Legal Considerations for Data Gathering and Nonprofit Organizations (Part 2)

Amanda Luzzader

Three legal frameworks that nonprofit organizations should be acquainted with if they collect and maintain confidential information from donors, volunteers, staff, and clientele.

In the first part of this three-part article, we introduced three legal frameworks that nonprofit organizations should be acquainted with if they collect and maintain confidential information from donors, volunteers, staff, and clientele.

The first was the Telephone Consumer Protection Act (TCPA). Here in the second part, we'll introduce and discuss the laws that govern data protection and data breaches.

What is a data breach?

A data breach is said to occur when any form of confidential, proprietary, or sensitive data is exposed to unauthorized access.

According to Lutzker & Lutzker LLP, the number of significant data breaches in the United States doubled between 2019 and 2020 and affected every industry segment. According to a study by the Ponemon Institute sponsored by IBM, the average total cost of response and resolution of a data breach increased from $6.53 million to $7.01 million between 2015 and 2016, an increase of 17 percent. Similar studies have found the costs of data breaches have continued to rise and will continue to rise.

For a nonprofit, confidential, proprietary, or sensitive data may include a list of donors or volunteers, the personal information of the nonprofit's clientele, or the future plans or programs of the organization.

Ways in which a breach might occur include (1) intentional theft of the information by electronic intrusion, (2) indirect theft (e.g., the theft of a laptop or memory device containing sensitive data), (3) access to records that are improperly disposed of (e.g., paper documents that are not shredded or otherwise destroyed), and (4) "leaked" information that is passed along by a staff member or volunteer.

What laws apply to data breaches?

This is a very good question. The law governing data maintenance, data use, and data loss is an emerging area of jurisprudence that has been irregularly legislated and litigated. It is worth noting that there is no U.S. federal legal framework that comprehensively governs or regulates data collection, maintenance, and loss.

In 2002, the federal government adopted the Federal Information Security Management Act (FISMA), which mandates federal agency implementation of processes and procedures that ensure confidentiality, integrity, and availability of data and sensitive information.

No counterpart regulatory mandates exist yet for private, commercial, or nonprofit organizations, but all 50 states have adopted laws and codes that require organizations to inform consumers in the event of a data breach. The specifics of these laws, including who must comply, the definition of a "data breach," the definition of "personal information," the form and timing of notification, and other details differ for each state.

As is often the case in matters of personal liberties, privacy, and the like, California's response to the need for legal protections on sensitive data, the California Consumer Privacy Act of 2018 (CCPA), is widely considered the most comprehensive such law and is one that other states have imitated and emulated.

Implications for nonprofits

There is no exemption for nonprofits when it comes to legal mandates for disclosing data breaches. Generally speaking, nonprofits would not want to withhold news of a data breach from their donors, volunteers, staff, and clientele, of course, and no organization in the world wants its data to be stolen, lost, or accessed without authorization.

The first step to preventing data breaches is securing your organization's data. Securing the hardware with physical and electronic access controls is critical, obviously, and this covers internal access as well as external. Those who can access an organization's data should be limited in number, monitored, and periodically reviewed. Only those who need the data on a regular basis should be allowed to access it, and their use of it should be regulated.

Next, all forms of media and memory (e.g., laptops and other portable devices, memory devices, and storage media) should be inventoried and strictly regulated. Removal of data from the premises should be allowed only on a mission-critical basis if at all. And strict penalties should be in place for neglect or mismanagement of an organization's data.

Other forms of everyday security should likewise be followed, such as password security and the use of encryption.

Data breaches should be considered inevitable but treated as preventable. Unfortunately, this means all nonprofits should be aware of the precise details of when, how, and whom to notify after a data breach. This information should lead to the adoption of an organizational data-breach plan. A data-breach plan should be prepared with authorized legal oversight and should outline, step by step, how to handle data breaches according to the applicable state laws. A data-breach plan should be clear, periodically updated, and legally defensible.

Next, in the third part of the series, the concept and legal framework of the General Data Protection Regulation (GDPR) will be introduced and discussed.
