Technology

An Ounce of Prevention: Establish an Effective Privacy/Cybersecurity Program

Data breaches have become common occurrences. Nearly every business—including nonprofits—collects, stores, and uses personal information (PI) that’s valuable to bad actors. All organizations store and process PI about their employees, and many nonprofits store and process PI about their donors and volunteers. Bad actors can cause financial harm to those whose PI is stolen, but data breach notification laws are one step toward protecting individuals. Organizations can also mitigate the risk of a data breach by implementing a privacy and cybersecurity program and related processes and controls.

Data Breach Notice Laws

There are more than 50 data breach notice laws in the United States, and California was the first to try to protect affected individuals from the harm of stolen data. It enacted a data breach notification law nearly 20 years ago, and the law’s rationale is that individuals who have notice of a breach can take steps to protect themselves from identity theft and financial harm.

All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands now have data breach notification laws requiring organizations that collect, use, and store PI to notify consumers if their PI is breached.

Closer Look: District of Columbia, Maryland, and Virginia

There are similarities among the current data breach notification laws in the District of Columbia, Maryland, and Virginia. Breach is defined as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PI.

The cause of the breach is irrelevant. It can result from criminal activity or employee error—for example, sending PI to the wrong individual. Encrypted PI doesn’t trigger data breach notification even if a bad actor infiltrates a system in which PI is stored.

It’s important to remember that nonprofits aren’t exempt from reporting a data breach under the current District, Maryland, and Virginia laws.

The District’s data breach notification law went into effect on June 8, 2020. PI is defined as the first name or initial and last name, plus Social Security number, passport number, driver’s license number, financial account number with access code or password, medical information, genetic information, or biometric information.

Organizations that suffer a breach must notify affected individuals as soon as possible and without unreasonable delay. Notice must also be sent to the District’s attorney general (AG) and consumer reporting agencies under certain circumstances. Notice isn’t required if an organization determines it’s unlikely the individuals will be harmed, but that determination must be after investigation and consultation with the AG.

Maryland’s data breach notification law became effective on January 1, 2008, and has many similarities to the District’s. The definition of PI is similarly broad. Notice doesn’t need to be given in the case of a breach of unencrypted PI if the organization reasonably determines the PI won’t be misused (for example, for identity theft). Notice must also be sent to the Maryland AG under certain circumstances.

Virginia’s data breach notification law was effective as of July 1, 2008, but it isn’t as consumer-friendly, at least with regard to the definition of PI, as the District and Maryland laws. PI is limited to first name or first initial and last name in combination with Social Security number, driver’s license number or state identification card number, financial account number with a required access code, passport number, or military identification number. For example, notice isn’t required under the Virginia law if a bad actor acquires a consumer’s health information.

An organization must notify affected individuals of a breach of unencrypted PI without unreasonable delay if it reasonably believes the affected individuals have been or will be victims of identity theft or fraud. The Virginia AG and consumer reporting agencies must also be notified under circumstances described in the law.

There are also differences among the three laws. Virginia’s definition of PI isn’t as broad as those set out in the District and Maryland laws. Notice in Maryland must be given as soon as possible but not later than 45 days after an organization discovers or is notified of a breach. The time frames in the District and Virginia are without unreasonable delay. Finally, the District law doesn’t apply to its government agencies, and Maryland and Virginia don’t exempt their state government agencies.

Your Privacy and Cybersecurity Program

Data breaches are costly. IBM reported in 2022 that the average cost of a data breach was $4.35 million. The costs include fees charged by cybersecurity forensics consultants, outside attorneys, and public relations firms, as well as costs relating to data restoration, system downtime, modifying systems to eliminate the cause of the breach, and notifying affected individuals.

In the case of ransomware, some breach victims choose to pay the ransom. Some organizations don’t have cybersecurity insurance, and those that do have high deductibles. Building an effective program that uses reasonable and appropriate security measures lessens the chance of a data breach.

There are six steps a business should take to implement a privacy and cybersecurity program:

Data mapping/data classification. Many businesses don’t know the systems and databases in which the PI they collect is processed and stored. In addition, many businesses use third parties to process and store PI. Data mapping is a process by which a business locates its PI and tracks it to each system used to process and store the PI. Don’t forget PI stored in hard copy.

Data should be classified after it’s located, and it usually falls into one of three categories:  PI, proprietary but not PI, and public information.

Risk assessment. You should then assess the risks of processing and storing your PI. Measure current practices against a set of industry-recognized data-handling practices, and remediate the gaps.

Policies, processes, and procedures. You should adopt written privacy and security policies, processes, and procedures related to handling and storing information. Regulators will ask for these if your business is investigated.

Incident response plan (IRP). Every organization needs an IRP, which sets out procedures that will be followed when a business has a known or suspected security incident. Test the IRP periodically via a tabletop exercise.

Training. Many security incidents occur because well-meaning people aren’t careful or knowledgeable, so it’s crucial to train staff and volunteers on secure data-handling practices. For example, train staff and volunteers on what to look for to spot phishing emails. Personnel who have been trained are far less likely to open these.

Audit. Audit your program, and address the gaps. Strive for constant improvement.

Practices to Consider

Some specific practices to include in your privacy and cybersecurity program are:

  • All confidential information, including PI, should be encrypted at rest and in transit. Bad actors can’t use encrypted information.
  • Require users to use complex passwords. A password should be at least eight characters that include upper and lowercase letters, numbers, and symbols. Also, require users to change passwords at least every 90 days.
  • Make multifactor authentication mandatory. A second login credential decreases bad actors’ ability to infiltrate an employee’s account.
  • Keep all software updated with the latest patches and security configurations.
  • Consider buying cyber insurance.
  • Train employees and volunteers to be wary of working in public spaces using public Wi-Fi and hot spots. Be sure workers use a virtual private network (VPN).

Bottom Line

An ounce of prevention is worth a pound of cure. No amount of effort will make your organization completely breach-proof, but a well-thought-out, risk-based privacy and cybersecurity program will make it difficult for bad actors to gain access to your organization’s data.

Bruce F. Martino is an attorney with Whiteford, Taylor & Preston, L.L.P., in Baltimore, Maryland. You can reach him at bmartino@whitefordlaw.com

Leave a Reply

Your email address will not be published. Required fields are marked *