Cybersecurity

Some—Not All—Nonprofits Are Subject to HIPAA Requirements


All nonprofits should maintain the confidentiality of medical information related to their employees, program participants, and volunteers. Is such information subject to "HIPAA"? For many organizations, the answer is no: HIPAA does not apply across the board to all medical information generally. But privacy concerns may nonetheless warrant protection of such sensitive information. Such protection may be acutely important amid current COVID times, with individuals' medical information the subject of intense interest to employers, government agencies, and others.

Nonprofit Holiday Highlights


The year 2021 is quickly winding up, and 2022 is just over the horizon! Our law firm's attorneys and paralegals deeply value the honor and opportunity to assist so many amazing nonprofit organizations and their incredible leaders, and to help advance their compelling and worthwhile missions. Thank you for this opportunity to serve as trusted legal advisors providing client-focused solutions, creative approaches to advance clients' interests, and vibrant community engagement to help the nonprofit sector flourish. As a parting gift for this year, we'd like to share some holiday cheer, and what better way than through links to some key W&O blog articles across our nonprofit practice groups? We hope the W&O blog will continue to be a valuable resource for you!

How China’s New Data Privacy Framework Affects U.S. Nonprofits


Nonprofits reaching Chinese donors, employees, contractors, newsletter and program service recipients, and other stakeholders face new legal challenges in the handling of those stakeholders' personal information. Adopted on August 20, 2021, China's Personal Information Protection Law ("PIPL") became effective on November 1, 2021. This extraordinarily brief implementation period leaves for-profit and nonprofit entities alike scrambling to understand their compliance obligations under the new framework. As addressed below, nonprofits must comply with PIPL, and penalties for non-compliance may be hefty. Nonprofits with connections to China should therefore assess their data handling practices and their disclosure and notice efforts, including those related to consent requirements, individual control of personal information, and data audit functions, to mitigate risks arising under the new framework.

California Takes the Lead in U.S. Data Privacy: The New Consumer Privacy Act and What Nonprofits Need to Know


Nonprofits attuned to growing legal requirements for data privacy and data security best practices are familiar with a kind of alphabet soup of acronyms: WISP, GDPR, PII, PCI DSS, NIST, and others. Beginning in January of 2020, an important new law and corresponding acronym will significantly alter the data privacy landscape in America. The California Consumer Privacy Act (CCPA) provides extensive protections and requirements for entities doing business in California. While the law doesn't directly target nonprofits, CCPA affects most nonprofits' handling of consumer data, donor information, website user identifiers, and other types of personal information.

Accordingly, nonprofits all over the United States, as well as international nonprofits that partner with California entities, should proactively implement key components of data privacy compliance, such as accurate online disclosures, appropriate user opt-out options, and special care in handling the information of minors. Furthermore, nonprofits should carefully evaluate ways in which certain operations or complex corporate structuring might trigger requirements for particularly strict compliance with CCPA. We also recommend that nonprofits seriously assess the new standards for data handling under CCPA (and other data privacy regimes), even if such statutes do not appear to be expressly applicable to nonprofit organizations. Through such proactive steps, nonprofits should be well-positioned to act on emerging opportunities related to the security and processing of personally identifiable data in their operations. There is more to be said about each of the above recommendations, but first a bit of recent historical global context: the European Union's (EU) predecessor and cousin of CCPA, the GDPR.
