Act Now on Privacy and Cybersecurity Issues!
Originally published in Association TRENDS magazine, June 2016.
There is no question that the newest and biggest liability risk for associations arises from online activities. It's not a question of 'if' your association will suffer a data security breach, but 'when.' Savvy association execs and operational professionals will get ready now for the inevitable breach – whether from a pernicious hack, phishing, or just a lost staff computer or personal device. In fact, the laws of several states – which apply if the association has personally identifiable information (“PII”) of any residents from those states – mandate that holders of such information have in effect a written information security plan/policy (“WISP”) to protect such information NOW!
As background, the United States does have laws in place that protect certain vertical areas, such as health care and financial services, but there is no federal law that covers and protects the privacy of regular citizens across the board. Thus, there is no single national law that tells an association what information to protect or what its obligations are in the event of a breach, including when notification is required to be made to the subject of the breach or to governmental authorities. As a result, as indicated above, associations have to look to individual state laws for guidance, with the practical result that compliance with the toughest state laws is essentially required.
If an association has PII on its members, stakeholders, donors, certificants, or others, it must take steps now in hopes of preventing a breach, but more realistically to minimize the damage and cost when a breach does occur. PII generally comprises information that identifies a person and could lead to access to the person's funds or assets: for example, a person's name in combination with other identifying information, such as a bank account number, social security number, driver's license number, credit card number, etc. Claims can arise based on breach of privacy, but the costs of remediation also can be significant. When a breach happens, it is often difficult to determine the exact cause, but notification is generally required within a matter of days to protect those whose PII was compromised. In addition, woe to the association that suffers a breach and didn't think to obtain cybersecurity insurance to defend against claims and cover costs of remediation; such insurance is available, but you often have to ask for it.
On top of that, many associations have international members or constituents, and other countries have varied laws protecting their citizens' personal data, which is often more broadly defined than in the U.S. The European Union implemented a Privacy Directive that requires opt-in consent from individuals prior to their personal data being transferred outside of the EU. The U.S. had in place a safe harbor for transfers of data to companies or organizations that registered with the Commerce Department, but that safe harbor was rejected recently by the courts and is no longer in effect. A breach of PII involving nationals of other countries would require analysis of the laws of all those countries, with notification and remediation as mandated by such statutes.
There is no adequate preparation for the inevitable breach other than association leadership (in particular, executive and finance staff) diligently, seriously, and strategically addressing these issues in advance, including by adopting appropriate privacy policies, implementing a WISP, ensuring vendor compliance, and obtaining insurance. As we tell our clients, “Plan to Fail Well.” Don't wait. Do it now!