exempt Organizations]]></category>
		<category><![CDATA[Technology, Data Privacy & Cybersecurity]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[New York SHIELD Act]]></category>
		<category><![CDATA[Privacy]]></category>
		<guid isPermaLink="false">https://perlmanandperlman.com/2021-private-new-year-steps-nonprofits-can-take/</guid>

					<description><![CDATA[<p>It’s the time of year when we set goals for self-improvement and make our New Year’s resolutions.  One resolution I suggest that nonprofit executives include is the improvement of data privacy practices. As reported by the Identity Theft Resource Center and CyberScout, 2019 saw the total number of data breaches increase 17% over 2018. The [&#8230;]</p>
<p>The post <a href="https://perlmanandperlman.com/2021-private-new-year-steps-nonprofits-can-take/">2021 &#8211; A Very Private New Year &#8211;  Steps all Nonprofits Can Take</a> appeared first on <a href="https://perlmanandperlman.com">Perlman &amp; Perlman</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>It’s the time of year when we set goals for self-improvement and make our New Year’s resolutions.  One resolution I suggest that nonprofit executives include is the improvement of data privacy practices. As reported by the Identity Theft Resource Center and CyberScout, 2019 saw the total number of data breaches increase 17% over 2018. The 2019 reporting year also saw a return to the pattern of the ever-increasing number of breaches and volume of records exposed.</p>
<p>As most organizations continue to have a significant portion of their workforce working remotely, 2020 will likely show a significant uptick in unauthorized access to personal information.  Additionally, the average cost for each lost or stolen record containing sensitive and confidential information increased by 4.8 percent year over year to $148. Such financial repercussions, as well as the reputational harm that can follow unauthorized access to customer data, indicate that privacy and cyber security should be a top concern.</p>
<p>Nonprofit organizations hold a variety of personal information on behalf of their constituents and employees, and it is incumbent upon them to safeguard that information. The fact is, that with each passing year, the number of data breaches grows, and the related financial cost and reputational harm along with it. Additionally, the regulatory landscape is becoming more complex, requiring organizations to comply with an increasing number of requirements or face penalties.</p>
<p>Due to the continued need to protect information, New York State enacted the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), whose data security requirements took effect on March 21, 2020.   This law applies to any organization that receives or collects private information about New York residents.  It requires specific actions, imposes a variety of obligations, and significant fines may be levied for non-compliance.  Among other requirements, to comply with the SHIELD Act organizations must:</p>
<ol>
<li>conduct a risk assessment of its cybersecurity program;</li>
<li>properly vet all third-party service providers to ensure they can comply with the NY SHIELD Act, and include in its contracts specific provisions related to cybersecurity practices;</li>
<li>have policies and procedures related to the deletion and/ or disposal of data within a reasonable amount of time after it is no longer needed for business purposes;</li>
<li>develop and implement a written incident/data breach response plan so that you can comply swiftly and completely with the Act’s reporting requirements (or face potentially harsh penalties); and</li>
<li>designate a “point person” to coordinate your data-security program to meet compliance.</li>
</ol>
<p>The good news is that conducting a privacy audit can significantly reduce potential “data incidents” and minimize the related risks.  It is also a big step to achieving SHIELD compliance.   A privacy audit is essentially a process to identify, across the organization (and chapters), the types of personal information collected, the ways in which it is protected, and with whom such information is shared.</p>
<p>The following risk assessment methodology is a good place to start.</p>
<ul>
<li><strong>Inventory</strong> Locate the places in the organization (and at vendors operating on its behalf) that house/store Personally Identifying Information (“PII”), identifying both electronic files/databases and physical files.</li>
<li><strong>Safeguards</strong> Assess the safeguards in place – including the physical, administrative and technical controls – and whether they are adequate and reasonable considering the type of PII being stored (an SSN and an email address, for example, warrant different levels of protection).</li>
<li><strong>Gaps</strong> Determine the compliance gap – essentially the difference between what the organization should be doing and its actual practices.</li>
<li><strong>Risk Assessment</strong> For most organizations there will be a number of gaps. For the PII held in each location and with each vendor, assess the risk of non-compliance, determine the impact of non-compliance and the likelihood of its occurrence, and use this to prioritize compliance efforts.</li>
<li><strong>Remediation</strong> Depending upon the findings in the previous steps, remediation should be a joint effort among the relevant members of the organization to address and remedy any identified shortfalls/gaps.</li>
</ul>
<p>As organizations look to identify material risks and implement processes and procedures to protect their data and hence their missions &#8211; data privacy and cyber security will no doubt continue to be a critical concern.  Now is the right time to conduct a privacy audit.</p>
<p>The post <a href="https://perlmanandperlman.com/2021-private-new-year-steps-nonprofits-can-take/">2021 &#8211; A Very Private New Year &#8211;  Steps all Nonprofits Can Take</a> appeared first on <a href="https://perlmanandperlman.com">Perlman &amp; Perlman</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>We Won’t Get Fooled Again &#8211; Blackbaud Data Breach</title>
		<link>https://perlmanandperlman.com/wont-get-fooled-blackbaud-data-breach/</link>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Tue, 25 Aug 2020 18:04:24 +0000</pubDate>
				<category><![CDATA[Contracts & Commercial Transactions]]></category>
		<category><![CDATA[Technology, Data Privacy & Cybersecurity]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[vendor contract]]></category>
		<guid isPermaLink="false">https://perlmanandperlman.com/wont-get-fooled-blackbaud-data-breach/</guid>

					<description><![CDATA[<p>Today, more and more nonprofits rely on third-party vendors for technology solutions to provide a range of services and operational support, including donor outreach and management, web platforms, payment processing solutions, and data storage.  This past May, Blackbaud, a prominent technology service provider to nonprofits, suffered a major data breach, which it did not disclose until July.  Whether or [&#8230;]</p>
<p>The post <a href="https://perlmanandperlman.com/wont-get-fooled-blackbaud-data-breach/">We Won’t Get Fooled Again &#8211; Blackbaud Data Breach</a> appeared first on <a href="https://perlmanandperlman.com">Perlman &amp; Perlman</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Today, more and more nonprofits rely on third-party vendors for technology solutions to provide a range of services and operational support, including donor outreach and management, web platforms, payment processing solutions, and data storage.  This past May, Blackbaud, a prominent technology service provider to nonprofits, suffered a major data breach, which it did not disclose until July.  Whether or not your organization was affected, the Blackbaud breach &#8211; and the company’s very delayed and, by many accounts, lackluster response &#8211; is a wake-up call for organizations to reconsider the terms of their relationships with all third-party vendors.</p>
<p>The reality is that most of the “default” third-party terms are invariably one-sided in favor of the vendor. Should things go awry as they did with the Blackbaud incident, it is vital to have the appropriate legal terms in the contract to protect your interests.  While it is impossible to provide an exhaustive list of issues to be considered in negotiating a contract, I recommend that the following five points should always be addressed prior to signing a third-party technology contract.</p>
<p><strong>1. Adjust the Limitation of Liability Cap</strong></p>
<p>Vendors routinely attempt to limit any claims for loss or damage that might be incurred.  Typically, they try to limit recovery to the fees paid in the preceding six months, or even less.  I suggest that the “cap” be set at some multiple of the total contract value, and not be tied to monies paid to date. This avoids having limited recompense for claims that arise early in the contract term.</p>
<p><strong>2. Draft Exclusions to the Limitation of Liability Cap</strong></p>
<p>Related to the first provision, most types of damage are “capped” at some pre-agreed dollar amount.  However, certain damage, because it poses a greater risk to your organization and its reputation, should be excluded.  As an example, damage that results from a data breach, indemnified claims and breaches of your confidential information should never be capped. In the case of the Blackbaud breach, such an exclusion would have preserved your organization’s ability to recover its full losses and expenses.</p>
<p><strong>3. Require Breach Notification and Credit Monitoring Expenses</strong></p>
<p>The Blackbaud incident illustrates that breaches happen.  Although unfortunate, the reality is that no system or platform is “breach proof.”  Even if your vendors maintain all the various physical, logical and administrative security precautions that have been reasonably requested, breaches can occur.</p>
<p>If a breach occurs and notification is required, your vendor is obligated to notify you alone, not your end-user donors.  For this reason, I strongly recommend that you require <em>any </em>vendor that has access to personally identifiable information on your behalf, to agree to pay for all fines, expenses and costs related to the breach, including notification to your donors, regulatory fines, and credit monitoring services for the potentially affected individuals.  They should also be required to promptly notify you of any breach or suspected breach – my recommendation is within 48-72 hours.  Blackbaud took over two months to provide notification!  This is reprehensible &#8211; but they are now the exception that proves the rule: contractually obligate your vendors to timely notice.</p>
<p><strong>4. Insist on Specific Cyber/Privacy Representations and Warranties</strong></p>
<p>During the sales pitch, prospective clients are presented with polished and detailed marketing materials that exhaustively describe the various aspects of the vendor’s product, including the cyber-security precautions they have in place.  However, most contracts provide scant detail about the precautions actually to be undertaken.  Bottom line: if a vendor is getting access to any personally identifiable information, you should have specific and detailed cyber-security and privacy requirements spelled out in the contract.</p>
<p><strong>5. Request Transition Services</strong></p>
<p>Vendor relationships do not last forever.   When the time comes to change a vendor, the transition can be a lengthy and arduous process.  When the existing vendor is reluctant to assist with the facilitation of the transition, the client gets stuck with the logjam.  To mitigate this issue, I always insist on including a provision in the contract that requires the vendor to provide ongoing services and specific transition support at their current standard rates for a specified period of time.</p>
<p>In the sentiments of Robert Frost, good contracts make good vendors.  As the Blackbaud data breach illustrates, “stuff” happens.  While Blackbaud is only one of many third-party providers to suffer a data breach, the attack on it serves as a stark example of why organizations need to take the time to carefully evaluate third-party vendor privacy and cyber security practices, as well as insist on specific contractual terms that define accountability and responsibilities in the event of an incident.  (And FYI, the NY SHIELD Act requires all organizations that collect private information on NY residents to review their contracts with third-party vendors to ensure that those contracts impose specific technological, administrative and physical safeguards.) Failure to do so could leave your organization with limited recourse and remedies when the worst happens.</p>
<p>The post <a href="https://perlmanandperlman.com/wont-get-fooled-blackbaud-data-breach/">We Won’t Get Fooled Again &#8211; Blackbaud Data Breach</a> appeared first on <a href="https://perlmanandperlman.com">Perlman &amp; Perlman</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The SHIELD Act – A New York State of Mind … and Privacy</title>
		<link>https://perlmanandperlman.com/shield-act-new-york-state-mind-privacy/</link>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Wed, 20 Nov 2019 20:35:27 +0000</pubDate>
				<category><![CDATA[State Regulations]]></category>
		<category><![CDATA[Technology, Data Privacy & Cybersecurity]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[New York]]></category>
		<category><![CDATA[New York Law]]></category>
		<category><![CDATA[New York SHIELD Act]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[privacy law]]></category>
		<guid isPermaLink="false">https://perlmanandperlman.com/shield-act-new-york-state-mind-privacy/</guid>

					<description><![CDATA[<p>The Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), which went into effect on October 23, 2019, substantially broadens the scope of the existing New York State breach notification and data protection laws. This new law applies to any for profit or nonprofit organization that receives or collects private information about New York [&#8230;]</p>
<p>The post <a href="https://perlmanandperlman.com/shield-act-new-york-state-mind-privacy/">The SHIELD Act – A New York State of Mind … and Privacy</a> appeared first on <a href="https://perlmanandperlman.com">Perlman &amp; Perlman</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The <strong>Stop Hacks and Improve Electronic Data Security Act</strong> (“SHIELD Act”), which went into effect on October 23, 2019, substantially broadens the scope of the existing New York State breach notification and data protection laws. This new law applies to any for profit or nonprofit organization that receives or collects private information about New York residents.  Simply put, if your organization has a website, it’s likely you need to comply with the provisions of the SHIELD Act.</p>
<p>The SHIELD Act creates two primary obligations: 1) the adoption and maintenance of a comprehensive cybersecurity data protection program to safeguard private information; and 2) compliance with specific data breach notification requirements.</p>
<p>The SHIELD Act broadens what is considered to be personally identifiable information (“PII”), which means that most organizations will be deemed to be collecting PII.  Under the SHIELD Act, any organization that collects PII must “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity” of the PII.   While the extent of the safeguards is expected to be proportional to the size and complexity of the organization, it is clear that all organizations will have to meet the minimum requirements outlined below.</p>
<ul>
<li>Develop, implement and maintain “reasonable [administrative, physical and technical] safeguards to protect the security, confidentiality and integrity” of PII.</li>
<li>When utilizing third-party service providers, include specific contractual provisions requiring the provider to maintain appropriate safeguards. (This means that all current, and certainly future, vendor agreements must be reviewed and appropriately negotiated.)</li>
<li>Adopt a data retention and destruction policy to safely and securely store, and when appropriate, permanently dispose of, PII.</li>
</ul>
<p>In addition, the SHIELD Act broadens the definition of a data breach and requires prompt notice to affected individuals and to government authorities.  For those organizations that have yet to adopt a “data breach response plan”, the time to do so is now.   The Act also provides for penalties for failing to give timely notice in the event of a data breach, as well as for failing to adopt reasonable safeguards.</p>
<p>The organizational costs related to unauthorized access continue to grow.  Therefore, procuring and maintaining a comprehensive and appropriate tailored cyber-security insurance policy has never been more important (also see <a href="https://www.perlmanandperlman.com/cyber-security-insurance/" target="_blank" rel="noopener noreferrer nofollow"><em>Cyber Security Insurance – A Must Have</em></a>).</p>
<p>Although the law took effect on October 23, 2019, it provides organizations a grace period until March 21, 2020 for the establishment of the required data protection policies and practices. I highly suggest organizations use this time wisely!  Businesses that have not previously been subject to cybersecurity regulatory requirements should promptly evaluate the sufficiency of their internal policies and practices &#8211; as well as the third-party service providers they use &#8211; to ensure compliance with the SHIELD Act requirements.  Those organizations with existing cybersecurity programs should review and update their policies and practices in light of these new requirements.</p>
<p>The post <a href="https://perlmanandperlman.com/shield-act-new-york-state-mind-privacy/">The SHIELD Act – A New York State of Mind … and Privacy</a> appeared first on <a href="https://perlmanandperlman.com">Perlman &amp; Perlman</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Privacy Audit – Make it Your Organization’s New Year’s Resolution!</title>
		<link>https://perlmanandperlman.com/privacy-audit-make-organizations-new-years-resolution/</link>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Fri, 14 Dec 2018 20:31:59 +0000</pubDate>
				<category><![CDATA[Nonprofit]]></category>
		<category><![CDATA[Nonprofit & Tax Exempt Organizations]]></category>
		<category><![CDATA[Technology, Data Privacy & Cybersecurity]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[privacy audit]]></category>
		<guid isPermaLink="false">https://perlmanandperlman.com/privacy-audit-make-organizations-new-years-resolution/</guid>

					<description><![CDATA[<p>It&#8217;s the time of year when its typical to focus on self-betterment, so let’s not leave the organization you work for out. Nonprofit organizations hold a variety of personal information on behalf of their constituents and employees. Unfortunately, most organizations could be doing more to protect this information. The fact is that with each passing [&#8230;]</p>
<p>The post <a href="https://perlmanandperlman.com/privacy-audit-make-organizations-new-years-resolution/">Privacy Audit – Make it Your Organization’s New Year’s Resolution!</a> appeared first on <a href="https://perlmanandperlman.com">Perlman &amp; Perlman</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>It&#8217;s the time of year when it&#8217;s typical to focus on self-betterment, so let’s not leave the organization you work for out.  Nonprofit organizations hold a variety of personal information on behalf of their constituents and employees.  Unfortunately, most organizations could be doing more to protect this information.  The fact is that with each passing year, the number of data breaches grows, and the financial cost and reputational harm along with it.  Additionally, the regulatory landscape is becoming more complex, requiring organizations to comply with an increasing number of requirements or face penalties.  The good news &#8211; a significant portion of data breaches and related risks can be avoided or minimized with a bit of due care. As such, it has never been more critical to have a practical understanding of the types of personal information collected, stored and shared by your organization.  A first step for any organization wishing to better understand (and minimize) its privacy risk is to conduct a privacy audit.</p>
<p>A privacy audit is essentially a process to identify, across the organization (and chapters), the types of personal information collected, the ways in which it is protected, and with whom such information is shared.   The following risk assessment methodology is a good place to start.</p>
<ul>
<li><strong>Inventory</strong> Locate the places in the organization (and at vendors operating on its behalf) that house/store Personally Identifying Information (“PII”), identifying both electronic files/databases and physical files.</li>
<li><strong>Safeguards</strong> Assess the safeguards in place – including the physical, administrative and technical controls – and whether they are adequate and reasonable considering the type of PII being stored (an SSN and an email address, for example, warrant different levels of protection).</li>
<li><strong>Gaps</strong> Determine the compliance gap – essentially the difference between what the organization should be doing and its actual practices.</li>
<li><strong>Risk Assessment</strong> For most organizations there will be a number of gaps.  For the PII held in each location and with each vendor, assess the risk of non-compliance, determine the impact of non-compliance and the likelihood of its occurrence, and use this to prioritize compliance efforts.</li>
<li><strong>Remediation</strong> Depending upon the findings in the previous steps, remediation should be a joint effort among the relevant members of the organization to address and remedy any identified shortfalls/gaps.</li>
</ul>
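<p>As an added worked example (not part of the original post, and not the firm’s audit checklist), the following Python script carries the Inventory, Safeguards, Gaps, Risk Assessment and Remediation steps above through a small inventory; the same methodology appears in the 2021 post earlier in this feed, and this one script serves both. The control baseline per PII tier, the PII classifications, the likelihood/impact weights and the four sample data stores are all assumptions constructed for illustration, to be replaced by an organization’s own findings.</p>

```python
"""Privacy-audit risk scoring for a PII inventory.

Added example illustrating the Inventory -> Safeguards -> Gaps -> Risk
Assessment -> Remediation methodology. The control baseline, PII tiers,
weights and sample inventory below are constructed assumptions, not a
standard and not the original post's checklist.
"""
from dataclasses import dataclass

# Safeguard baseline per PII sensitivity tier (assumption; tune to your policy).
TIER_CONTROLS = {
    "low":    {"access_control", "retention_policy"},
    "medium": {"access_control", "retention_policy", "encryption_in_transit", "mfa"},
    "high":   {"access_control", "retention_policy", "encryption_in_transit", "mfa",
               "encryption_at_rest"},
}
# Controls that only apply to electronic stores; skipped for physical files.
ELECTRONIC_ONLY = {"encryption_in_transit", "encryption_at_rest", "mfa"}
# Contractual safeguard expected whenever a vendor holds PII on the org's behalf.
VENDOR_CONTROL = "vendor_contract_clause"
# Sensitivity tier of each PII element (assumption).
PII_TIER = {
    "name": "low", "email": "low",
    "postal_address": "medium", "phone": "medium", "date_of_birth": "medium",
    "ssn": "high", "payment_card": "high", "bank_account": "high",
}
TIER_IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class DataStore:
    """One row of the inventory: where PII lives and what protects it."""
    name: str
    owner: str              # "internal" or the vendor holding the data
    pii: frozenset          # PII elements stored
    controls: frozenset     # safeguards confirmed to be in place
    records: int            # number of individuals' records held
    physical: bool = False  # paper files rather than an electronic system


@dataclass(frozen=True)
class Finding:
    store: str
    owner: str
    tier: str
    missing: frozenset      # the gap: required safeguards not in place
    likelihood: int         # 1..3
    impact: int             # 1..3
    score: int              # likelihood * impact, 1..9
    records: int


def classify(store: DataStore) -> str:
    """A store's tier is the highest tier of any PII element it holds.
    Elements missing from PII_TIER are treated as high until classified."""
    if not store.pii:
        return "low"
    return max((PII_TIER.get(p, "high") for p in store.pii),
               key=TIER_IMPACT.__getitem__)


def required_controls(store: DataStore, tier: str) -> set:
    """Safeguards the baseline expects for this store (the 'should be doing')."""
    required = set(TIER_CONTROLS[tier])
    if store.physical:
        required -= ELECTRONIC_ONLY
    if store.owner != "internal":
        required.add(VENDOR_CONTROL)
    return required


def assess(store: DataStore) -> Finding:
    """Gap analysis plus a simple likelihood x impact score for one store."""
    tier = classify(store)
    missing = frozenset(required_controls(store, tier) - store.controls)
    # Likelihood rises with each missing safeguard, capped at 3.
    likelihood = 1 + min(2, len(missing))
    # Impact follows the data tier; a large record count bumps it one step.
    impact = min(3, TIER_IMPACT[tier] + (1 if store.records >= 10_000 else 0))
    return Finding(store.name, store.owner, tier, missing,
                   likelihood, impact, likelihood * impact, store.records)


def remediation_plan(stores) -> list:
    """Findings ordered for remediation: highest score first, then most records."""
    return sorted((assess(s) for s in stores),
                  key=lambda f: (-f.score, -f.records, f.store))


# Constructed sample inventory (hypothetical stores and vendors).
SAMPLE_INVENTORY = [
    DataStore("Donor CRM (hosted)", "example-crm-vendor",
              frozenset({"name", "email", "postal_address", "payment_card"}),
              frozenset({"access_control", "mfa", "encryption_in_transit",
                         "encryption_at_rest"}), records=45_000),
    DataStore("HR shared drive", "internal",
              frozenset({"name", "ssn", "bank_account"}),
              frozenset({"access_control", "encryption_at_rest"}), records=120),
    DataStore("Newsletter list (hosted)", "example-mail-vendor",
              frozenset({"name", "email"}),
              frozenset({"access_control", "retention_policy",
                         "vendor_contract_clause"}), records=20_000),
    DataStore("Volunteer application file cabinet", "internal",
              frozenset({"name", "phone", "date_of_birth"}),
              frozenset({"access_control"}), records=300, physical=True),
]


if __name__ == "__main__":
    for f in remediation_plan(SAMPLE_INVENTORY):
        gap = ", ".join(sorted(f.missing)) or "none"
        print(f"[{f.score}] {f.store} ({f.owner}, {f.tier}, {f.records} records): {gap}")
```

<p>Running the script prints the prioritized list. With the sample inventory, the hosted CRM tops it because it holds payment card data for tens of thousands of donors with no retention policy and no contractual safeguard clause, which is exactly the vendor gap the SHIELD Act provisions discussed in this feed target; the HR drive ties on score but holds far fewer records; the paper files need only a retention policy, since encryption and MFA do not apply to a cabinet; and the newsletter list, though large, shows no gap at all.</p>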
<p>The above are general guidelines. As a first step, I typically provide clients with a customized, detailed checklist that is an essential tool for our audit.  Not surprisingly, most of these audits reveal a variety of gaps and poor practices, which once addressed and remedied, reduces the likelihood of a breach, and leaves the organization better prepared should one occur.</p>
<p>The post <a href="https://perlmanandperlman.com/privacy-audit-make-organizations-new-years-resolution/">Privacy Audit – Make it Your Organization’s New Year’s Resolution!</a> appeared first on <a href="https://perlmanandperlman.com">Perlman &amp; Perlman</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
