Presentation is loading. Please wait.

Presentation is loading. Please wait.

ADVANCING TRUST IN THE CHARITABLE SECTOR CONFERENCE June 12, 2015

Published byMelina Richards Modified over 5 years ago

Similar presentations

Presentation on theme: "ADVANCING TRUST IN THE CHARITABLE SECTOR CONFERENCE June 12, 2015"— Presentation transcript:

1 ADVANCING TRUST IN THE CHARITABLE SECTOR CONFERENCE June 12, 2015
BBB WISE GIVING ALLIANCE & THE INTERNATIONAL COMMITTEE OF FUNDRAISING ORGANIZATIONS BREACH OF DONOR DATA: BEYOND ONLINE SECURITY ADVANCING TRUST IN THE CHARITABLE SECTOR CONFERENCE June 12, 2015 Ellen Willmott General Counsel & Corporate Secretary The opinions expressed here are my own and not that of The Susan G. Komen Breast Cancer Foundation, Inc. 06/12/2015

2 HYPOTHETICAL: ITS FRIDAY AT 4 PM and THE Head of PROGRAM Calls to say – We’re Getting lots of angry calls about a “SAVE THE DATE” POSTCARD Sent to 10,000 SURVIVORS. WE DON’T KNOW WHY, HELP! 11/28/2018

3 OTHER TYPES OF PROTECTED DONOR DATA
A charity’s obligations to protect donor data extends beyond the protection of credit card and other financial information Under most state law schemes regulating , “sensitive personal information” or “protected personal information” includes an individual’s name (or first initial with last name) in combination with: The physical or mental health or condition of the individual; The provision of health care to the individual; or Payment for the provision of health care to the individual Many charities, particularly those in social and health services, collect certain types physical health information, and may be subject to the same breach notification requirements 11/28/2018

4 REGULATION OF Non-Financial Donor Information
While not all states include personal health information in the definition of protected/sensitive information in the privacy/breach notification laws, many do (e.g. CA, FL, VA, TX) HIPAA (Health Insurance Portability and Accountability Act) also governs protected health information of employees/volunteers covered under a regulated health plan (HIPAA obligations are not discussed here) State breach notification laws are strict liability –intent is irrelevant PERKINS COIE (nationally ranked law firm) maintains an excellent chart on state security and privacy laws 11/28/2018

5 What is the Risk? WHAT IS THE RISK TO YOUR CHAIRTY?
Publicity regarding breach of security/privacy laws: unauthorized access to the information (“unauthorized access of data in electronic form containing personal information”) unauthorized use of sensitive personal information - even if the access is authorized (“access by an employee or agent of the [charity] is not a breach of the security of the system, provided the information is not used for a purpose unrelated to the business or subject to further unauthorized use”) State law regulatory compliance Charity is responsible for complying with breach notification requirements in each state in which affected individual resides Third-party vendors maintaining databases may share in responsibility depending on type of breach and contract terms The charity spends valuable resources to comply with each state that regulates (italicized portions, excerpted from Fla. Stat. § ) 11/28/2018

6 Implement a response team/plan to manage
WHAT DO WE DO? Protect “sensitive” personal information (encryption, restricted access, etc.) Educate staff that has access to such information on what uses are permitted Review, understand and coordinate check the information provided to donors/stakeholders at the point of collection (REMEMBER: a charity collects information from may sources: message boards/chat rooms, event registrations, donation forms, direct service/reference pages, business reply envelopes - what do you tell donors and stakeholders at each point of collection? Implement a response team/plan to manage 11/28/2018

7 WHERE’s THE BREACH? So, why would that hypothetical “Save the Date” card be problematic? WHAT IF POSTCARD SAID…. Mr. JOE SMITH #5 ANY STREET HOMETOWN, AA 00000 Dear Mr. Smith, CONGRATULATIONS. IT IS TIME TO CELEBRATE YOUR VICTORY!!! SAVE THE DATE: January 1, 2014 OCCASION: CELEBRATING YOUR 5th YEAR AS A CANCER SURVIVOR WHERE : NEW LOCATION The access to “survivor status” information may be authorized - BUT the use of that information in an unprotected mailer could be state law breach if the charity doesn’t have permission to publish the individual’s health status 11/28/2018

8 Confidential & Proprietary
Conclusion Know what information is considered “sensitive” “protected” and/or “personal information” for state law purposes – manage to the most restrictive state Understand what donors/stakeholders are told at the point of collection (in every format) Use commercially reasonable measures to protect the information Educate those with access to protected information on what may and may not be done with that information Have a response team/plan in place to manage a breach situation Confidential & Proprietary 11/28/2018

Download ppt "ADVANCING TRUST IN THE CHARITABLE SECTOR CONFERENCE June 12, 2015"

Similar presentations

University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.

University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Confidentiality and HIPAA

Confidentiality and HIPAA
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.

1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
 Original Intent: ◦ Act passed in 1996 with two main goals: 1.Ensure individuals would be able to maintain their health insurance between jobs (the “portability”

 Original Intent: ◦ Act passed in 1996 with two main goals: 1.Ensure individuals would be able to maintain their health insurance between jobs (the “portability”
Regulatory Issues in Campus Computing Privacy and Security in a Digital World Presented by David Gleason, Esq. University Counsel University of Maryland,

Regulatory Issues in Campus Computing Privacy and Security in a Digital World Presented by David Gleason, Esq. University Counsel University of Maryland,
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.

HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.
HELPING PATIENTS KEEP IT CONFIDENTIAL KEEPING IT CONFIDENTIAL IN CALIFORNIA New Privacy Protections Under SB 138 Ruth Dawson ACLU of Southern California.

HELPING PATIENTS KEEP IT CONFIDENTIAL KEEPING IT CONFIDENTIAL IN CALIFORNIA New Privacy Protections Under SB 138 Ruth Dawson ACLU of Southern California.
Health Insurance Portability and Accountability Act (HIPAA)

Health Insurance Portability and Accountability Act (HIPAA)
IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.

IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.
Health IT Privacy and Security Policy Jodi Daniel, J.D., M.P.H. Director, Office of Policy and Research, Office of the National Coordinator for Health.

Health IT Privacy and Security Policy Jodi Daniel, J.D., M.P.H. Director, Office of Policy and Research, Office of the National Coordinator for Health.
Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule William P. Dillon, Esq. Messer, Caparello & Self, P.A. 2618 Centennial.

Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule William P. Dillon, Esq. Messer, Caparello & Self, P.A Centennial.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 1 HIPAA Learning Module The following is an educational Powerpoint presentation on the.

Version 6.0 Approved by HIPAA Implementation Team April 14, HIPAA Learning Module The following is an educational Powerpoint presentation on the.

Similar presentations

Ads by Google