Picture yourself waking up on a Saturday morning to the smell of coffee and breakfast. As you tumble downstairs to pour yourself a cup, you notice a pile of mail on the kitchen counter and start rifling through. One envelope in particular, labeled CONFIDENTIAL in all capital letters, catches your eye. As you read the letter titled “Notice of Data Breach” your heart sinks. A ransomware attack targeting an organization you trusted with your personal information has possibly compromised your Social Security number, tax identification number, credit card information and more. The targeted organization of the ransomware attack, whether it is a bank, nonprofit organization or public company, is now required to inform all its customers or members of this unfortunate data breach. But what can these institutions do to further protect their customers and members and ensure that these attacks happen less frequently?
Data privacy breaches, administered through internal hacking or third-party vendors, have negatively impacted countless nonprofit organizations. Data privacy litigations have famously, or infamously, involved giant corporations. However, nonprofits are especially vulnerable because they often don’t have the personnel dedicated to cybersecurity and are facing these challenges with more limited budgets. Nonprofits also face risks in addition to the financial burden of litigation - including but not limited to loss of trust from the community the nonprofit serves, major disruption of daily operations, weakened donor confidence and loss of grant funding. This blog post examines past data breaches, the evolving regulatory and legal landscape regarding data privacy, and the ways in which nonprofit organizations can learn from past breach events to minimize risk and prevent future cyber-attacks.
What Is a Data Breach?
In our increasingly digital world, data breaches are becoming more commonplace because larger amounts of personal information are being stored online, and hacking is a profitable industry. The two biggest data breaches within the past decade alone, Adobe and Adult Friend Finder, compromised the personal data of more than 3.5 billion individuals. A data breach is a type of cybercrime where hackers, many of them professionals, crack the security measures of an organization or a third-party cybersecurity provider without authorization in order to collect the private information of users. Cyber-attack victims range from huge for-profit businesses to nonprofit organizations to municipalities of any size. Hackers threaten to release private information unless they are paid ransoms, claiming that upon payment the stolen data will be destroyed. Hackers can also turn a profit by selling private information over the “dark web,” a portion of the internet that can only be accessible using special untraceable software, or by using personally identifiable information like credit card or social security numbers to steal identities and empty bank accounts. While paying ransom to hackers is not illegal, United States and international law enforcement agencies such as the Federal Bureau of Investigation and Europol strongly advise against it because hackers may come back, knowing that the organization has a willingness to pay.
On an individual user level, targeted data breaches can generally occur in one of four ways – (1) exploitation of system vulnerabilities, (2) weak passwords, (3) downloads or (4) targeted malware attacks. It is important for internet users to always use strong passwords, keep their software up to date, double-check download sources and be hyper-aware of compromised web pages or phishing emails. On an organizational level, there are two types of data breaches – direct and third-party breaches. Both types of breaches typically occur when hackers target common weaknesses at either the organizational or employee level, like phishing, malware and vulnerabilities. Phishing generally takes the form of fraudulent emails designed to convince an employee to click on an attachment and can expose the whole company to cyber criminals looking to infect an organization’s computer system. Malware, or malicious software, can include viruses or spyware and has the potential to affect all systems such as mobile devices, the organization’s servers, and networked technology. Vulnerabilities are holes in the software code that function as ‘doors’ for hackers to enter secure systems. Holes can be closed by updating software regularly and scanning internal networks on a quarterly basis to ensure optimal performance.
A direct data breach occurs when hackers breach the security of the organization itself. An example is the 2019 Capital One data breach where 100 million account holders in the United States and Canada had their addresses, self-reported incomes, credit scores, bank account numbers, payment histories and more stolen by a former Amazon Web Services software engineer. Citing Capital One’s failure to effectively establish risk assessment procedures and to correct the breach in a timely manner, the Office of the Comptroller of the Currency fined Capital One $80 million dollars. Another example is the 2016 Uber data breach where over 600,000 driver accounts and 57 million user accounts were hacked for personal identification and credit card information. Instead of reporting the breach, Uber secretly paid a $100,000 ransom to the hackers. Uber was charged with the largest data breach fine in history ($148 million dollars) for violating state notification laws regarding data privacy. Internal breaches, like the 2020 Mayo Clinic breach, are also very common. In the Mayo Clinic breach, a former employee accessed 1,600 patient health records, which included medical history, record numbers and medical images taken in connection with treatments.
A third-party data breach is when the external theft protection measures that organizations use to keep user information secure are hacked. An example of this is the 2019 Blackbaud data breach. Blackbaud is one of the largest cloud computing and cybersecurity software companies with more than 25,000 institutional customers worldwide, including educational establishments, healthcare entities, nonprofits and foundations. The Blackbaud phishing hack began on February 7, 2020 and was finally discovered on May 20, 2020. By this time, hackers had compiled unencrypted data including bank account information, Social Security numbers, account passwords and medical information from more than six million individuals. Blackbaud’s affected client list includes Inova Health Systems in Virginia (one million individuals affected), Northern Light Foundation (657,692 individuals affected), and Saint Luke’s Foundation (360,212 individuals affected), just to name a few. Blackbaud paid the hackers a ransom one week after the breach was discovered and currently believes the stolen data has been destroyed. However, Blackbaud did not publicly notify its clients about the significant data breach until mid-July 2020. In September, a Securities and Exchange Commission (SEC) filing revealed that hackers had access to more unencrypted data than Blackbaud had originally disclosed. More than ten separate class-action lawsuits seeking damages, restitution and injunctive relief have been filed in multiple U.S. District Courts against Blackbaud under common law negligence and contract causes of action.
Organizations, including nonprofits, face cybersecurity risks from a variety of sources – direct attacks on their internally-housed data, internal attacks from current or former employees and hacks through trusted third-party vendors. Large corporations have the funds to house their own internal data management systems and, while they may share some data with third-party vendors, it is not very common. In contrast, small nonprofits do not have the resources to manage the private data of all their members, donors and employees so it is natural for these organizations to utilize commercial third-party vendors for a variety of business needs, including cybersecurity. Therefore, thorough vetting of third-party vendors is very important because while it is less profitable for professional hackers to breach a small nonprofit, hacking giant third-party vendors that store information for hundreds of nonprofits can be very lucrative. The pervasiveness of high-risk ransomware attacks highlights the increasing need for nonprofits to familiarize themselves with data privacy regulations and laws while simultaneously prioritizing cybersecurity and risk management.
The Current Statutory and Legal Landscape for Data Privacy Breaches
The number of data breaches in 2020 spanned every industry and was almost double the number of cyber-attacks in 2019. Despite this alarming upward trend, there is currently no comprehensive U.S. federal legislation regarding data privacy. Instead, at the federal level there is a patchwork of sectorial laws governing privacy. For example, HIPAA governs medical information. (See our prior article and FAQs on privacy laws.) The Biden Administration is expected to pursue federal privacy legislation given Vice President Harris’s prior experience with privacy issues as California’s Attorney General and as a U.S. Senator. The current Administration is also expected to reestablish The White House Office of Cybersecurity, which was eliminated under the Trump Administration. However, because the most pressing issues are the elimination of COVID-19 and revitalization of the U.S. economy, state data privacy statutes and state data breach notification laws are likely to continue to govern data privacy in the short term.
All fifty states, including the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, have data breach notification laws which require private, nonprofit and governmental entities to swiftly inform members and users of breaches involving private personally identifiable information. However, less than 25 states have data security legislation that outlines required data security practices, and state data security statutes rarely allow for a private right of action to redress breaches. Therefore, plaintiffs must rely on common law causes of actions like tortious negligence or fraud to survive dismissal. The most comprehensive state data privacy statute, which permits private causes of action for ‘consumers’ and requires companies to ask users for data collection/sharing permission, is the California Consumer Privacy Act (CCPA). CCPA defines ‘consumer’ as a resident of California, meaning that only individuals who are domiciled in or are permanent residents of California can bring suit. Cal. Civ. Code § 1798.140(g). CCPA applies to for-profit companies, both U.S. and foreign, that meet one of three threshold requirements: (1) grossed a minimum of $25 million in annual revenue, or (2) stored the personal data of at least 50,000 people, or (3) collected more than half of their annual revenue from the sale of personal data. Cal. Civ. Code § 1798.140(c)(1). Although CCPA does not currently apply to nonprofits, Data Processing Agreements signed between nonprofits and data storage firms often require nonprofits to follow requirements similar to CCPA data collection and retention policies. California consumers have standing to sue if a company fails to provide a mechanism to opt out of third-party data sharing, or if a company does not comply with a consumer’s request to provide a list of all stored personal data and/or a list of all third-party vendors with whom personal data was shared. The majority of state statutes impose penalties on companies that negligently expose personal data or fail to expeditiously inform users of data breaches. Nevada, Maine and New York have enacted comprehensive consumer-favored data privacy statutes similar to CCPA, and it is likely that many other states will follow.
The cost of effectively responding to data breaches and handling subsequent legal issues is very high. All organizations, but small nonprofits especially, face additional ‘headline risks,’ such as reputational damage and major disruptions in daily operations. Data breach litigation has become very factually and legally complex. Two of the most difficult issues involve standing to sue in the absence of a federal privacy law and the liability of corporate directors and officers for data breaches.
Article III standing requires: (1) an injury-in-fact which is (a) concrete and particularized, and (b) actual or imminent; (2) causal connection between the injury and defendant’s contested act; and (3) a likely, rather than speculative, chance that a favorable decision by the court will redress plaintiff’s injury. See Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992). In the data breach context, there are many complicated questions regarding standing – what type of personal information breach constitutes an injury-in-fact; is there an injury-in-fact if personal information is leaked but not used in a fraudulent scheme; what is the proper redress for an organization versus an individual plaintiff? Cases throughout the country have grappled with these questions in determining the particularities of what constitutes sufficient standing. See Blahous v. Sarrell Reg’l Dental Ctr. for Pub. Health, No. 2:19-cv-798-RAH-SMD, 2020 WL 4016246, at *7–8 (M.D. Ala. Jul. 16, 2020) (ruling that data privacy breach disclosing patient’s Social Security number and health information is not sufficient for standing); but see Antman v. Uber Technologies, Inc., No. 3:15-cv-01175-LB, 2015 WL 6123054, at *10–11 (N.D. Cal. Oct. 19, 2015) (ruling that data privacy breach disclosing full names and driver licenses, unlike a breach of Social Security or account numbers, is not a credible risk constituting standing).
The current circuit court split regarding standing in data breach cases has further complicated privacy legislation. Despite the Supreme Court’s 2013 ruling in Clapper v. Amnesty International, which stated that injuries must be real and imminent rather than speculative, and the 2016 ruling in Spokeo, Inc. v Robins, which stated that statutory violations alone do not show standing because harm must be concrete, appellate and trial courts alike are having trouble applying standing requirements in a data privacy context. See Clapper v. Amnesty Int'l, 568 U.S. 398, 408–10 (2013); see also Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1544, 1548–50 (2016).The D.C. and Ninth Circuits have ruled that disclosing ‘sensitive personal information,’ like Social Security numbers, is sufficient for standing because it creates a substantial risk of an injury. The Fourth, Seventh and Ninth Circuits have ruled that criminal activity after the data breach, rather than the breach itself, creates an injury-in-fact and constitutes standing. The Third and Eighth Circuits have the highest bar to standing because they regularly dismiss cases that fail to allege criminal activity, even when data breaches disclose Social Security numbers and other highly protected data.
Liability of Corporate Directors and Officers
Corporate directors and officers may face personal liability for data privacy breaches. In claims against the directors of Target and Home Depot a few years ago, courts dismissed personal fiduciary liability claims because cybersecurity monitoring was not considered a ‘known duty’ that would trigger a director’s personal liability. Generally, the “business judgment rule” will protect a Board’s decisions as long as directors acted with good faith in the corporation’s best interest and did not engage in grossly negligent behavior breaching the duty of care. However, recent rulings suggest that the expectations of director responsibility are expanding because cybersecurity measures are becoming essential best practices.
In 2019, a district court judge in Georgia did not dismiss a fiduciary duty claim against an Equifax, Inc. director based on findings that the director had personal knowledge of software vulnerabilities and intentionally misrepresented the strength of security measures. See In re Equifax, Inc. Sec. Litig., 357 F.Supp.3d 1189, 1240, 1246, 1252 (N.D. Ga. 2019). Similarly, in California, a judge approved what is believed to be the first CCPA settlement against directors where plaintiffs have been awarded monetary damages, citing the growth of the cybersecurity industry, complexity of frequent data breaches, and the high-risk data breaches pose to companies in establishing director fiduciary duty for cybersecurity. The Delaware Supreme Court, which is highly regarded nationally for its corporate law precedents, ruled in 2019 that directors who fail to install security measures, do not continually monitor and address cybersecurity vulnerabilities, or intentionally/consciously disregard data privacy issues can be held personally liable. See Marchand v. Barnhill, 212 A.3d 805, 821 (Del. 2019).A subsequent 2019 Delaware Court of Chancery ruling stressed the importance of the board of directors’ efforts to oversee cybersecurity in compliance with relevant regulatory statues. See In re Clovis Oncology, Inc. Derivative Litig., No. 2017-0222-JRS, 2019 WL 4850188 at *12–15 (Del. Ch. Oct. 1, 2019).
All organizations, nonprofits included, have an obligation to abide by applicable statutory regulations and legal precedent. Directors must uphold their fiduciary duty by swiftly addressing data privacy vulnerabilities or breaches and upholding strong cybersecurity measures.
Minimizing Risk and Preventing Data Privacy Breaches
Data privacy breaches are a threat to any organization regardless of size, resources or mission statement. Nonprofits can be prime targets for hackers because of the large amount of personal information collected about volunteers, donors, employees and grantees as well as internal governance information stored on either internal servers or through third-party cybersecurity companies. Nonprofits risk exposure through cloud services, software systems, third-party vendors like payroll services or IT consultants, project collaborators and employees and should enact policies and procedures for preventing data breaches and responding to a potential ransomware attack. Unfortunately, there is no quick fix for building strong cybersecurity measures. Thankfully, minimizing risk and preventing data breaches is not costly and is largely intuitive.
To prevent data privacy breaches, a risk assessment is necessary to understand what kind of sensitive data is stored, how it is stored and where it is located. Both physical and online security is very important. Physical security includes ensuring that physical devices cannot be easily carried away from the office, installing a physical alarm system in the office, requiring employees to log out at the end of the day and storing external hard-drive backups in secure locations. Online security includes installing automatic software updates to ensure vulnerability ‘holes’ are not preyed upon, enabling firewalls, setting complicated passwords that are regularly changed, and installing individualized screen locks on all digital devices. These physical and online measures will ensure that employees cannot access data after leaving the organization and that outside hackers have a harder time stealing private personal data.
To minimize the risk of allegations of breach of fiduciary duty, nonprofit directors and officers must be well-informed about the organization’s data collection practices and vulnerabilities to breaches and assure that reasonable measures (such as those discussed above) are in place to minimize the risks. Nonprofit directors and officers are faced with a unique ‘fiduciary choice’ because they must balance their resources between what is best for the organization’s cybersecurity and what is best to further the organization’s charitable mission. This is different from for-profit corporations, that work mainly to protect shareholder interests and meet business objectives. Poorly handled nonprofit data breaches may cause litigation, penalties/fines, media criticism leading to loss of reputation and disgruntled donors. It is imperative that directors and officers be familiar with applicable regulatory and legal precedents regarding data privacy. Additionally, training all employees on organization-specific and general data security measures will emphasize the importance of preventing data breaches. Finally, some industry best practices are highly advised such as creating a senior level position dedicated to implementing internal cybersecurity measures, drafting clear organization-specific data security policies, and purchasing insurance.
Nonprofits should engage in all appropriate measures outlined in this section to demonstrate that they have prioritized protecting sensitive private data, analyzed and addressed security vulnerabilities and planned for potential data privacy breaches or ransomware attacks.
Nonprofits are prime targets for data breaches. Small nonprofits with limited security and risk-management strategies are particularly vulnerable to a hacker’s efforts. All companies, nonprofits included, should familiarize themselves with applicable federal and state data privacy laws, state data breach notification laws and legal precedents. In order to prioritize cybersecurity, nonprofits should carefully consider third-party partnerships, consider purchasing cybersecurity insurance coverage and train all employees and directors on data security measures, legal obligations to users and the seriousness of ransomware attacks.