A 2020 Pragmatist’s Guide to US Digital Privacy Laws: CCPA, SHIELD

 

Special thanks to RoundTable Technology, a leader in cyber security for nonprofits

This article is for the overworked techie in charge of all of the digital things who just panicked that it is 2020 and there are new privacy laws. 

There are two new major online privacy policy changes coming in 2020, the CCPA in California and SHIELD act in New York. The New York Stop Hacks and Improve Electronic Security act and the California Consumer Privacy Act. There are also multiple bills moving through legislature in no less than 25 other states and the federal government (COPRA) that could become law in 2020.

These acts mimic the standard set by the European Union with GDPR and many of the policies will sound familiar. What is weird is that these acts begin to treat U.S. State boundaries more like digital country borders protecting State residents data differently. Whether federal legislation, if passed, will supercede the state laws remains to seen. Right now it is very much the Wild Wild West with data privacy in the US. 

If you were paying close attention when GDPR came around in 2018 and your organization is confidently GDPR-compliant, you are probably in good shape beyond some updates to privacy policy language. If your organization ignored GDPR because of the EU only audience, then you have officially stumbled upon the can you kicked down the road in 2018 and it is time to start doing the privacy/protection work. 

How does the CCPA apply to my organization?

The California Consumer Privacy Act (CCPA) does NOT apply to nonprofits unless they 

“control or are controlled by a for-profit business or that share common branding with covered business are covered by the California Consumer Protection Act, which grants consumers new rights including data transparency and data deletion rights.”

For businesses, it only applies if annual gross revenues are +$25M or have over 50k Californians, or are selling these data in a way that represents over 50% of annual revenue).  If you Googled something to find this article it probably means CCPA doesn’t apply to your organization (no offense, but lawyers are probably on it already if you meet these qualifications). 

 

How does the SHIELD Act apply to my organization?

New York Stop Hacks and Improve Electronic Security Act (SHIELD)  does NOT apply businesses or nonprofits that have fewer than 50 employees, $3M in gross revenue in each of the past 3 fiscal years, OR less than $5M in total assets. 

SHIELD defines compliance of the policy as:

“reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” (https://www.nysenate.gov/legislation/bills/2019/s5575

Note that the word “reasonable” has a specific legal definition with a long history within the legal system (cool fact, one of the people most connected to this standard was named “Learned Hand”). 

For purposes of “reasonable” cybersecurity measures, the FTC provides this language: “Employing reasonable safeguards to protect the confidentiality, integrity or availability of data given the type, amount and sensitivity of that data in relation to the size, sophistication and capability of the organization.”

What do they mean for nonprofits? 

One way or another, privacy regulation is coming and will impact all nonprofits in the US, regardless of size or 501c3 status. We can break down your responsibilities into two fundamental capabilities:

1. Know your data

The practices are in alignment with nonprofit values AND good practices anyway. 

On the privacy side, these privacy laws are asking you to do some pretty basic things:

  • Get consent before collecting someone’s personal information
  • Know what you’re doing their information when you do collect it
  • Be able to tell them what information you have about them
  • Be able to delete their information if they ask you to or revoke their consent
  • Take reasonable steps to protect my information
  • Let me know within a reasonable timeframe (48 hrs) if you do expose my information
  • Be ready to handle DSARs (see below)

2. Protect your data

On the cybersecurity side, it’s about those last two items

  • If you aren’t engaging in reasonable cybersecurity practices, you’re not doing a good job of protecting my information
  • If you don’t have reasonable cybersecurity measures in place, you won’t know if my information gets exposed, or be able to tell me in a reasonable if you do find out. 

 

Data Subject Access Requests (DSARs)

Full Guide to DSARs: https://wirewheel.io/wp-content/uploads/2018/10/WireWheel-eBook-Ultimate-Guide-to-Data-Subject-Access-Request-Management.pdf

How should we plan for enforcement as a mid-sized nonprofit? 

Get a handle on your data practices: 

  • Get consent before collecting data
  • Know what data you collect
  • Know where the data lives in your systems
  • Know who you share it with
  • Don’t collect information you don’t need
  • Get rid of data when you no longer need it
  • Communicate all of that clearly in your privacy policy. 

Get a handle on your cybersecurity

  • Designated person responsible for cybersecurity at your organization
    • Outsourced cybersecurity resource as needed
  • Annual risk assessments
  • Ongoing Staff training
  • Phishing Simulations
  • Dark Web Scanning
  • Vulnerability Testing (passive, generally inexpensive)
  • Penetration Testing (active, more espensivep, but look for pro-bono)
  • Incident Response Planning (especially around breach detection and notification)
  • Cyber Liability Insurance (review your plan carefully, ask LOTS of questions)
  • 2FA/MFA (for the love of all things holy, PLEASE – 2FA/MFA
  • Password Managers

How worried should I be if I just ignore all of this security stuff

Yikes, if you are really looking for the answer here beware. But, here are some guardrails to be extra wary of given these new acts:

  • Buying donor lists from a third party and using them to add personal information to existing lists. 
  • Using wealth screening regularly on NY or CA residents if you are a large (+$25M organization).
  • If you have no privacy policy language, or language doesn’t include any of the Google Analytics, Facebook, HubSpot or other tracking software being used. 
  • If your privacy page has no contact info for DSAR messages. 
  • If your site is large (over 50k MAU) and doesn’t ask for cookie consent.
  • If you know that your current cyber security policies haven’t been updated in the past 5 years and worse if you’ve had breaches in the past and have made no effort to improve. 

 

NY SHIELD Cybersecurity Implications

Cybersecurity Program Requirements

The SHIELD law requires “any person or business that owns or licenses computerized data which includes private information of a resident of New York” to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including, but not limited to, disposal of data.” The safeguards can be tailored based on the size and complexity of the institutions but must at a minimum include:

  • designation and training of employees to coordinate cybersecurity compliance;
  • the use of third-party service providers capable of maintaining appropriate cybersecurity practices, with safeguards required by contract;
  • risk assessment of the company’s cybersecurity program, including both the network and software design and the information processing, transmission and storage;
  • processes and physical safeguards to detect, prevent and respond to attacks or system failures;
  • monitoring and testing of the effectiveness of the cybersecurity program;
  • processes to safely, securely and permanently dispose of data within a reasonable amount of time after it is no longer needed for business purposes; and
  • updates to the program periodically to address changes in the business or circumstances that would require the program to be changed

Data Breach Notification Requirements

The SHIELD Act expands the definition of data breach to cover any situation involving unauthorized “access” to “private information,” regardless of whether such data is “acquired.” In the event of a data breach, the Act requires prompt notice to affected individuals and to government authorities. The SHIELD Act contains an exception, however, to the requirement to notify affected individuals if the exposure of private information was “inadvertent,” by persons authorized to access the information, and the business “reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.”

The New York Attorney General is charged with enforcing the SHIELD Act. While the SHIELD Act does not create a private right of action, the Attorney General may bring an action for civil penalties or to enjoin unlawful practices. The statute also expands the time period within which the Attorney General may bring an action from two to three years. Penalties for failing to provide notice in the event of a data breach can amount to the greater of $5,000 or up to $20 per instance of a failed notification, up to $250,000 per breach. Penalties for failing to adopt reasonable safeguards can be imposed up to $5,000 per violation.

Coverage of Nonprofits

Nonprofit organizations are covered by the SHIELD Act. The SHIELD Act extends the reach of New York law breach notification requirements to any person or entity with private information of a New York resident, regardless of the company’s size or where it conducts business. The Act provides flexibility in meeting data security requirements for “small businesses,” however. A “small business” is defined as one with (i) fewer than 50 employees; (ii) less than $3 million in gross annual revenue in each of the last three fiscal years; or (iii) less than $5 million in year-end total assets. A small business will be deemed compliant with the SHIELD law’s data privacy requirements if it has adopted “reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.”

Although the law takes effect on October 23, 2019, it provides until March 21, 2020 (240 days after enactment) for the establishment of the required data protection program. Nonprofit organizations that have not previously been subject to cybersecurity regulatory requirements will need to promptly evaluate the sufficiency of both their internal programs and the third-party service providers they use to ensure compliance with the comprehensive cybersecurity requirements of the SHIELD Act. Those that already have cybersecurity programs will need to update them in light of the new requirements.

 

What to do next

  1. Appoint an internal captain (Data Controller) so that there is distinct ownership over compliance. While everyone will have a hand in following new policy, there also needs to be someone who “owns” it on the whole.
  2. Audit your data. Perform a data audit and inventory with digitalimpact.io. This can be done in a few minutes with the right people in the room. From this audit, identify all of your organization’s data processors and check their privacy policies and recommended disclosures.
  3. Understand the risk. Your new captain (Data Controller) should then review the links in this article with an eye to what areas will be the most sensitive for your organization. Create a risk assessment of your inventory to better understand the level of investment needed and create.
  4. Talk to a lawyer. Try to find a pro-bono lawyer to join your board (legal fees can add up). Ask about whether you need to add or update a cookie disclaimer, especially if your website targets NY or CA residents.
  5. Update your privacy policy with your lawyer’s input. Need inspiration? Check out Amnesty International’s clear and comprehensive privacy and cookie policy.
  6. Cookie notices. Consider adding cookie permission pop-ups for your site using CookiePro or Cookiebot.
  7. Prevention and protection. Most of your prep for CCPA and SHIELD will probably be a reactive activity meant to cover legal threats based on the organization’s conduct. Whole Whale created a Cybersecurity Course that will help everyone on your staff build tech capacity and help safeguard against attacks that lead to the most common data breaches.

Updated 2020 cybersecurity tips leaders of orgs should be thinking about for staff.

  • Two-Factor Authentication (2FA) on everything
  • Use a Password manager like lastpass.com 
  • Darkweb Scans
  • Consider threat monitoring (both digital and physical) services if engaged in work that might make you a target
  • Consider Whole Whale’s Cyber Security Course

 

Resources / Links: