The SHIELD Act creates two primary obligations: 1) the adoption and maintenance of a comprehensive cybersecurity data protection program to safeguard private information; and 2) compliance with specific data breach notification requirements.

The SHIELD Act broadens what is considered to be personally identifiable information (“PII”) which means that most organizations will be deemed to be collecting PII.  Under the Shield Act, any organization that collects PII must “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity” of the PII.   While the extent of the safeguards is expected to be relational to the size and complexity of the organization, it is clear that all organizations will have to meet the minimum requirements as outlined below.

• Develop, implement and maintain “reasonable [administrative, physical and technical] safeguards to protect the security, confidentiality and integrity” of PII.
• When utilizing third-party service providers, include specific contractual provisions that stipulate that maintenance of appropriate cybersecurity practices are necessary for compliance. (This suggests that all current, and certainly future, vendor agreements must be reviewed and appropriately negotiated).
• Adopt a data retention and destruction policy to safely and securely store, and when appropriate, permanently dispose of, PII.

Added to this, the SHIELD Act broadens the definition of data breach, requiring prompt notice to affected individuals and to government authorities.  For those organizations that have yet to adopt a “data breach response plan”, the time to do so is now.   This clause includes penalties for failing to provide timely notice in the event of a data breach as well as for failing to adopt reasonable safeguards.

The organizational costs related to unauthorized access continue to grow.  Therefore, procuring and maintaining a comprehensive and appropriate tailored cyber-security insurance policy has never been more important (also see Cyber Security Insurance – A Must Have).

Although the law took effect on October 23, 2019, it provides organizations a grace period until March 21, 2020 for the establishment of the required data protection policies and practices. I highly suggest organizations use this time wisely!  Businesses that have not previously been subject to cybersecurity regulatory requirements should promptly evaluate the sufficiency of their internal policies and practices – as well as the third-party service providers they use – to ensure compliance with the SHIELD Act requirements.  Those organizations with existing cybersecurity programs should review and update their policies and practices in light of these new requirements.

The post The SHIELD Act – A New York State of Mind … and Privacy first appeared on Staging Perlman and Perlman.

With the massive expansion of the Internet, privacy is a real concern these days.  Your organization’s privacy policy is the first step in an overall approach to responsibly collecting, sharing and safeguarding the information you obtain: it is a pledge to your donors and supporters to maintain their confidentiality.

While it may seem that all nonprofit sites deal with the same issues regarding privacy, the reality is no two organizations are identical.  On the surface, another organization may appear to engage in similar activities as yours, but the truth is that the way the information is processed, shared and utilized will certainly differ.

The Federal Trade Commission advises that when drafting your privacy policy “say what you mean and mean what you say.”  The first part is easy – you need to have a global understanding of what your organization does with the information it collects.  For example, do you share information with third parties, use cookies and other web tracking technologies, or send promotional emails?  Whatever the practices, they need to be clearly described in your privacy policy.

The second part, “do what you say”, is more of a challenge.  Simply stating the policy is not enough – you must adhere to the policies and procedures as described.  Your organization will be held accountable for any failure to meet its own written standards, thus it’s imperative that everyone in the organization understand what they should be doing – and equally important, what they should not be doing.

Finally, your privacy policy must keep pace with your practices.  Web technologies, marketing strategies and other internal practices change regularly.  If the marketing department concludes that a monthly e-newsletter to donors is essential, that’s fine, but make sure that this is addressed in the privacy policy.  Unfortunately, many organizations do not routinely update their privacy policies to keep pace with such changes.

The goal is to avoid a Federal Trade Commission enforcement action, potential lawsuits, negative publicity and loss of supporter trust.  So you want to follow best practices when it comes to the privacy policy, and in future posts I will provide such guidelines.  In the meantime, if you have a professionally drafted privacy policy, make sure that it is reviewed, followed and updated on an annual basis.  And for those who may have taken the short cut, I recommend working with an attorney familiar with these issues to review and revise your privacy policy to be sure it truly reflects your intended practice.  The investment today will go a long way in honoring the commitment to the privacy your supporters expect and deserve.

The post Steal This Privacy Policy… first appeared on Staging Perlman and Perlman.

The online marketing strategies being used are quite diverse, including:

• Facebook Promotions: “Like” our company page, and we will donate $X to charity; Visit our Facebook page, and vote for your favorite charity to receive $X.
• Online Sweepstakes: Make a donation or take a simple quiz to show your knowledge on an important issue, then enter to win a prize.
• Online Contests: Submit an entry (e.g., a T-shirt design; a proposal to solve a global epidemic) for a chance to win funding or a prize; winner selection may combine an expert panel with public voting.
• Customized Online Fundraisers: Individuals or charities can create their own fundraising page on a third party crowdfunding site to raise funds.
• Cause Gaming:  Play our game to help generate funds for charity.

Nonprofit marketing experts advise groups adopting social media and online marketing strategies to keep it simple, make it meaningful, and be selective to avoid taxing your limited resources. But what do the lawyers say?

Here are five legal considerations for charities to keep in mind as you consider adopting new internet-based strategies:

1.      Understand the structure and limitations of your chosen platform.  Each platform has its own set of rules that will affect your options, ranging from the ability to raise funds for a charitable cause (e.g., not via Kickstarter), to the voting mechanisms you can and cannot use (check out Facebook’s promotions guidelines).

2.      Make sure your promotion rules are clear and thorough. Think about worst case scenarios (e.g., fraud via automated voting) or unexpected situations (e.g., a tie in votes), and build in appropriate protections and procedures. The last thing you want is to have your creative efforts become the next nonprofit social media scandal.

3.      Consider the privacy issues triggered by your promotion. Many organizations and for-profits are using online engagement strategies to grow their database of contacts and convert first timers into regular supporters.  Make sure the rules for our promotion clearly address how personally identifiable information will be used, and if tied to your website’s privacy policy, make sure that policy is up to date as well.

4.      Analyze your fundraising regulatory compliance obligations. If your online promotion is helping to raise funds for a charitable cause, you and possibly any third party site you are using to raise funds could be subject to fundraising registration requirements in 40+ states. The Charleston Principles, a nonbinding set of guidelines adopted by state charity regulators in 2001, provide the most concrete guidance for charities and companies engaged in charitable fundraising activities to determine their state compliance obligations (although the regulatory community is actively re-examining those Principles – consider how much the world of internet-based fundraising has changed over the last 11 years!).

5.      Promotions laws still apply in cyberspace.  Whether you’re dealing with online raffles, contests, or sweepstakes, many of the federal, state and local rules still apply (although certain ones may not, such as sweepstakes rules embedded in the federal Deceptive Mail Prevention and Enforcement Act), and complying with every jurisdiction’s laws can be a challenge.  And if you think the internet makes it a snap to take your promotion global, think again.  Some jurisdictions regulate promotions so strictly that many groups simply opt to make their promotions void in those locations.

With over a million nonprofits in the U.S. vying for funding and constituents to support their charitable mission, it has become imperative for organizations to find ways to stand out in the marketplace of ideas. With some thoughtful planning, though, charities can harness internet and social media platforms to multiply their impact and reach.

The post Social Media and Online Marketing for Nonprofits: A Legal Perspective first appeared on Staging Perlman and Perlman.