COVID-19 and Privacy: What do Nonprofits Need to Know?

As the pressures of COVID-19 continue, some nonprofit organizations lead efforts in critical care services, conducting research and delivering personal protective equipment and other critical medical supplies. Others serve a secondary role—providing sustaining support for individuals and families who have been affected by the economic and societal impacts of the crisis. In the midst of this disruption, it’s tough to make time to worry about data privacy.


Why worry?

Nonprofits are susceptible to the same breaches as any other type of organization. And if your organization was required to comply with the EU General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) before COVID-19, it still is, and will continue to be in the post-COVID world. While a few countries (Italy, for example) have amended or placed very specific and temporary suspensions on privacy controls in response to COVID-19, most have not, and with good reason. There are indications that bad actors are successfully leveraging new attack vectors brought about by the large number of telecommuting employees. In many cases, employees who are working from home are using networks that lack the level of cybersecurity protections we take for granted in office environments. In other cases, organizations hasten to move forward with new services or offerings without first ensuring the proper protections and safeguards are implemented. The need for privacy controls during this kind of upheaval is as urgent as ever.


What to do?

Organizations that haven’t taken stock of the data they hold, and how they use and share it, must do so immediately. Performing ongoing vulnerability tests, training staff to identify and prevent breach attempts, and building business continuity and disaster recovery plans will arm nonprofits with the tools they need not only to protect their organizations, but also to continue their mission-critical work even in the event of a cyberattack.

Failure to maintain adequate security protocols could lead to sanctions and loss of trust, particularly on the part of donors and sponsors. Even amidst the anxiety and the urgency of the current circumstances, all organizations must avoid shortcuts, particularly in the collection and processing of Personal Information (PI), especially Personal Health Information (PHI).


Don’t Special Times Call for Special Measures?

Luckily, most privacy laws include provisions that allow for special processing in the name of humanitarian purposes, including for the monitoring and management of epidemics. Consider the Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996. HIPAA defines protections that “covered entities” (including nonprofits) must implement to protect PHI. HIPAA allows for limited disclosure of PHI under certain circumstances, including “to prevent a serious and imminent threat.”

GDPR, CCPA and other omnibus privacy regulations also describe specific circumstances in which privacy protections may be temporarily suspended for humanitarian purposes. However, caution is required: these exceptions must be carefully documented, and the suspension of privacy controls must be very specific to the purpose. Nonprofit organizations involved in the COVID-19 response may disclose PHI in the name of their mission, but when asked by the HHS, a state attorney general, Department of Personnel Administration or other enforcement body, they need to be ready to explain their actions.


What’s Next?

Predicting the post-COVID-19 “new normal” in the privacy realm is a dicey proposition. Organizations that never dealt with PHI may suddenly and unexpectedly find themselves doing so. However, a few trends have emerged that seem likely to shape how nonprofits approach assessment, implementation and ongoing management of their security and privacy programs:

  • While existing regulations remain in force, the enactment of new laws will likely be delayed for the immediate future. Brazil, for example, delayed the implementation date of its sweeping privacy regulation until 2021.

  • Cybercriminals, including state-sponsored actors, will increase their activity and broaden their approach to gaining access to PI. Nonprofit organizations in particular may be perceived as soft targets, which lack the resources of large for-profit organizations and are focused on the urgency of serving their mission in the midst of a public health crisis.

  • National-level conversations around the handling of PHI will evolve, pitting individual privacy rights against broader concerns rooted in public health and pandemic response. South Korea granted sweeping surveillance powers to its national health agencies in response to earlier pandemic outbreaks, and then leveraged these to enact contact-tracing and quarantine measures that may have diminished the severity of the outbreak in that country.


What Should You Do?

Going forward, it’s critical that nonprofits understand that compliance doesn’t automatically promise security. Most organizations are in a reactive mode, assuming that because they’re compliant with cyber regulations, they’re free from threat. But, in reality, it’s not a question of if you’re going to have a security breach—it’s about when.