Mass. Data Privacy Rules Could Affect How Charities Nationwide Do Business
March 7, 2010
Many charities across the country that store or transmit financial or other personal information about donors, clients, or employees who live in Massachusetts could be affected by tough new regulations just enacted in that state.
The rules, designed to protect donors and others from identity theft, went into effect March 1 and apply to businesses and nonprofit groups.
The requirements seek to protect the confidentiality of Social Security, credit card, bank account and driver’s license numbers and other so-called personal information of Massachusetts residents.
Charities often hold such information about donors who make contributions by check or credit card, as well as about clients who receive services.
Making Adjustments
Under the Massachusetts rules, nonprofit groups and businesses nationwide that keep personal information on Massachusetts residents in paper or electronic records must create a written “comprehensive information security program” to protect the data.
Groups that electronically store or transmit the information must ensure it is encrypted when stored on laptop computers or transmitted over the Internet.
Charities that hire outside companies to help them carry out their work, such as professional fund raisers and telemarketers, will eventually be required to include contract terms obliging those companies to follow the security steps in the new rules.
While nonprofit legal experts say the Massachusetts regulations are considered to be the nation’s strictest, they also say most charities should be able to meet them. “The rules frankly aren’t that hard for most organizations to comply with,” said Andrew M. Grumet, a New York lawyer whose firm is helping charities adjust to the changes.
Michael Weekes, president of the Providers’ Council, in Boston, said his organization supports the rules.
“Personal information should be protected, and we certainly don’t want to do anything that will create situations in which that information has been breached; we get that,” said Mr. Weekes, whose association represents 300 grass-roots organizations that provide education, health, and social services.
Penalties Unclear
Under the rules, an organization’s written security plan can be tailored depending on several factors, including the size and scope of the charities or businesses, and the amount of stored data they maintain.
These allowances were “primarily intended to ease the burden of the regulations on entities like nonprofits that may not handle a significant amount of personal information or may not have the resources to develop a sophisticated security program,” said a blog posting by the Boston lawyers Amy Crafts and Scott Harshbarger, former attorney general of Massachusetts.
Massachusetts has not spelled out the penalties for failing to comply. But experts said that such a failure accompanied by a security breach could open a charity up to serious consequences, such as action against it by the Massachusetts attorney general, lawsuits from affected donors and clients, or bad publicity in the press.
“In my mind, I would put failing to comply in the category of a potential organization ender,” said Mr. Grumet.
For more information on the new requirements, go to the Massachusetts Office of Consumer Affairs and Business Regulation, http://www.mass.gov/consumer.
Key Data Security Steps Charities Must Take
- Create a written “comprehensive information security program” to protect credit-card numbers and other financial and personal data
- Designate one or more employees to maintain the security program
- Spell out consequences for employees who fail to follow the plan
- Set safeguards to protect data used outside the office
- Follow a “reasonably safe” method to assign and select passwords
- Restrict access to personal data to those who need such information to do their jobs