We recently had our annual IT and Financial Systems audit performed at our church. There were a number of new questions, one of which follows. “Do you know which breach notification and privacy laws are applicable to you based upon your constituent user base?” Can anyone advise where we can go or who to talk to about finding out what the applicable breach notification and privacy laws are for our church? Would these be federal requirements or state requirements or possibly both? Thank you for any information you can share.
Some countries/states have laws on the books about PII, data protection, etc. Think European countries with GDPR, Singapore with PDPA, California’s “Breach Notification” law, so on and so forth. You’ll want to engage a lawyer to confirm which laws apply in your jurisdiction. On a cursory glance you guys have a breach notification law in Connecticut, but it appears to only apply to businesses and very specific combinations of data (Chp 669 Sec. 36a-701b). Again, consult your legal counsel on applicability of that.
As stated, there are laws (that are ever-changing) that may require notification. If you are operating under any compliance regimes or certifications, HIPAA (medical, counseling), PCI (financial, banking), etc., where you are keeping any financial data (book stores, donations, registrations), medical data (think medical release forms), or PII (personally identifiable information; think anything about a person, Social Security numbers for background checks, etc.), these are all information that you are likely required to protect and in some cases legally report, if not to your administration, Board, legal team, and possibly insurance carrier. (Do you maintain cyber insurance? You might consider it if you store data, and more so if you are writing any sort of code or database.) The first step is to communicate and train internally on what your staff should do in the event of a data breach, or even data loss. What about the lost laptop, or lost thumb drive, phished email or credentials, etc.?
At a minimum, here is a link listing individual state requirements: https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
Areas of ministry and licensure of staff members may provide additional organizations that can outline requirements. Do you have a licensed counselor on staff? Maybe HIPAA could apply.
Best is to talk with legal counsel as mentioned.
And, keep in mind, every bit of data you keep is a liability down the road, so think long and hard about what you really need.
Thank you David for the detailed response. I will pass this information along to get us started in the right direction.
Thank you Isaac for the response.