Not-for-Profit but Rich in Data: The Unique Privacy Needs of Nonprofits


Slide 1: Not-for-Profit but Rich in Data: The Unique Privacy Needs of Nonprofits
Association of Corporate Counsel - National Capital Region, Nonprofits and Associations Forum
Thursday, December 7, 2017
LA / NY / SF / DC / arentfox.com

Slide 2: Panelists
- Rhonda Lees, Senior Counsel, American Bankers Association
- Molly Meegan, Associate General Counsel, The Human Rights Campaign
- Donna McPartland, Counsel, Arent Fox
- Richard Newman, Partner, Arent Fox

Slide 3: What are the risks of collection and use of personal information?
Risks:
- Regulatory or Legal Actions
- Financial and Operational Costs and Losses
- Reputational Damage
Responsibilities:
- Legal and Regulatory
- Contractual Obligations
- Fiduciary Duties

Slide 4: What is Personal Data?
"Personal data" is any information which relates to a living individual who can be identified:
- From that information
- From that information combined with other information held or likely to come into the possession of the company
Examples:
- Name
- Postal or address
- Phone number
- ID numbers (e.g. passport, license)
- Location data (usually from devices)
- Bank account details
- Expressions of opinion
- Photographs, sound recordings, film
- IP addresses
- Information stored in cookies or similar technologies
- Training records

Slide 5: What is Sensitive Data?
"Sensitive data" is a subset of personal data that requires special handling and higher protections.
Examples:
- Biometric data
- Health and genetic data (allergies)
- Employment data
- Criminal convictions
- Racial or ethnic data
- Political opinions
- Religious or philosophical beliefs
- Trade-union membership
- Sex life or sexual orientation

Slide 6: What are the applicable laws?
- No single omnibus US federal privacy law; instead, a complex patchwork of US federal and state laws
Select US Federal Laws:
- Children's Online Privacy Protection Act (COPPA)
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA) and HITECH
- Gramm-Leach-Bliley Act (GLBA)
- CAN-SPAM
- Electronic Communications Privacy Act (ECPA)
Select US State Laws:
- Data Breach
- Identity Theft
- Social Security Number Restrictions
- Encryption and Data Security
- Records Retention and Disposal
- Computer Crimes

Slide 7: What are the applicable laws?
- FTC: does it have jurisdiction over nonprofits? Generally no, but CAN-SPAM and GLBA apply; recent cases turn on conduct v. status
- International (EU GDPR, China, etc.)
- Government contracts/grants: Privacy Act, FISMA, NIST, FARS, other government regulations
- PCI-DSS and other industry standards: ISO 27001, SOC 2, CSA, etc.

Slide 8: What's the same and what's unique?
- Are the laws the same for nonprofits/SMEs? YES, in many instances!
- What's unique for nonprofits and data privacy? Let's look at all the different types of data.

Slide 9: BIG DATA - Potential for massive data
- Donors, Members, Students, Grantees
- Volunteers (training, payments, etc.)
- Marketing
- Mobile Apps
- Social Media: who's authorized? Social media policy?

Slide 10: BIG DATA (cont'd)
- Health data: HIPAA, ePHI
- Data Breaches
  - Response plan very important
  - Information Security plans and controls
  - Tabletop exercises
  - Severe reputational impact on donors/other stakeholders

Slide 11: What's the same and what's unique?
- International Compliance is complex
  - EU GDPR: very broad scope, applies to US companies offering goods in the EU; effective May 2018; complex requirements (consent, breach notification, DPOs)
  - China: quickly evolving; Cybersecurity Law, June 2017
- Some frameworks don't apply for nonprofits
  - Privacy Shield (must be under FTC jurisdiction, so NO nonprofits, banks, insurance companies)
  - Cross-Border Privacy Rules (CBPR)
- Alternatives: Model Clauses/SCCs and Binding Corporate Rules; vendors may be Privacy Shield certified

Slide 12: What's unique for nonprofits and data privacy?
- Tax issues
  - 990 disclosure issues
  - IRS audits
  - Executive compensation comparability
- Other tax issues:
  - Sensitivities about info disclosure
  - Taxable subsidiaries?

Slide 13: What's unique? (cont'd)
- Humanitarian Organizations (Handbook on DP in Humanitarian Action): unique issues including biometrics, drones, etc.
- Limited Resources: fewer IT people; few if any dedicated privacy or security staff (no CPO/DPO?)
- Same rules

Slide 14: Hypotheticals
Your organization is a charity needing assistance (from employees or volunteers) for your Walk. Let's look at the activities and the challenges:

Slide 15: Helping with registration
- Credit card payments on the day of the event. (Nothing could go wrong there!)
- What if money allegedly goes missing?
- Do you vet volunteers with a background check, or are you just grateful that anyone shows up at 6:30 am on the weekend?
- Is there a system, such as one volunteer and one employee working together?
- What's the procedure for opening the envelopes?

Slide 16:
- What are the other issues involved if your event takes place outside of the US? Privacy Shield? GDPR?
- What if you asked about any food preferences or sensitivities?

Slide 17: Walk Hypo (cont'd)
- Issues collecting personal information: Consent? HIPAA? PCI DSS?

Slide 18: Hypo 2: Volunteer Research
Your foundation or professional society/trade association receives input and information from volunteers for a research or educational publication.
- In addition to volunteers signing the NDA, anyone else? Third parties? Researchers?

Slide 19: Hypo 2: Volunteer Research (cont'd)
- Do the written agreements address consent issues? Use of personal information? Third parties?
- Does HIPAA apply?
- Assign all rights regarding contributed content to the association?
- Confidentiality?

Slide 20: Hypo 3: Virtual Workers
- Some associations have looked into hiring staffing off the web for individual assignments. What could go wrong?
- Is there a written independent contractor agreement? Or just a click-through for terms of use?

Slide 21: Hypo 3: Virtual Workers (cont'd)
- Will personal information be involved? SSN? Health information?
- Which country was the worker located in?
- Is the arrangement in compliance with the various U.S. and other-country employment and tax laws? Data protection laws?

Slide 22: Hypo 4: The Weekend Away
You work with another organization to host a conference to promote community education and awareness in a neighboring state. You co-brand and market the conference. A volunteer from your organization contacts the company and offers to videotape footage of participants. He arrives, interviews several minors, asks very personal questions, and posts the video to social media with your logo. Then you find out.

Slide 23: Hypo 4: The Weekend Away (cont'd)
At the event, one of your volunteers introduces you to a potential new donor that she has been cultivating for several months. An internet search reveals that the new prospect is a founding member of Project Veritas. After the event, your program partner airdrops you a list of event attendees that have requested additional information.

Slide 24: Hypo 4 (cont'd)
- Volunteer training (or lack thereof)
- Additional points of access for bad actors
- Volunteer use of insecure or personal devices
- Inconsistent practices of non-profit partners

Slide 25: Takeaways
- Privacy and data security requirements are very similar for nonprofits and for-profits (except Privacy Shield, CBPR and tax disclosures)
- Big Data is pervasive and strategic for most organizations, and it comes with serious risks and responsibilities
- Privacy Risk Assessment and Compliance: the importance of knowing what personal information you have, who has access to it, where it is located, and what laws apply to your organization, and of implementing an appropriate compliance program

Slide 26: Q&A and Discussion