Nonprofit Report - February 2016
Plan To Fail
Your association will be hacked. Are you ready?
By: Jefferson C. Glassie
Originally published in Associations Now Magazine, published by ASAE.
You often hear lawyers talking about risk -- potential legal and other problems that can arise for an association. Well, there is one new risk that isn’t just a possibility: Your association will suffer a cybersecurity breach at some point in the future, and you’d better be ready.
A cybersecurity breach can be caused by bad guys, thieves, or hackers. Or it may happen because an employee leaves a laptop or personal device somewhere or because a staffer clicks on a phishing link that compromises your computer and management systems. But it will happen, and the best advice is this: Plan to fail well.
If you try to decide what to do after your organization has suffered a security breach, it’s too late. Association executives must plan in advance for a breach; there is no reasonable alternative. Here’s what to do:
- Get buy-in from leadership. Make sure that the volunteer leadership and the C-suite comprehend the fact that the association will suffer a security breach and must plan for it.
- Adopt a written information security policy (WISP). A WISP is probably already required of your association. Several state laws mandate that such a policy be in place if your organization has personally identifiable information on residents from that state.
- Make sure that all of your technology vendors also have a WISP. And make sure that they are contractually required to take all necessary steps to ensure the security of your association’s data and that they will indemnify and hold harmless the association if damages arise.
- Get cybersecurity insurance. It’s not automatically included in standard policies, so you have to ask for it. Make sure it’s the right policy; if your agent doesn’t know what you need, get another agent.
When you find out that all of your members’ credit card information has been stolen or that personally identifiable member information has been compromised, you will know what to do. Follow your WISP, which will tell you whom to call (first your lawyer, then your insurance agent), how to investigate the breach, what public and member relations steps to take to minimize the damage, and what other federal or state reporting obligations the association might have.
A breach will happen, one way or another, to all associations. Be prepared so that you know what to do when your organization has been hacked.
Top 5 Political Law Compliance Tips for 2016
Avoid Common and Costly Missteps that Accompany Political Contributions, Lobbying and Gifts
By: James A. Kahl
Another election year is upon us, and once again federal and state candidates are on track to raise and spend unprecedented sums for their election efforts. That means corporations, trade associations, 501(c)(4) advocacy organizations, their political action committees (“PACs”), leaders, members and donors will be inundated with political contribution requests. They may also be asked to help candidates and political parties in other ways, such as hosting fundraisers or providing in-kind contributions of goods or services.
For many organizations, political engagement is not an option – decisions by federal, state and local officials may be critical to their success. Any organization engaged in political activity must understand the basic rules of the road in order to avoid common pitfalls. Here are our Top 5 compliance tips for addressing the political law risks facing your organization this election year.
Compliance Tip No. 1: Know the contribution rules that apply to you
Federal corporate contributions are prohibited
- All incorporated entities, including corporations, trade associations and 501(c)(4) organizations, are prohibited from contributing to federally-registered candidates, political parties and PACs.
- However, direct and indirect independent corporate candidate advocacy is permitted by the Supreme Court’s Citizens United v. FEC ruling (e.g., radio, TV, cable, Internet and print ads expressly supporting or opposing candidates that are not coordinated with candidates). Corporate issue advocacy is also permitted.
Federal and state corporate contribution rules may differ significantly
- Only a few states allow unlimited corporate contributions in state/local elections.
- Contributions from incorporated entities are prohibited in about 20 states, and other states impose limits on corporate contributions.
Consider establishing a federal or state Political Action Committee (PAC)
- An incorporated entity (but not a 501(c)(3) organization) may establish a PAC as a vehicle for contributing when corporate funds cannot be used. PACs are funded by individuals affiliated with the organization. Only state-registered PACs can be used in some state/local elections.
Avoid common contribution missteps
- Conduit and “straw-man” contributions and contribution reimbursement schemes are almost always illegal, and are a favorite target for federal and state prosecutors.
- Corporate facilities or resources – such as conference rooms, copiers, phones and secretarial time – should not be used to assist in fundraising activities in support of federal candidates (unless paid by a permissible source or limited safe harbor rules apply). Such “corporate facilitation” can result in significant fines. This activity is also illegal in many states.
Compliance Tip No. 2: “Pay-to-Play” laws pose special risks for public contractors
- “Pay-to-play” laws may prohibit or restrict political contributions by state or local public contractors (including pension fund investment advisers and municipal bond broker-dealers). These contribution restrictions may also apply to the organization’s PAC, and to its officers, directors, senior managers and even their spouses and children.
- The sanctions for violating pay-to-play laws can be harsh – e.g., bids disqualified, contracts voided, prospective contract bans. In addition, adverse publicity is likely to accompany violations since the media covers pay-to-play violations closely.
Compliance Tip No. 3: Lobbying laws are increasingly onerous
- In many states, the term “lobbying” may mean more than just direct communications with legislators or executive branch officials. For example, lobbying laws and regulations may also cover “grassroots” lobbying (communicating with the public), “goodwill” lobbying (“getting to know” public officials) or “procurement” lobbying (communications about public contracts).
- States are also requiring more disclosure about lobbying activities, imposing political contribution restrictions on lobbyists and mandating ethics training for lobbyists and their employers.
Compliance Tip No. 4: Yes, a cup of coffee could be an illegal gift
- Gift giving is highly regulated by federal, state and local laws. Gift and ethics laws must be reviewed carefully because a “gift” may be anything of value – even a cup of coffee!
- Gift and ethics rules usually apply to gift giving to elected legislative and executive officials and career government employees. And most states impose additional gift restrictions on lobbyists and government contractors.
- Virtually all gift rules have exceptions, which allow for some level of gift giving. Common exceptions permit officials to receive invitations to receptions, awards and certificates, and informational materials. In some jurisdictions a wide range of gift giving is permitted, but advance planning is essential. When gift giving is allowed, the donor and/or recipient may have disclosure obligations.
Compliance Tip No. 5: Know – and manage – your risk
- Develop clear political activity policies and procedures (tailored to your organization’s level of political engagement) outlining “do’s and don’ts” for employees.
- Designate a “go-to” person who can respond to employees’ political activity questions.
- Establish tracking processes for gifts, contributions and other reportable expenditures to facilitate preparation of lobbying, campaign finance and IRS reports.
- On a periodic basis (i) provide training and/or informative materials for certain key employee groups and (ii) review the scope of your organization’s political activities to identify risk areas and prioritize compliance needs.