<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>New York SHIELD Act - Staging Perlman and Perlman</title>
	<atom:link href="https://www.staging-perlmanandperlman.com/tag/new-york-shield-act/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.staging-perlmanandperlman.com</link>
	<description>Staging Perlman and Perlman</description>
	<lastBuildDate>Wed, 20 Jan 2021 22:21:40 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.4.3</generator>
	<item>
		<title>2021 &#8211; A Very Private New Year &#8211;  Steps all Nonprofits Can Take</title>
		<link>https://www.staging-perlmanandperlman.com/2021-private-new-year-steps-nonprofits-can-take/</link>
					<comments>https://www.staging-perlmanandperlman.com/2021-private-new-year-steps-nonprofits-can-take/#respond</comments>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Wed, 20 Jan 2021 22:21:40 +0000</pubDate>
				<category><![CDATA[Nonprofit]]></category>
		<category><![CDATA[Nonprofit & Tax Exempt Organizations]]></category>
		<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[New York SHIELD Act]]></category>
		<category><![CDATA[Privacy]]></category>
		<guid isPermaLink="false">https://www.staging-perlmanandperlman.com/2021-private-new-year-steps-nonprofits-can-take/</guid>

					<description><![CDATA[<p>It’s the time of year when we set goals for self-improvement and make our New Year’s resolutions.  One resolution I suggest that nonprofit executives include is the improvement of data privacy practices. As reported by the Identity Theft Resource Center and CyberScout, 2019 saw the total number of data breaches increase 17% over 2018. The [&#8230;]</p>
<p>The post <a href="https://www.staging-perlmanandperlman.com/2021-private-new-year-steps-nonprofits-can-take/">2021 – A Very Private New Year –  Steps all Nonprofits Can Take</a> first appeared on <a href="https://www.staging-perlmanandperlman.com">Staging Perlman and Perlman</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>It’s the time of year when we set goals for self-improvement and make our New Year’s resolutions.  One resolution I suggest that nonprofit executives include is the improvement of data privacy practices. As reported by the Identity Theft Resource Center and CyberScout, 2019 saw the total number of data breaches increase 17% over 2018. The 2019 reporting year also saw a return to the pattern of the ever-increasing number of breaches and volume of records exposed.</p>
<p>As most organizations continue to have a significant portion of their workforce work remotely, 2020 will likely show a significant uptick in unauthorized access to personal information.  Additionally, the average cost for each lost or stolen record containing sensitive and confidential information increased by 4.8 percent year over year to $148. Such financial repercussions, as well as the risk of incurring reputational harm that could follow unauthorized access to customer data, indicate that privacy and cyber security should be a top concern.</p>
<p>Nonprofit organizations hold a variety of personal information on behalf of their constituents and employees, and it is incumbent upon them to safeguard that information. The fact is that with each passing year the number of data breaches grows, and the related financial cost and reputational harm grow along with it. Additionally, the regulatory landscape is becoming more complex, requiring organizations to comply with an increasing number of requirements or face penalties.</p>
<p>Due to the continued need to protect information, New York State enacted the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) on March 21 of 2020.   This new law applies to any organization that receives or collects private information about New York residents through the Internet, and requires, among things that your organization.   The Act requires specific actions and imposes a variety of obligations, and significant fines may be levied for non-compliance.  Among other requirements, to meet the SHIELD Act requirements, organizations must:</p>
<ol>
<li>conduct a risk assessment of its cybersecurity program;</li>
<li>properly vet all third-party service providers to ensure they can comply with the NY SHIELD Act, and include in its contracts specific provisions related to cybersecurity practices;</li>
<li>have policies and procedures related to the deletion and/or disposal of data within a reasonable amount of time after it is no longer needed for business purposes;</li>
<li>develop and implement a written incident/data breach response plan so that you can comply swiftly and completely with the Act’s reporting requirements (or face potentially harsh penalties); and</li>
<li>designate a “point person” to coordinate your data-security program to meet compliance.</li>
</ol>
<p>The good news is that conducting a privacy audit can significantly reduce potential “data incidents” and minimize the related risks.  It is also a big step toward achieving SHIELD compliance.   A privacy audit is essentially a process to identify, across the organization (and chapters), the types of personal information collected, the ways in which it is protected, and with whom such information is shared.</p>
<p>The following risk assessment methodology is a good place to start.<br />
• <strong>Inventory </strong>Locate the places in the organization (and vendors operating on its behalf) that house/store Personally Identifying Information (“PII”), identifying both electronic files/databases and physical files<br />
• <strong>Safeguards</strong> Assess the safeguards in place – including the physical, administrative and technical controls – and whether they are adequate and reasonable considering the type of PII being stored (an SSN and an email address, for example, might have different levels of protection).<br />
• <strong>Gaps</strong> Determine the compliance gap – essentially the difference between what the organization should be doing and its actual practices.<br />
• <strong>Risk Assessment </strong>For most organizations there will be a number of gaps. As a first step, for the PII held in various locations and with various vendors, assess the risk of non-compliance, determine the impact of non-compliance and likelihood of risk occurrence, and use this to help prioritize compliance efforts.<br />
• <strong>Remediation</strong> Depending upon the findings/conclusions in the previous steps, remediation should be a joint effort among various members of the organization to address and remedy any identified shortfalls/gaps.</p>
<p>As organizations look to identify material risks and implement processes and procedures to protect their data, and hence their missions, data privacy and cyber security will no doubt continue to be a critical concern.  Now is the right time to conduct a privacy audit.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.staging-perlmanandperlman.com/2021-private-new-year-steps-nonprofits-can-take/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The SHIELD Act – A New York State of Mind … and Privacy</title>
		<link>https://www.staging-perlmanandperlman.com/shield-act-new-york-state-mind-privacy/</link>
					<comments>https://www.staging-perlmanandperlman.com/shield-act-new-york-state-mind-privacy/#respond</comments>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Wed, 20 Nov 2019 20:35:27 +0000</pubDate>
				<category><![CDATA[State Regulations]]></category>
		<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[New York]]></category>
		<category><![CDATA[New York Law]]></category>
		<category><![CDATA[New York SHIELD Act]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[privacy law]]></category>
		<guid isPermaLink="false">https://www.staging-perlmanandperlman.com/shield-act-new-york-state-mind-privacy/</guid>

					<description><![CDATA[<p>The Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), which went into effect on October 23, 2019, substantially broadens the scope of the existing New York State breach notification and data protection laws. This new law applies to any for profit or nonprofit organization that receives or collects private information about New York [&#8230;]</p>
<p>The post <a href="https://www.staging-perlmanandperlman.com/shield-act-new-york-state-mind-privacy/">The SHIELD Act – A New York State of Mind … and Privacy</a> first appeared on <a href="https://www.staging-perlmanandperlman.com">Staging Perlman and Perlman</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>The <strong>Stop Hacks and Improve Electronic Data Security Act</strong> (“SHIELD Act”), which went into effect on October 23, 2019, substantially broadens the scope of the existing New York State breach notification and data protection laws. This new law applies to any for-profit or nonprofit organization that receives or collects private information about New York residents.  Simply put, if your organization has a website, it’s likely you need to comply with the provisions of the SHIELD Act.</p>
<p>The SHIELD Act creates two primary obligations: 1) the adoption and maintenance of a comprehensive cybersecurity data protection program to safeguard private information; and 2) compliance with specific data breach notification requirements.</p>
<p>The SHIELD Act broadens what is considered to be personally identifiable information (“PII”), which means that most organizations will be deemed to be collecting PII.  Under the SHIELD Act, any organization that collects PII must “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity” of the PII.   While the extent of the safeguards is expected to be proportionate to the size and complexity of the organization, it is clear that all organizations will have to meet the minimum requirements as outlined below.</p>
<ul>
<li>Develop, implement and maintain “reasonable [administrative, physical and technical] safeguards to protect the security, confidentiality and integrity” of PII.</li>
<li>When utilizing third-party service providers, include specific contractual provisions that stipulate that maintenance of appropriate cybersecurity practices is necessary for compliance. (This suggests that all current, and certainly future, vendor agreements must be reviewed and appropriately negotiated).</li>
<li>Adopt a data retention and destruction policy to safely and securely store, and when appropriate, permanently dispose of, PII.</li>
</ul>
<p>Added to this, the SHIELD Act broadens the definition of data breach, requiring prompt notice to affected individuals and to government authorities.  For those organizations that have yet to adopt a “data breach response plan”, the time to do so is now.   This clause includes penalties for failing to provide timely notice in the event of a data breach as well as for failing to adopt reasonable safeguards.</p>
<p>The organizational costs related to unauthorized access continue to grow.  Therefore, procuring and maintaining a comprehensive and appropriately tailored cyber-security insurance policy has never been more important (also see <a href="https://www.perlmanandperlman.com/cyber-security-insurance/" target="_blank" rel="noopener"><em>Cyber Security Insurance – A Must Have</em></a>).</p>
<p>Although the law took effect on October 23, 2019, it provides organizations a grace period until March 21, 2020 for the establishment of the required data protection policies and practices. I highly suggest organizations use this time wisely!  Businesses that have not previously been subject to cybersecurity regulatory requirements should promptly evaluate the sufficiency of their internal policies and practices &#8211; as well as the third-party service providers they use &#8211; to ensure compliance with the SHIELD Act requirements.  Those organizations with existing cybersecurity programs should review and update their policies and practices in light of these new requirements.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.staging-perlmanandperlman.com/shield-act-new-york-state-mind-privacy/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
