
BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms.

Navigating Data Privacy and Cybersecurity ForNonprofits

November 2019


With You Today

Derrick King, Director, Governance, Risk & Compliance

703-245-8659 (O) | 703-966-0217 (M) | [email protected]


Topics

Privacy & Cybersecurity Drivers

Overview of Privacy and Cybersecurity Frameworks and Enforcement

Privacy and Cybersecurity Laws

• EU General Data Protection Regulation

• New US State Consumer Privacy Laws

• US State Breach Notification and Cybersecurity Laws

• US Federal Privacy and Cybersecurity Laws

Future-Proofing Your Privacy and Cybersecurity Program

Privacy & Cybersecurity Drivers

Why Privacy and Cybersecurity Are a Hot Topic

INNOVATION

Implementations of artificial intelligence, blockchain, robotic process automation, Internet of Things, etc. are bringing about new and different uses of personal data and new privacy concerns. And, of course, more places to put PI.

DATA BREACHES & HACKS

Data breaches and hacks lead to adverse media attention, business disruption, erosion of customer trust, loss of goodwill and reputation, criminal and civil penalties and costs, complaints and lawsuits, and loss of revenue.

REGULATIONS

New privacy and data protection laws and regulations (with teeth) are being drafted and going into effect in the US, the EU, and across the world. US states are individually crafting their own unique versions.

Overview of Privacy and Cybersecurity Frameworks


Privacy Frameworks and Enforcement

Comprehensive Laws (Europe)
Model: A general law governs a broad range of data processing activities in the private and public sector (e.g., GDPR).
Enforcement: EU Member State Data Protection Authorities; private right of action.

Sectoral Model (United States)
Model: Privacy and cybersecurity legislation is adopted on a needs basis, when specific sectors and circumstances require it (e.g., HIPAA).
Enforcement: Federal laws by sector-specific agencies or the FTC; state laws by the State Attorney General or through private rights of action.

Self-Regulatory Model (United States)
Model: Companies and industry associations establish codes of practice and implement self-policing techniques (e.g., Digital Advertising Alliance).
Enforcement: Industry associations against their members.

Co-Regulatory Model (Canada)
Model: Industry develops the rules for privacy and cybersecurity protection.
Enforcement: Industry enforcement with agency oversight (e.g., the Office of the Privacy Commissioner of Canada).

Fair Information Privacy Principles: A Common Basis for a Majority of Privacy Frameworks

1. Transparency: Inform individuals about data processing practices.

2. Individual Participation: Involve individuals in decisions regarding the processing of their personal data; provide mechanisms for exercising individual privacy rights.

3. Purpose Specification: Articulate the purpose for the processing of personal data.

4. Data Minimization: Only collect personal data that is directly relevant and necessary for the articulated purposes.

5. Use Limitation: Only use data for the articulated purposes or compatible purposes.

6. Quality and Integrity: Ensure personal data is accurate, relevant, timely, and complete.

7. Security: Protect personal data with appropriate security measures against unauthorized access, loss, destruction, modification, and unintended or inappropriate disclosure.

8. Accountability and Auditing: Be accountable for complying with the principles; provide training to relevant personnel; regularly review and audit compliance with the principles and other applicable privacy requirements.

The General Data Protection Regulation (GDPR)


Applies to:

• Private and public sector
• For-profit and nonprofit organizations
• Both those who “control” and those who “process” information

The GDPR became effective in May 2018 and applies to organizations, wherever they are located, that:

• Offer goods and services (including free services) to people in the EU; or
• Monitor the behavior of people in the EU (e.g., website analytics)


GDPR Application to Nonprofits in the United States

If you are unsure whether your nonprofit is subject to GDPR, start by considering the following questions:

Do you have affiliates established in an EU member state?

Does your organization offer goods or services to individuals in the EU?

Does your nonprofit solicit contributions from individuals in the EU?

Does your organization collect, process, view, or store EU personal data?

Does your nonprofit receive contributions from EU organizations or individuals?

* You can use this as a checklist within your organization.

GDPR Definitions

Processing: Any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Personal Data: Any information relating to an identified or identifiable natural person, i.e., one who can be directly or indirectly identified, in particular by reference to an identifier.

Controller: Determines the purposes for which and the manner in which personal data is processed.

Processor: Processes personal data on behalf of the controller.

Sensitive Personal Data: Special categories of personal data that bear extensive risks to the rights and freedoms of individuals and are subject to additional protections (e.g., genetic data, biometric data, criminal information, religious beliefs, and sexual orientation).


GDPR Detailed Overview: A Framework to Understand the Requirements

PRINCIPLES
Fair, lawful, and transparent processing; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; accountability.

RIGHTS OF THE DATA SUBJECT
Right to know; right to access; right to data portability; right to rectify; right to restriction; right to object to automated decisions; right to be forgotten.

CONTROLLER OBLIGATIONS
Written records of processing; legal basis for processing; cross-border transfer mechanisms; transparent notices; freely given, specific, informed and unambiguous consent and withdrawal mechanisms; privacy by design and by default; Privacy Impact Assessments (PIA) and Data Protection Impact Assessments (DPIA); constraints and requirements for automated decisioning; security obligations; a Data Protection Officer (DPO) where obligatory; representatives; documented accountability mechanisms.

PROCESSOR OBLIGATIONS (OPERATIONS AREAS)
Contract requirements; policies and procedures; written records of processing activities; technology; third-party risk management and vendor accountability; information security; website activity; information governance and records retention; breach notifications; Data Protection Impact Assessment (DPIA); data transfer mechanisms; data subject access request intake, verification, and fulfilment.


GDPR by the Numbers

Number of complaints to Data Protection Authorities: 144,376

Main types of complaints: telemarketing, promotional emails, video surveillance/CCTV

Privacy awareness in Europe: 67% of Europeans have heard of the GDPR; 57% of Europeans know of Data Protection Authorities and their enforcement power

Number of breach notifications: 89,271

Data from May 25, 2018 to May 25, 2019; source: EU Commission website


GDPR Enforcement Against Nonprofits and the Healthcare Industry

FACEBOOK V. WIRTSCHAFTSAKADEMIE SCHLESWIG-HOLSTEIN

A nonprofit organization (Wirtschaftsakademie) collected user data of its Facebook page visitors without providing a privacy notice.

The Court of Justice of the EU held that the organization acted as a “joint controller” of the data together with Facebook.

The German DPA was therefore able to enforce notice requirements against the nonprofit organization. (The case was decided under the pre-GDPR Data Protection Directive, but the joint-controller reasoning carries over to GDPR Article 26.)

CENTRO HOSPITALAR BARREIRO MONTIJO

A Portuguese hospital allowed unrestricted access to patient data that should have been accessible only to doctors: 985 profiles with access existed, but only 296 doctors worked at the hospital.

It failed to provide adequate data security measures to protect patient data. The hospital was fined 400,000 euros.

GDPR Article 32 Cybersecurity Requirements: Intentionally Broad to Allow Varying Industry Standards

• Pseudonymization and encryption of personal data
• Ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
• Ability to restore the availability of and access to personal data in a timely manner
• Regular testing, assessing, and evaluating of the effectiveness of technical and organizational measures

OFFICIAL GUIDANCE: The UK (ICO) and French (CNIL) Data Protection Authorities point to published guidance:

• Cyber Essentials (the UK NCSC scheme the ICO recommends as a security baseline): https://www.cyberessentials.ncsc.gov.uk/
• CNIL Security Guide: https://www.cnil.fr/en/new-guide-regarding-security-personal-data

Industry standards: ISO 27001; AICPA Trust Services Criteria; Cloud Security Alliance Consensus Assessments Initiative Questionnaire; NIST SP 800-53; COBIT 5; and ENISA IAF
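The first Article 32 item, pseudonymization, is where implementations most often go wrong: hashing an email address with plain SHA-256 feels anonymous, but anyone holding a list of candidate addresses can rebuild the mapping. The following Python is an added example for illustration and is not code from the BDO deck. The donor records are constructed, and the separation it shows (a keyed token in the export, the key held elsewhere) is the property GDPR Article 4(5) requires of pseudonymous data: the "additional information" needed to re-identify must be kept separately.

```python
"""Pseudonymization for GDPR Art. 32(1)(a): unkeyed hash vs. keyed HMAC.

Added example, not from the BDO deck. DONORS is a constructed sample export.
"""
import hashlib
import hmac
import secrets

# Constructed sample: a nonprofit's donor export (fictional addresses).
DONORS = [
    {"email": "alice@example.org", "gift_usd": 250, "country": "DE"},
    {"email": "bob@example.org", "gift_usd": 40, "country": "FR"},
    {"email": "carol@example.org", "gift_usd": 1000, "country": "US"},
]


def make_key() -> bytes:
    """Generate the pseudonymization key. In production this lives in a secrets
    manager or KMS, never next to the pseudonymized export (Art. 4(5): the
    'additional information' must be kept separately)."""
    return secrets.token_bytes(32)


def naive_token(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier. Deterministic and keyless, so anyone
    who can guess candidate identifiers can rebuild the mapping."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256. Without `key` the token cannot be linked back to the
    identifier, and tokens stay stable across exports made under the same key."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Replace the direct identifier (email) with a token; keep analytic fields."""
    return [
        {"donor_id": pseudonym(r["email"], key),
         "gift_usd": r["gift_usd"], "country": r["country"]}
        for r in records
    ]


def dictionary_attack(tokens, candidates, tokenizer):
    """Re-identification attempt: tokenize every guessed identifier with
    `tokenizer` and look for matches. Returns {token: identifier} for hits."""
    lookup = {tokenizer(c): c for c in candidates}
    return {t: lookup[t] for t in tokens if t in lookup}


if __name__ == "__main__":
    key = make_key()
    guesses = [d["email"] for d in DONORS] + ["dave@example.org"]

    weak = [naive_token(d["email"]) for d in DONORS]
    print("unkeyed hash, recovered:", len(dictionary_attack(weak, guesses, naive_token)))

    export = pseudonymise(DONORS, key)
    strong = [r["donor_id"] for r in export]
    print("HMAC, attacker without key:", len(dictionary_attack(strong, guesses, naive_token)))
    print("HMAC, key holder:", len(dictionary_attack(strong, guesses, lambda c: pseudonym(c, key))))
```

Rotating the key makes tokens from different exports unlinkable, which is what you want when a data set goes to a new processor but breaks longitudinal analysis, so decide per purpose. The pseudonymized export is still personal data under GDPR because the key holder can re-identify it; the storage and access controls around the key are the controls that matter.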

US State Consumer Privacy Laws


Recent Development of State Consumer Privacy Laws

Vermont (January 2019): The Vermont Data Broker Regulation requires data brokers to register annually with the Vermont Attorney General and to disclose information regarding their practices related to the collection, storage, or sale of consumers’ personal information.

Nevada (October 2019): Nevada passed a privacy law that requires operators of online services to give consumers the right to opt out of the sale of their personal information.

California (January 2020): California toughens its consumer privacy law. Expands the definition of personal information, introduces individual privacy rights and notice requirements, requires an “Opt-out of Sale” button on websites, and introduces a right against discrimination when exercising privacy rights.

Maine (July 2020): The Maine Act to Protect the Privacy of Online Consumer Information prohibits internet service providers from any disclosure of customer data without consent, subject to limited exceptions.

In process: Several newly proposed state privacy laws extend individual privacy rights and impose notice and opt-out requirements for the sale of personal data. They also extend privacy enforcement methods in case of violations. States with proposals: Hawaii, Illinois, Louisiana, Maryland, Massachusetts, Minnesota, New Jersey, New York, Pennsylvania, Rhode Island, Texas, Washington.


California Consumer Privacy Act (CCPA)

The CCPA, going into effect January 1, 2020, gives Californians extensive consumer privacy rights. The act sets requirements that regulate and attempt to limit the sale of personal information (PI). It applies to “for profit” businesses that meet any one of the following thresholds:

• Annual revenues > $25M
• 50% or more of annual revenues derived from the sale of personal information
• Buy, sell, or share the PI of 50,000 or more California residents (consumers, households, or devices)

PRIVATE RIGHT OF ACTION AND PER CAPITA STATUTORY DAMAGES OF UP TO $750 PER CONSUMER PER INCIDENT

HIGHLIGHTS

Broad definition of PI includes identity, commercial, professional, electronic, behavioral, inferential, financial, transactional, biometric, and educational data.

Enhanced disclosure obligations to consumers on how and from whom PI is collected, and how it is used, shared, disclosed, or sold.

Enhanced consumer rights including:
1. Right to Know
2. Right to Access
3. Right to Data Portability
4. Right to Say No or Opt-out
5. Right to Equal Service
6. Right to Deletion


Why is the CCPA Relevant For Nonprofits?

Contractual Obligations: Data processing agreements will likely require nonprofits to abide by the CCPA-compliant data collection and retention policies of for-profit partners.

For-Profit Subsidiaries: A nonprofit may control a for-profit subsidiary which is itself subject to the CCPA.

Joint Ventures with For-Profit Businesses: Both the nonprofit and the for-profit entity will likely need to agree on how data will be collected, stored, used, retained, or deleted.

Best Practice: Complying with the Fair Information Privacy Principles and industry best-practice requirements not only provides positive PR, but also builds trust with sponsors and business partners.

State Privacy Laws Relevant For Nonprofits: New York Privacy Act (Senate Bill S5642)

The New York Privacy Act is currently in the Senate’s Consumer Protection Committee. If passed, it will give NY residents the most sweeping, comprehensive, and empowering consumer privacy rights in the country. It applies to all businesses, including nonprofits.

Requires businesses to act as so-called “data fiduciaries.”

Distinguishes between “controllers” and “processors” and requires a legal basis for processing.

PRIVATE RIGHT OF ACTION AND ATTORNEY’S FEES

HIGHLIGHTS

Broad definition of PI includes identity, commercial, professional, electronic, behavioral, inferential, financial, transactional, biometric, and educational data.

Enhanced disclosure obligations to consumers on how and from whom PI is collected, and how it is used, shared, disclosed, or sold.

Enhanced consumer rights including:
1. Right to Know
2. Right to Access
3. Right to Correct
4. Right to Data Portability
5. Right to Say No or Opt-out
6. Right to Deletion

US State Breach Notification Laws


Threat Landscape

Increasing Intrusions

Nonprofit Case Study:

In May 2017, fraudsters compromised a “Save the Children Foundation” employee’s email account and used it to create a number of false invoices (business email compromise). The foundation lost $1 million to this attack.

In February 2016, the Urban Institute’s National Center for Charitable Statistics was the victim of a malicious attack that compromised 600–700 organizations.

Risk is everywhere!

[Chart: rate of breaches increasing since 2005; timeline 2005–2019 with the 2015 Hacking Team breach marked.]


Threat Landscape

Who Is Stealing Your Information?

Internal actors were responsible for 43% of data loss, half of which is intentional, half accidental.


New Data Breach and Cybersecurity Laws in the United States

Delaware (April 2018): Delaware broadens and toughens its data breach notification law. 60-day breach notification deadline. One (1) year of credit monitoring, as in CA and CT. Imposes new cybersecurity standards requiring companies to implement reasonable information security measures.

Oregon (June 2018): Oregon broadens and toughens its data breach notification law. 45-day breach notification deadline. One (1) year of credit monitoring, as in CA and CT. Imposes new cybersecurity standards requiring companies to implement reasonable information security measures.

South Dakota (July 2018): Becomes the 49th state to adopt a data breach notification law. 60-day breach notification deadline.

Arizona (April 2018): Arizona toughens its data breach notification law. Expands the definition of personal information to include biometric, health insurance, and login data, and private keys used to authenticate records. 45-day breach notification deadline.

Alabama (June 2018): Becomes the 50th state. Includes requirements to designate an employee to coordinate security measures, identify risks, adopt and assess safeguards to address those risks, retain service providers that are contractually required to maintain safeguards, evaluate security measures for sensitive PII, and keep the board of directors and leadership informed.

Alabama


US State Breach Notification Laws

Apply to for-profit and nonprofit organizations.

“Personally Identifiable Information” is generally defined narrowly and is often limited to:
• Social Security number
• Driver’s license number
• State identification card or passport number
• Financial account number in combination with any required security code, access code, or password that would permit access to an individual’s financial account

Require notice of security incidents to the State Attorney General and/or affected individuals, depending on the level of harm or risk to individuals or the number of affected individuals.

Violations may result in high civil penalties per violation, private rights of action, and restitution claims.


Roadmap to a Robust Breach Response Program

1. Understand the collection and flow of personal information in your systems.
2. Determine security gaps and understand what breach protection measures you have in place.
3. Understand which breach laws apply to you.
4. Develop incident response strategies, roles, responsibilities, and easily accessible procedures.
5. Know who to consult in case of a breach (e.g., outside counsel, cyber liability insurance, consultants).


Best Practices to Implement Cybersecurity

SOFTWARE PATCHING: Lack of software updates

ACCESS CONTROL: Who has access to your system, and do they really need it?

THIRD PARTY VENDORS: Are your third-party vendors secure?

PEOPLE: Internal actors up to no good or being exploited
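The access-control question above (who has access, and do they really need it?) is the one the Portuguese hospital in the GDPR enforcement examples failed: 985 profiles held doctor-level access while only 296 doctors were on staff. A periodic access review that reconciles application accounts against the HR roster answers it mechanically. The Python below is an added example, not code from the BDO deck; the accounts, roster, entitlement matrix, and 90-day dormancy threshold are all constructed assumptions.

```python
"""Periodic access review: reconcile application accounts with the HR roster.

Added example, not from the BDO deck. ACCOUNTS, ROSTER and ENTITLED_TITLES are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Account:
    user: str
    role: str                    # application role, e.g. "physician" = clinical record access
    last_login: Optional[date]   # None = never logged in


@dataclass(frozen=True)
class Person:
    user: str
    job_title: str
    active: bool                 # still employed according to HR


# Assumed entitlement matrix: which HR job titles justify each privileged role.
ENTITLED_TITLES: Dict[str, Set[str]] = {
    "physician": {"doctor"},
    "nurse": {"nurse"},
    "billing": {"billing clerk"},
}

TODAY = date(2019, 11, 15)

# Constructed sample data (fictional users).
ACCOUNTS: List[Account] = [
    Account("dr_lee", "physician", TODAY - timedelta(days=3)),
    Account("dr_ng", "physician", TODAY - timedelta(days=200)),
    Account("it_tom", "physician", TODAY - timedelta(days=1)),
    Account("ex_kim", "physician", TODAY - timedelta(days=10)),
    Account("svc_lab", "physician", None),
    Account("nurse_amy", "nurse", TODAY - timedelta(days=2)),
]
ROSTER: List[Person] = [
    Person("dr_lee", "doctor", True),
    Person("dr_ng", "doctor", True),
    Person("it_tom", "it technician", True),
    Person("ex_kim", "doctor", False),
    Person("nurse_amy", "nurse", True),
]


def review_access(accounts, roster, today, dormant_after_days=90) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for: accounts with no HR record, leavers whose
    account is still enabled, privileged roles not justified by job title, and
    privileged accounts with no login in `dormant_after_days`."""
    people = {p.user: p for p in roster}
    findings = []
    for a in accounts:
        p = people.get(a.user)
        if p is None:
            findings.append((a.user, "no HR record for account"))
        elif not p.active:
            findings.append((a.user, "user has left; account still enabled"))
        elif a.role in ENTITLED_TITLES and p.job_title not in ENTITLED_TITLES[a.role]:
            findings.append((a.user, f"role '{a.role}' not justified by title '{p.job_title}'"))
        dormant = a.last_login is None or (today - a.last_login).days > dormant_after_days
        if dormant and a.role in ENTITLED_TITLES:
            findings.append((a.user, f"privileged role '{a.role}' dormant"))
    return findings


def headcount_gap(accounts, roster, role: str, title: str) -> int:
    """Accounts holding `role` minus active staff with `title`. A positive number is
    the hospital's 985-vs-296 symptom: more access than people entitled to it."""
    holders = sum(1 for a in accounts if a.role == role)
    staff = sum(1 for p in roster if p.active and p.job_title == title)
    return holders - staff


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, ROSTER, TODAY):
        print(f"{user:10} {finding}")
    print("physician accounts beyond active doctors:",
          headcount_gap(ACCOUNTS, ROSTER, "physician", "doctor"))
```

Feed it the identity store export (directory or application user table) and the HR feed on a schedule; every finding becomes a ticket for the account owner's manager to approve or revoke, and the headcount gap is a single number leadership can track from one quarter to the next.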

US Federal Privacy and Cybersecurity Laws


Other Relevant Federal Privacy Laws

HIPAA: Applies to organizations that provide health care services or that process health data on behalf of health care providers.

FCRA: May apply when organizations use consumer reports to make employment decisions, including hiring, retention, promotion or reassignment.

COPPA: Applies to organizations that provide online services targeted to children and that collect data.

FERPA: Applies to federally funded educational institutions.

Future-Proofing Your Privacy Program

Future-Proofing Your Privacy Program: How to Comply

ASSIGN ACCOUNTABILITY & OWNERSHIP

ESTABLISH PRIVACY PRINCIPLES AND POLICIES

ESTABLISH STANDARDS, PROCEDURES & CONTROLS

ADOPT A PRIVACY BY DESIGN & DEFAULT MINDSET

KNOW YOUR DATA FLOWS & PROCESSING

TRANSPARENT AND LEGITIMATE DATA USE

MONITOR & REMEDIATE

ESTABLISH END-TO-END SECURITY


Challenges When Implementing Privacy and Cybersecurity: Protect Through the Entire Lifecycle

Discover relevant business functions and data:
• Get buy-in to form a governance program
• Form a governance committee
• Map data sources; understand how data is managed throughout the organization
• Identify sensitive data used by the business

Identify gaps and govern processing:
• Evaluate policy and procedure gaps
• Define classification and retention schemas
• Outline roles and responsibilities to manage data
• Build a roadmap to manage data throughout its lifecycle

Implement and sustain:
• Identify potential technology solutions to better manage data
• Implement technologies to better manage data
• Train personnel on data governance practices
• Meet at incremental times to check in on the progress of the governance committee


BDO Privacy Services Overview

Outsourced DPO and Privacy Services: Focus on staffing solutions for a wide range of publicly traded and privately held companies. Partners with IT leaders to deliver strategy and technology solutions to address business needs through CIO Advisory, Program/Project Management delivery, Outsourcing, and Staff Augmentation.

Strategy and Readiness: Undertake an interview process that exposes risks and challenges. Integrate leading practices and industry knowledge into privacy approaches. Define a longer-term strategy that supports the privacy objectives of the company. Delineate the discrete initiatives that combine to create a successful privacy compliance program.

Assessments: Evaluate products, processing activities and processes, monitoring procedures, or vendors. Conduct vendor/third-party GDPR and CCPA readiness assessments. Identify technical controls, policies, procedures, processes, or documentation that require updates.

Implementation Services: Implement requirements to align with Privacy by Design and Default. Implement BDO’s Data Reduction by Design strategies using Records Management. Align business practices, policies, and procedures with GDPR Articles and CCPA requirements. Implement practices to train, communicate, and manage the data privacy program. Identify overlaps between GDPR and other privacy regulations and construct a shared solution approach.

Outsourced Data Subject Request Services: Staffing for tracking, reviewing, and responding to GDPR and CCPA data subject/consumer requests. Online reporting to ensure regulatory timing requirements are met, using automated workflow. Long-term or short-term outsourcing.

Privacy Desk: Up-to-date regulatory information tailored and sent to the company and the chief privacy officer. Privacy software platform implementation and support using industry-leading software.

This document contains information that is proprietary and confidential to BDO USA, LLP, the disclosure of which could provide substantial benefit to competitors offering similar services. Thus, this document may not be disclosed, used, or duplicated for any purposes other than to permit you to evaluate BDO to determine whether to engage BDO. If no contract is awarded to BDO, this document and any copies must be returned to BDO or destroyed.

Material discussed is meant to provide general information and should not be acted on without professional advice tailored to your needs.

© 2019 BDO USA, LLP. All rights reserved. www.bdo.com

BDO is the brand name for BDO USA, LLP, a U.S. professional services firm providing assurance, tax, and advisory services to a wide range of publicly traded and privately held companies. For more than 100 years, BDO has provided quality service through the active involvement of experienced and committed professionals. The firm serves clients through more than 60 offices and over 700 independent alliance firm locations nationwide. As an independent Member Firm of BDO International Limited, BDO serves multi-national clients through a global network of more than 80,000 people working out of nearly 1,600 offices across 162 countries.
