Post on 10-Jul-2020
BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms.
Navigating Data Privacy and Cybersecurity for Nonprofits
November 2019
With You Today
Derrick King, Director, Governance, Risk & Compliance
703-245-8659 (O)
703-966-0217 (M)
dking@bdo.com
Topics
Privacy & Cybersecurity Drivers
Overview of Privacy and Cybersecurity Frameworks and Enforcement
Privacy and Cybersecurity Laws
• EU General Data Protection Regulation
• New US State Consumer Privacy Laws
• US State Breach Notification and Cybersecurity Laws
• US Federal Privacy and Cybersecurity Laws
Future-Proofing Your Privacy and Cybersecurity Program
Privacy & Cybersecurity Drivers
Why Privacy and Cybersecurity Are a Hot Topic
INNOVATION
Implementations of Artificial Intelligence, Blockchain, Robotic Process Automation, Internet of Things, etc. are bringing about new and different uses of personal data and privacy concerns. And, of course, more places to put PI.
DATA BREACHES & HACKS
Data breaches and hacks lead to adverse media attention, business disruption, customer trust erosion, goodwill and reputation loss, criminal and civil penalties and costs, complaints and lawsuits, and loss of revenues.
REGULATIONS
New privacy and data protection laws and regulations (with teeth) are being drafted and going into effect in the US, EU, and across the world. The US states are individually crafting their own unique versions.
Privacy Frameworks and Enforcement
Comprehensive Laws (Europe)
• Approach: General law governing a broad range of data processing activities in the private and public sector (e.g., GDPR)
• Enforcement: EU Member State Data Protection Authorities; Private Right of Action
Sectorial Model (United States)
• Approach: Privacy and cybersecurity legislation is adopted on a needs basis, when specific sectors and circumstances require it (e.g., HIPAA)
• Enforcement: Federal Laws: Sector Specific Agencies or the FTC; State Laws: State Attorney General or Private Rights of Action
Self Regulatory Model (United States)
• Approach: Self-regulation refers to companies and industry associations which establish codes of practice and implement self-policing techniques (e.g., Digital Advertising Alliance)
• Enforcement: Industry Associations against Members
Co-Regulatory Model (Canada)
• Approach: Industry develops the rules for privacy and cybersecurity protection
• Enforcement: Industry Enforcement and Agency Oversight (e.g., Office of the Privacy Commissioner in Canada)
Fair Information Privacy Principles: A Common Basis for a Majority of Privacy Frameworks
1. Transparency: Inform individuals about data processing practices
2. Individual Participation: Involve individuals in decisions regarding the processing of their personal data; provide mechanisms for exercising individual privacy rights
3. Purpose Specification: Articulate the purpose for the processing of personal data
4. Data Minimization: Only collect personal data that is directly relevant and necessary for the articulated purposes
5. Use Limitation: Only use data for the articulated purposes or compatible purposes
6. Quality and Integrity: Ensure personal data is accurate, relevant, timely, and complete
7. Security: Protect personal data with appropriate security measures against unauthorized access, loss, destruction, modification, and unintended and inappropriate disclosure
8. Accounting and Auditing: Be accountable for complying with the principles; provide training to relevant personnel; regularly review and audit compliance with the principles and other applicable privacy requirements
The General Data Protection Regulation (GDPR)
Applies to:
• Private and public sector
• For profit and nonprofit organizations
• Both those who “control” or “process” information
The GDPR became effective in May 2018 and applies to organizations wherever they are located that:
• Offer goods and services (including free services) to people in the EU; or
• Monitor the behavior of people in the EU (e.g., website analytics)
GDPR Application to Nonprofits in the United States
If you are unsure whether your nonprofit is subject to GDPR, start by considering the following questions:
Do you have affiliates established in an EU member state?
Does your organization offer goods or services to individuals in the EU?
Does your nonprofit solicit contributions from individuals in the EU?
Does your organization collect, process, view, or store EU personal data?
Does your nonprofit receive contributions from EU organizations or individuals?
* You can use this as a checklist within your organization.
GDPR Definitions
Processing
Any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal Data
Means any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.
“Controller” and “Processor”
Controller: Determines the purposes for which and the manner in which personal data is processed.
Processor: Processes personal data on behalf of the controller.
Sensitive Personal Data
Refers to special categories of personal data that bear extensive risks to the rights and freedom of individuals and are subject to additional protections (e.g., genetic data, biometric data, criminal information, religious and sexual orientation).
GDPR Detailed Overview: A Framework to Understand the Requirements
PRINCIPLES
• Fair, lawful, and transparent
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality
• Accountability
RIGHTS OF THE DATA SUBJECT
• Right to Know
• Right to Access
• Right to Data Portability
• Right to Rectify
• Right to Restrictions
• Right to Object to Automated Decisions
• Right to be Forgotten
CONTROLLER OBLIGATIONS
• Written records of processing
• Legal basis for processing
• Cross-border transfer mechanisms
• Transparent notices
• Freely given, specific, informed and unambiguous consent & withdrawal mechanisms
• Privacy by design and by default
• Privacy Impact Assessments (PIA) & Data Protection Impact Assessment (DPIA)
• Constraints and requirements for automated decisioning
• Security obligations
• Obligatory Data Protection Officer (DPO)
• Representatives
• Documented accountability mechanisms
PROCESSOR OBLIGATIONS (OPERATIONS AREAS)
• Contract requirements
• Policies and procedures
• Written records of processing activities
• Technology
• Third-party risk management and vendor accountability
• Information security
• Website activity
• Information governance/records retention
• Breach notifications
• Data Protection Impact Assessment (DPIA)
• Data transfer mechanisms
• Data subject access requests intake, verification, and fulfilment
GDPR by the Numbers
Number of Complaints to Data Protection Authorities: 144,376
Main Types of Complaints: Telemarketing; Promotion Emails; Video Surveillance/CCTV
Privacy Awareness in Europe: 67% of Europeans have heard of the GDPR; 57% of Europeans know of Data Protection Authorities and their Enforcement Power
Number of Breach Notifications: 89,271
Data from May 25, 2018 to May 25, 2019; Source: EU Commission Website
GDPR Enforcement Against Nonprofits and the Healthcare Industry
FACEBOOK V. WIRTSCHAFTSAKADEMIE SCHLESWIG-HOLSTEIN
• A nonprofit organization (Wirtschaftsakademie) collected user data of its Facebook page visitors without providing a privacy notice
• The Court of Justice of the EU held that the organization acted as a “joint controller” of data together with Facebook
• The German DPA was able to enforce notice requirements against the nonprofit organization
CENTRO HOSPITALAR BARREIRO MONTIJO
• A Portuguese hospital allowed unlimited access to patient data which should have been accessible only to doctors (985 profiles with access existed but only 296 doctors worked at the hospital)
• It failed to provide adequate data security measures to protect patient data
• The hospital was fined 400,000 Euros
GDPR Article 32 Cybersecurity Requirements: Intentionally Broad to Allow Varying Industry Standards
• Pseudonymization and encryption
• Ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
• Ability to restore the availability and access to personal data in a timely manner
• Regular testing, assessing, and evaluating the effectiveness of technical and organizational measures
OFFICIAL GUIDANCE: The UK (ICO) and French (CNIL) Data Protection Authorities Published Official Guidance:
• ICO Cyber Essentials: https://www.cyberessentials.ncsc.gov.uk/
• CNIL Security Guide: https://www.cnil.fr/en/new-guide-regarding-security-personal-data
Industry Standards:
• ISO 27001; AICPA Trust Service Criteria; Cloud Security Alliance Consensus Assessments Initiative Questionnaire; NIST 800-53; COBIT 5.0; and ENISA IAF
Recent Development of State Consumer Privacy Laws
Vermont (January 2019): The Vermont Data Broker Regulation requires data brokers to register annually with the Vermont Attorney General and to disclose information regarding their practices related to the collection, storage or sale of consumers’ personal information.
Nevada (October 2019): Nevada passed a privacy law which requires the Operators of online services to give consumers the right to opt out of the sale of their personal information.
California (January 2020): California toughens consumer privacy law. Expands definition of personal information, introduces individual privacy rights and notice requirements, requires the provision of an “Opt-out of Sale” button on websites, and introduces a right against discrimination when exercising privacy rights.
Maine (July 2020): The Maine Act to Protect the Privacy of Online Consumer Information prohibits internet service providers from any disclosure of customer data without consent, subject to limited exceptions.
In Process: Several newly proposed state privacy laws extend individual privacy rights and impose notice and opt-out requirements for the sale of personal data. They also extend privacy enforcement methods in case of violations. States with proposed laws: Hawaii, Illinois, Louisiana, Maryland, Massachusetts, Minnesota, New Jersey, New York, Pennsylvania, Rhode Island, Texas, Washington.
California Consumer Privacy Act (CCPA)
The CCPA, going into effect January 1, 2020, gives Californians extensive consumer privacy rights. The act sets requirements that regulate and attempt to limit the sale of personal information (PI). Applies to “for profit” businesses that:
• Have annual revenues > $25M
• Derive 50% of annual revenues from the sale of personal information
• Buy, sell, or share PI of > 50,000 CA residents
PRIVATE RIGHT OF ACTION AND PER CAPITA FINES UP TO $750 PER RECORD
HIGHLIGHTS
• Broad definition of PI includes identity, commercial, professional, electronic, behavioral, inferential, financial, transactional, biometric, and educational data.
• Enhanced disclosure obligations to consumers on how PI is collected, used, shared, disclosed, or sold, and from and to whom.
• Enhanced consumer rights including:
1. Right to Know
2. Right to Access
3. Right to Data Portability
4. Right to Say No or Opt-out
5. Right to Equal Service
6. Right to Deletion
Why is the CCPA Relevant For Nonprofits?
Contractual Obligations: Data Processing Agreements will likely require nonprofits to abide by the CCPA-compliant data collection and retention policies of for-profit partners
For-Profit Subsidiaries: A nonprofit may control a for-profit subsidiary which is subject to the CCPA
Joint Ventures with For-Profit Businesses: Both the nonprofit and the for-profit entity will likely need to agree on how data will be collected, stored, used, retained, or deleted
Best Practice: Complying with Fair Information Privacy Principles and industry best practice requirements not only provides positive PR, but also builds trust with sponsors and business partners
State Privacy Laws Relevant For Nonprofits: New York Privacy Act (Senate Bill S5642)
The New York Privacy Act is currently in the Senate’s Consumer Protection Committee. If passed, it will give NY residents the most sweeping, comprehensive and empowering consumer privacy rights in the country. Applies to all businesses including nonprofits.
• Requires businesses to act as so-called “data fiduciaries.”
• Distinguishes between “controllers” and “processors” and requires a legal basis.
PRIVATE RIGHT OF ACTION AND ATTORNEY’S FEES
HIGHLIGHTS
• Broad definition of PI includes identity, commercial, professional, electronic, behavioral, inferential, financial, transactional, biometric, and educational data.
• Enhanced disclosure obligations to consumers on how PI is collected, used, shared, disclosed, or sold, and from and to whom.
• Enhanced consumer rights including:
1. Right to Know
2. Right to Access
3. Right to Correct
4. Right to Data Portability
5. Right to Say No or Opt-out
6. Right to Deletion
Threat Landscape
Increasing Intrusions
Nonprofit Case Study:
In May 2017, fraudsters hacked a “Save the Children Foundation” employee’s email address and created a number of false invoices. The foundation lost $1 million due to this attack.
In February 2016, the Urban Institute’s National Center for Charitable Statistics was the victim of a malicious attack that compromised 600–700 organizations.
Risk is everywhere!
[Timeline figure: breaches by year, 2005 through 2019, with HackingTeam as a labelled event; rate of breaches increasing since 2005]
Threat Landscape
Who Is Stealing Your Information?
Internal actors were responsible for 43% of data loss, half of which is intentional, half accidental.
New Data Breach and Cybersecurity Laws in the United States
Delaware (April 2018): Delaware broadens and toughens data breach notification law. 60 day breach notification deadline. One (1) year of credit monitoring, similar to CA and CT. Imposes new cybersecurity standards to implement reasonable information security measures on companies.
Arizona (April 2018): Arizona toughens data breach notification law. Expands definition of personal information to include biometric, health insurance & login data and private keys to authenticate records. 45 day breach notification deadline.
Alabama (June 2018): Becomes the 50th State. Includes requirements for an employee to coordinate security measures, identify risks, adopt and assess safeguards to address risks, retain service providers contractually required to maintain safeguards, evaluate security measures for sensitive PII, and keep the board of directors and leadership informed.
Oregon (June 2018): Oregon broadens and toughens data breach notification law. 45 day breach notification deadline. One (1) year of credit monitoring, similar to CA and CT. Imposes new cybersecurity standards to implement reasonable information security measures on companies.
South Dakota (July 2018): Becomes the 49th State to adopt a data breach notification law. 60 day breach notification deadline.
US State Breach Notification Laws
• Apply to for-profit and nonprofit organizations
• “Personally Identifiable Information” is generally defined narrowly and is often limited to:
  • Social Security number
  • Driver’s license number
  • State identification card or passport number
  • Financial account number in combination with any required security code, access code, or password that would permit access to an individual’s financial account
• Require notice of security incidents to the State Attorney General and/or affected individuals based on the level of harm or risk caused to individuals or the number of affected individuals
• Violations may result in high civil penalties per violation, private right of action and restitution claims
Roadmap to a Robust Breach Response Program
1. Understand the collection and flow of Personal Information in your systems.
2. Determine security gaps and understand what breach protection measures you have in place.
3. Understand which breach laws apply to you.
4. Develop incident response strategies, roles, responsibilities, and easily accessible procedures.
5. Know who to consult in case of a breach (e.g., outside counsel, cyber liability insurance, consultants).
Best Practices to Implement Cybersecurity
SOFTWARE PATCHING: Lack of software updates
ACCESS CONTROL: Who has access to your system and do they really need it?
THIRD PARTY VENDORS: Are your third party vendors secure?
PEOPLE: Internal actors up to no good or being exploited
Other Relevant Federal Privacy Laws
HIPAA: Applies to organizations that provide health care services or conduct data processes on behalf of health care providers.
FCRA: May apply when organizations use consumer reports to make employment decisions, including hiring, retention, promotion or reassignment.
COPPA: Applies to organizations that provide online services targeted to children and that collect data.
FERPA: Applies to federally funded educational institutions.
Future-Proofing Your Privacy Program: How to Comply
• ASSIGN ACCOUNTABILITY & OWNERSHIP
• ESTABLISH STANDARDS, PROCEDURES & CONTROLS
• KNOW YOUR DATA FLOWS & PROCESSING
• MONITOR & REMEDIATE
• ESTABLISH PRIVACY PRINCIPLES AND POLICIES
• ADOPT PRIVACY BY DESIGN & DEFAULT MINDSET
• TRANSPARENT AND LEGITIMATE DATA USE
• ESTABLISH END-TO-END SECURITY
Challenges When Implementing Privacy and Cybersecurity
• Protect through the entire lifecycle
• Discover relevant business functions and data
• Identify gaps and govern processing
• Build a roadmap to manage data throughout its lifecycle
• Meet at incremental times to check in on progress of the governance committee
• Implement technologies to better manage data
• Train personnel on data governance practices
• Evaluate policy and procedure gaps
• Define classification and retention schemas
• Outline roles and responsibilities to manage data
• Identify potential technology solutions to better manage data
• Get buy-in to form a governance program
• Form a governance committee
• Map data sources; understand how data is managed throughout the organization
• Identify sensitive data used by businesses
BDO Privacy Services Overview
Outsourced DPO and Privacy Services
Focus on staffing solutions for a wide range of publicly traded and privately held companies. Partners with IT leaders to deliver strategy and technology solutions to address business needs through CIO Advisory, Program/Project Management delivery, Outsourcing, and Staff Augmentation.
Strategy and Readiness
Undertake interview process that exposes risks and challenges. Integrate leading practices and industry knowledge into privacy approaches. Define a longer-term strategy that supports privacy objectives of the company. Delineate the discrete initiatives that combine to create a successful privacy compliance program.
Assessments
Evaluate products, processing activities and processes, monitoring procedures or vendors. Conduct vendor/third party GDPR and CCPA readiness assessments. Identify technical controls, policies, procedures, process or documentation that require updates.
Implementation Services
Implement requirements to align with Privacy by Design and Default. Implement BDO’s Data Reduction by Design strategies using Records Management. Align business practices, policies, and procedures with GDPR Articles and CCPA requirements. Implement practices to train, communicate and manage the data privacy program. Identify overlaps between GDPR and other privacy regulations and construct a shared solution approach.
Outsourced Data Subject Request Services
Staffing for tracking, reviewing, and responding to GDPR and CCPA data subject/consumer requests. Online reporting to ensure regulatory timing requirements using automated workflow. Long-term outsourcing or short-term outsourcing.
Privacy Desk
Up to date regulatory information tailored and sent to the company and the chief privacy officer. Privacy software platform implementation and support using industry leading software.
This document contains information that is proprietary and confidential to BDO USA, LLP, the disclosure of which could provide substantial benefit to competitors offering similar services. Thus, this document may not be disclosed, used, or duplicated for any purposes other than to permit you to evaluate BDO to determine whether to engage BDO. If no contract is awarded to BDO, this document and any copies must be returned to BDO or destroyed.
Material discussed is meant to provide general information and should not be acted on without professional advice tailored to your needs.
© 2019 BDO USA, LLP. All rights reserved. www.bdo.com
BDO is the brand name for BDO USA, LLP, a U.S. professional services firm providing assurance, tax, and advisory services to a wide range of publicly traded and privately held companies. For more than 100 years, BDO has provided quality service through the active involvement of experienced and committed professionals. The firm serves clients through more than 60 offices and over 700 independent alliance firm locations nationwide. As an independent Member Firm of BDO International Limited, BDO serves multi-national clients through a global network of more than 80,000 people working out of nearly 1,600 offices across 162 countries.
BDO is the brand name for the BDO network and for each of the BDO Member Firms.