Cybersecurity is not a topic traditionally on my radar when thinking of nonprofit boards. But the following blog makes a good case for why I should think otherwise. It comes from Lexology and FisherBroyles; please read further.
Privacy and Data Security: Responsibilities of the Board of Directors and Senior Management of for-Profits and non-Profits related to Privacy and Security
Directors and officers have fiduciary obligations to ensure the proper operation of the organization. Specifically, in addition to traditional requirements for financial and strategic transaction oversight, there should be oversight to ensure that the organization takes appropriate steps related to the privacy and security of personal information. The obligations of an organization can extend to protected health information (PHI), consumer financial information such as credit card and account numbers, the electronic and physical records and information maintained by the organization, business continuity and disaster recovery, and the protection of the ability of the organization to conduct business. These are some of the obligations specifically related to cybersecurity:
• Directors need to understand the importance of cybersecurity and its relationship to organizational risk assessment;
• Public company directors need to address their unique disclosure and control requirements, which are becoming increasingly prominent and were very recently the subject of a Wall Street Journal article entitled “Corporate Judgment Call: When to Disclose You’ve Been Hacked”;
• Cybersecurity cannot be looked at as just an information technology issue, but rather needs to be seen as a component of compliance in general;
• Boards should ensure that they engage and are regularly briefed by those with adequate experience;
• Boards should ensure that management has a risk management assessment process including ongoing monitoring of new legal developments, and should regularly discuss with management the changing level and types of risks faced by the organization, appropriate efforts to mitigate risks including procurement of dedicated insurance coverage, technical measures, plans to address potential incidents, and the plans, staffing and budgets related to each of these areas;
• The risks associated with cyber and related physical threats should be factored into the organization’s business continuity and disaster recovery plans, which should be tested and updated regularly;
• Appropriate, specific benchmarks, such as ISO/IEC 27001 and 27002 or PCI DSS compliance, should be used to assess the efforts of management;
• The issue of cyber risk allocation must be thoughtfully addressed in the covenant/warranty, indemnity and liability limitation sections of contracts with customers and vendors, particularly cloud vendors.
What about nonprofit boards? These obligations exist for nonprofit organizations as well. While the legal responsibility of the board members of a nonprofit organization may vary from state to state, members should understand that there has been litigation on exactly the issue of a nonprofit director’s liability. Some states allow the nonprofit to provide potential enhanced protection for directors and officers through charter and bylaw provisions, while others impose by statute different specific obligations on these persons. Irrespective of legal liability, however, the better practice is for each director to understand and ensure that the organization’s plans and actions are appropriate to address these risks in the same manner as for-profit companies.
The federal HIPAA law governing those in the health care field and their vendors imposes specific obligations on covered entities. There are special privacy and security rules associated with PHI. HIPAA rules require covered entities and business associates to implement and maintain security policies and measures that address cybersecurity, to some extent in a manner which differs from the requirements applicable to other businesses. There is also recently published HHS guidance addressing minimum standards, how to prevent and address breaches, and ransomware.
It is important to understand that many organizations will be business associates under HIPAA even if they are not directly involved in the delivery of health care, and the legal requirements will apply to them. A fundamental element of a compliance strategy in this area is for covered entities to properly determine when business associate agreements are required and ensure that they are obtained.