Non Profit Report - Spring 2009
The Price of Getting Personal
How is your nonprofit handling personal information?
By: Jerome Schaefer, Esq.
State and federal laws dealing with the protection of personal information and what to do if such information leaks out can significantly impact the operations of nonprofit organizations. This article discusses security breaches, reviews basic state and federal laws, and recommends ways to minimize risks to your organization or association.
Forget Immunity
Security breaches by for-profit entities garnered mainstream media attention in 2008, from Countrywide to TJX (the parent company of TJ Maxx, Marshalls, HomeGoods and AJ Wright stores). But lesser-known are the many breaches that occurred within nonprofits, educational institutions and governmental agencies, such as the U.S. Air Force, Binghamton University, the Federal Aviation Administration (FAA), the Federal Emergency Management Agency (FEMA), the NYPD Pension Fund, the University of Florida, and the Wisconsin State Department of Health and Family Services, among others. [source: www.idtheftcenter.org]
Some suggest that nonprofits are less prepared to guard against security breaches of personal information. Unfortunately, no organization, be it a for-profit or nonprofit entity, is immune to criminal hackers. Hackers belong to a multi-billion dollar global industry that profits from stealing and selling personal information. The personal information that your nonprofit may be holding is priceless.
What is Personal Information?
Your nonprofit's database of supporters and/or members is arguably your most valuable asset. "Personal information" is usually defined as the first name (or first initial) and last name of an individual used in conjunction with unencrypted information such as an individual's social security number, driver's license number, financial account number (with password) or an entity's Taxpayer Identification Number. Many states have already placed restrictions on the use of an individual's social security number unless the information is encrypted, and new laws have expanded this prohibition to include other unencrypted, personally identifiable information, including financial account numbers (with passwords). Organizations holding such information and using the internet for commercial transactions must securely store and protect it.
Crossing Jurisdictions
Even if the state where you do business doesn't have a security law, you must comply with the laws of the states where your donors, members or on-line purchasers live. State laws dealing with personal information and security breach notifications are designed to protect the residents of that state, even if the entity holding the personal information is located in a different state. Many nonprofit organizations are incorporated in one jurisdiction, but have a principal office in another jurisdiction, operate in multiple jurisdictions, or receive payments from across the country. In the event of a security breach, you may have to comply with the privacy laws of many states, none of which is exactly the same as the others.
Know Your Own People - Inside Out
In a February 2009 survey of 1,000 people, 59 percent of U.S. employees who left a firm in 2008 knowingly stole data from their former employer, according to a Ponemon Institute survey (sponsored by Symantec, a security company). As the economy continues to produce layoffs, the threat of "rogue insiders" may become even more prevalent as employees fearful of layoffs look to trade their trusted status for the sale of personal data. Monitor your employees and create controls.
Know Your Vendors - Outside In
Organizations can be liable for damages even if the activities of collecting and storing personal information are managed by an independent third party, and the principal organization had no actual role in causing the breach or any ability to prevent it. For this reason, exercise due diligence and caution in your selection of third party vendors who collect and store personal information. When your organization releases data to a vendor, be sure that their security is just as good as, or better than, your own. Not only is encryption good for the data held at your organization, it is an important consideration for personal data that leaves your nonprofit. In 2007, nearly 100 clients of Convio, a nonprofit software provider, had their data breached after an unauthorized third party accessed email addresses and passwords.
After a Breach: Giving Notice
Once a security breach has occurred, how do you deal with it? Many of these laws require you to give notice to the individuals affected, and have very precise requirements about the content, manner, and timeliness of the mandated notice. Often, notice must also be given to the state's attorney general. Some states give affected residents a private cause of action against the breaching organization for actual damages (including "dignitary damages" and pain and suffering) and reasonable attorney fees. You may be liable for these damages even if the activities of collecting and storing "personal information" are managed by an independent third party, so that your organization never itself held or controlled the sensitive data.
Cyber Insurance
With the increase in security breaches of personal information and the expense of private causes of action, the insurance industry now offers cyber insurance or what is also called information-asset coverage.
Summary
You may or may not collect personal information for membership purposes, but don't forget the sensitive information (account numbers and the like) that passes through your hands if you do business or accept donations on the internet. Of course, you need to know and comply with the laws of your state, but also keep in mind other jurisdictions where you may have legal contacts. Your website terms and conditions may need to include appropriate disclaimers and may require separate privacy and electronic commerce notices, including how "cookies" are used. And, of course, exercise caution in selecting third party vendors who may handle sensitive personal information. Finally, conduct audits of both your own and your vendors' operations over time, to confirm that you and they are staying abreast of changes in the law and using best practices in the area of security and privacy. Your organization depends on the trust of your donors or members for its success. A breach of their privacy is both a legal violation and a violation of that trust. What you do today to mitigate that risk tomorrow is very important - to both your organization's reputation and your bottom line.
Virginia Legislative Wrap Up
(Courtesy of VANNO*, the Virginia Network of Nonprofit Organizations: Our great appreciation to VANNO and Executive Director Deborah Barfield Williamson for allowing us to reprint the following information.)
The Virginia General Assembly adjourned its 2009 session on Saturday, February 28, with the reconvened session occurring on April 8 to address the Governor's amendments and vetoes on legislation.
Each year nearly 3000 bills are introduced to the General Assembly, but most do not pass. This year was no different. VANNO tracked two dozen pieces of legislation affecting the nonprofit community, but only 10 passed both houses and were affirmed by the Governor. These bills will go into law on July 1, 2009.
The bills VANNO tracked this session demonstrated the broad scope of Virginia's nonprofit community, with legislation addressing nonprofit daycare centers, first responders, organ donation, charity care in hospitals and the tobacco settlement.
However, some legislation will affect most nonprofits, including expanding the sales-tax exemption for nonprofit organizations. Bills monitored on unsolicited e-mail (spam) and changes to charitable gaming regulations did not pass this session. Below is a brief summary of the passed bills and resolution which VANNO tracked this session.
Approved by Governor and will go into law on July 1, 2009
- HB1779 Sales and use tax; exemption of sales by nonprofit entities
Provides that a nonprofit entity that is otherwise entitled to the occasional sale exemption shall be entitled to such exemption regardless of the number of times it makes sales throughout the year.
- HB1983 Emergency response; liability
Provides civil immunity for private and charitable organizations providing resources and assistance, without compensation, pursuant to a governor-declared emergency or during a formal emergency management training exercise, and at the request of the State Department of Emergency Management or a local emergency management employee. The immunity would not apply in instances of gross negligence, recklessness, or willful misconduct.
- HB2214 Pharmacies; bulk donation programs
Provides that a pharmacy participating in bulk donation programs may charge a reasonable dispensing or administrative fee to offset the cost of dispensing donated medications, not to exceed the actual costs of such dispensing.
- HB2330 Sales and use tax exemption; nonprofit schools
Exempts any non-profit school that is accredited by an entity approved by the Department of Education and any school licensed by the Department of Education as a school for students with disabilities from the requirement to submit an audit to the Department of Taxation to obtain a sales and use tax exemption, if the school submits a federal 990 tax form.
- HB2445 Stock and nonstock corporations
Conforms provisions of the Stock and Nonstock Corporation Acts regarding names, mergers, and terminations with similar provisions applicable to other business entity forms, and makes technical amendments.
- HB2458 Posting of charity care policies
Requires all hospitals to post information related to charity care, including specific eligibility criteria and procedures for applying for charity care, on a website maintained by the hospital, and in public areas of the hospital.
- SB969 Unlicensed child day centers; staff-to-child ratio
Permits unlicensed day centers to reduce the number of staff per child by 50 percent during designated rest or sleep periods. The bill changes the staff-to-child ratio for unlicensed day centers to conform to that of licensed and regulated day centers during designated rest or sleep periods.
- SB1026 Nonprofit corporation
Authorizes the Foundation for Virginia's Natural Resources to establish a nonprofit, nonstock corporation to (i) foster collaboration and partnerships; (ii) raise money to finance projects providing environmental education, pollution prevention, and citizen monitoring; and (iii) promote the mission of the Foundation.
- SB1112 Virginia Tobacco Settlement Foundation; name change
Changes the name of the Virginia Tobacco Settlement Foundation to the Virginia Foundation for Healthy Youth and allows for moneys from the Virginia Tobacco Settlement Fund that are obtained primarily from public grants and private funding sources to be used to reduce childhood obesity in the Commonwealth.
- SB1222 Sales and use tax exemption; nonprofit entities
Provides that nonprofit entities with gross annual revenue of at least $750,000 in the previous year must file a financial review performed by an independent certified public accountant in order to be eligible for a sales and use tax exemption. However, for those nonprofit entities with gross annual revenue of at least $1 million in the previous year, the Department of Taxation may require that the entity provide a financial audit performed by an independent certified public accountant in lieu of the financial review.
Amended by Governor, Amendments accepted by Senate and Bill will go into law on July 1, 2009
- SB949 Organ donation; Virginia Donor Registry and Public Awareness Fund
Changes the name of the Virginia Transplant Council Education Fund to the Virginia Donor Registry and Public Awareness Fund, and requires the Department of Motor Vehicles to establish a procedure for driver's license applicants to voluntarily contribute to the Fund. Also makes technical corrections to make certain sections consistent with the Revised Uniform Anatomical Gift Act.
Passed both Houses but did not require Governor's action (Resolution)
- SJ337 Resolution; federal grant funding
Encourages the Commonwealth to seek additional federal grant funding for Virginia, and the assistance of the Department of Planning and Budget in helping state and local entities maximize federal grant funding opportunities.
*About VANNO: VANNO seeks to ensure that Virginia's nearly 40,000 nonprofit organizations are educated, engaged and equipped to serve their communities. Through training and technical assistance, its website, and collaborative efforts with other nonprofit support organizations, VANNO builds the capacity of nonprofit organizations to achieve excellence in management and governance. As the voice for Virginia's nonprofit sector, VANNO advocates for nonprofits and organizes nonprofits to advocate for themselves. To contact VANNO, please visit them on the web at www.vanno.org [Website invalid as of June 2023] or call 804.565.9871.
COBRA Health Continuation Coverage Under the Economic Stimulus Act
By: Mary Claire Chesshire, Esq.
The American Recovery and Reinvestment Act of 2009 implemented a subsidy for former employees and their dependents who have elected, or were offered the opportunity to elect, to continue health insurance coverage following termination of employment. The following are some FAQs about the new requirements.
Who is eligible for the subsidy?
Former employees or dependents of a former employee (collectively, "qualified beneficiaries") who lost or will lose coverage under a group health plan between September 1, 2008 and December 31, 2009, as a result of an involuntary termination of employment with the employer sponsoring the group health plan.
To which group plans does the subsidy apply?
The subsidy applies only to group health plans. COBRA premium payments for flexible spending plans are not eligible for the subsidy.
What is the amount of the subsidy?
Qualified beneficiaries who are eligible for the subsidy are required to pay 35% of the required COBRA premium.
How long does the subsidy last?
The subsidy lasts for nine months. However, the subsidy will end if the qualified beneficiary is eligible for coverage under another comparable group health plan or Medicare. The qualified beneficiary does not have to actually become covered under the group health plan or Medicare -- simply being eligible for coverage is sufficient to end the subsidy.
Does the subsidy extend the amount of time a qualified beneficiary will be eligible to continue coverage?
No. COBRA coverage still ends on the statutory termination date (18, 29 or 36 months following loss of coverage, depending on the event causing the loss of coverage).
Does the employer receive a credit for the subsidy?
Yes. The employer providing the subsidy will receive a credit against its payroll taxes for the amount of any subsidies provided to eligible individuals.
When is the subsidy effective?
Eligible individuals are entitled to the subsidy for the first period of coverage following enactment of the Economic Stimulus Act - typically, March 1, 2009. The Act includes a 60 day grace period to provide updated notices.
What are the notice requirements imposed on employers?
Employers must update their COBRA election forms to include information about the subsidy or provide an additional form or notice describing the subsidy.
What about otherwise qualified beneficiaries who did not previously elect continuation coverage?
An individual who loses coverage because an employee was involuntarily terminated on or after September 1, 2008, must be notified of the option to continue coverage with the subsidy.
Is the subsidy taxable to the recipient?
Generally, no.
Are there income limits on qualified beneficiaries on exclusion of the subsidy from gross income?
Yes. The tax-free aspect of the subsidy phases out for individuals with adjusted gross income of $125,000 or more ($250,000 for joint filers), with a complete phase out for individuals earning $145,000 ($290,000 for joint filers). These individuals may make an election to waive the subsidy.
Is additional help with implementing the subsidy available?
The Internal Revenue Service and U.S. Department of Labor have developed notices and outreach programs to assist employers with implementation of the new requirements. The outreach programs contain clarification of many of the requirements.