<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Technology, Digital Privacy &amp; Security - Perlman Sandbox</title>
	<atom:link href="https://dev.staging-perlmanandperlman.com/category/technology-digital-privacy-security/feed/" rel="self" type="application/rss+xml" />
	<link>https://dev.staging-perlmanandperlman.com</link>
	<description>Perlman Sandbox</description>
	<lastBuildDate>Tue, 10 Jan 2023 20:50:53 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.7.2</generator>
	<item>
		<title>Cyber Readiness &#8211; If it Ain’t Broke, You May Still Want to Fix It…</title>
		<link>https://dev.staging-perlmanandperlman.com/cyber-readiness-if-it-aint-broke-you-may-still-want-to-fix-it/</link>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Thu, 27 Jan 2022 19:21:06 +0000</pubDate>
				<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<category><![CDATA[cyber readiness]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data retention]]></category>
		<guid isPermaLink="false">https://dev.staging-perlmanandperlman.com/?p=9047</guid>

					<description><![CDATA[<p>The saying “if it ain’t broke don’t fix it” is widely attributed to T. Bert (Thomas Bertram) Lance, the Director of the Office of Management and Budget in President Jimmy Carter&#8217;s 1977 administration.  Lance’s aim was to save money by adopting a fiscal policy that focused on needed repairs.  Over time, this colloquialism has come to [&#8230;]</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/cyber-readiness-if-it-aint-broke-you-may-still-want-to-fix-it/">Cyber Readiness – If it Ain’t Broke, You May Still Want to Fix It…</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>The saying “if it ain’t broke don’t fix it” is widely attributed to T. Bert (Thomas Bertram) Lance, the Director of the Office of Management and Budget in President Jimmy Carter&#8217;s 1977 administration.  Lance’s aim was to save money by adopting a fiscal policy that focused on needed repairs.  Over time, this colloquialism has come to represent a pragmatic approach to “triaging” issues.  When it comes to cyber-security readiness, however, this approach is ill-advised.  Put another way, the fact that your organization has not experienced a security incident to date should not be rationale for maintaining the status quo.</p>
<p>Data breaches are the leading threat in today’s digital world, with a new cyberattack occurring approximately every 39 seconds. <strong>Non-profit organizations are increasingly being targeted</strong> by cybercriminals, not only because of the wealth of data they possess, but because they simply do not take the same precautions or employ the same resources as their for-profit counterparts.  In fact, small-to-medium-sized organizations are more likely to be targeted by hackers for that very reason.</p>
<p>The financial cost of managing a data breach is well documented.  A recent study estimated the average cost of a breach in 2021 at 4.24 million dollars, a 10% rise from 2019.  Although less tangible, the potential loss of trust of the nonprofit’s donors, volunteers and the community can be significant. Such a loss is not only difficult to restore, it can also affect fundraising activities, volunteer engagement, and partnerships with other organizations for years to come.</p>
<p>For organizations seeking to decrease their cybersecurity vulnerabilities, a good first step is to obtain a comprehensive understanding of the current risk environment. For example, what kind of data does your organization collect, store, share and transmit?  Where and how is the data being stored, and who has access to it?  How does the organization transmit data? (Data transmission is often one of the most significant vulnerabilities; any time data is sent from one location to another, there is a risk of interception.) During the COVID-19 pandemic, the risk of insecure data transfer has increased as more and more individuals have begun accessing critical data from personal mobile devices or using personal digital storage solutions.  These weak points can be assessed through a data-privacy audit, and the information gathered can then be used to strengthen the organization’s cyber-readiness.</p>
<p>Additionally, organizations should consider implementing the following measures:</p>
<p><strong><em>Implement (Or Update) Organization-Wide Cybersecurity Policies</em></strong><br />
The first step in ensuring the security of an organization’s data is to have consistent, documented cybersecurity policies in place for all employees to follow.</p>
<p><strong><em>Provide Ongoing Cybersecurity Training</em></strong><br />
Next, all individuals within the organization who have access to secure data should receive annual cybersecurity training.</p>
<p><strong><em>Focus Your Cybersecurity Efforts/Reevaluate Third-Party Vendors</em></strong><br />
Focus on the security controls that would be most effective given your specific needs and resources. And because many breaches result from the actions or omissions of third-party vendors who store an organization’s data, review the legal terms of all such agreements to make sure they contain appropriate terms and conditions to protect your organization (<em>read</em> <em><a href="/are-you-protected-five-points-to-include-in-every-technology-agreement/">Are You Protected? Five Points to Include in Every Technology Agreement</a>).</em></p>
<p><strong><em>Create A Data Retention and Deletion Policy</em></strong><br />
Most organizations collect more data than they need, and hold the data longer than necessary or practical.  The more data your organization stores, the greater the liability if a breach occurs.  It is imperative that organizations adopt a policy that dictates the types of data to be stored, and when/how that data is deleted when no longer relevant.</p>
<p><strong><em>Prepare for the Unexpected</em></strong><br />
Every organization needs a plan for what to do in case of a data breach. An incident response can help organizations plan to comply with applicable laws and regulations, and launch a rapid and coordinated response that will mitigate the damaging consequences of a data breach.  On a side note, the recently enacted NY SHIELD Act requires organizations that collect information from NY residents to have both a Data Retention and Deletion policy as well as an Incident Response plan in place, among other requirements (<em>read</em> <em><a href="/shield-act-new-york-state-mind-privacy/">The SHIELD Act – A New York State of Mind … and Privacy</a>).</em></p><p>The post <a href="https://dev.staging-perlmanandperlman.com/cyber-readiness-if-it-aint-broke-you-may-still-want-to-fix-it/">Cyber Readiness – If it Ain’t Broke, You May Still Want to Fix It…</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>DAOs and the Nonprofit Sector &#8211; How Can they Work Together?</title>
		<link>https://dev.staging-perlmanandperlman.com/daos-and-the-nonprofit-sector-how-can-they-work-together/</link>
		
		<dc:creator><![CDATA[Perlman & Perlman]]></dc:creator>
		<pubDate>Tue, 25 Jan 2022 18:34:06 +0000</pubDate>
				<category><![CDATA[Charitable Solicitation & Fundraising]]></category>
		<category><![CDATA[Corporate Structure]]></category>
		<category><![CDATA[Federal Oversight]]></category>
		<category><![CDATA[Fundraising Compliance]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Nonprofit]]></category>
		<category><![CDATA[Nonprofit & Tax Exempt Organizations]]></category>
		<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<category><![CDATA[Blockchain]]></category>
		<category><![CDATA[Cryptocurrency]]></category>
		<category><![CDATA[DAO]]></category>
		<category><![CDATA[decentralized autonomous organization]]></category>
		<category><![CDATA[Donation of cryptocurrency]]></category>
		<guid isPermaLink="false">https://dev.staging-perlmanandperlman.com/?p=9038</guid>

					<description><![CDATA[<p>Last November, a group of crypto investors decided to try to buy an original copy of the U.S. Constitution which was coming up for auction at Sotheby’s on November 18, 2021.&#160;But first, they had to solve a problem – the document, one of just thirteen surviving copies of the original printing of the Constitution, was [&#8230;]</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/daos-and-the-nonprofit-sector-how-can-they-work-together/">DAOs and the Nonprofit Sector – How Can they Work Together?</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></description>
										<content:encoded><![CDATA[<p id="ftnref1">Last November, a group of crypto investors decided to try to buy an original copy of the U.S. Constitution which was coming up for auction at Sotheby’s on November 18, 2021.<a href="#ftn1"><sup style="font-size: 16px;">1</sup></a>&nbsp;But first, they had to solve a problem – the document, one of just thirteen surviving copies of the original printing of the Constitution, was expected to fetch between 15 and 25 million dollars.<a href="#ftn1"><sup style="font-size: 16px;">2</sup></a>&nbsp;The group didn’t have that kind of cash, but what they did have was knowledge of a cutting edge organizational and fundraising tool called a&nbsp;<em>decentralized autonomous organization</em>&nbsp;(DAO).<a href="#ftn1"><sup style="font-size: 16px;">3</sup></a></p>



<p>Within a week, the group created the ConstitutionDAO, organized its followers on Discord (a messaging and community platform), and raised roughly $47 million in virtual currency.<a href="#ftn1"><sup style="font-size: 16px;">4</sup></a>&nbsp;Armed with their new war chest, the group bid on, but ultimately failed to win, the Sotheby’s auction, losing out to a hedge fund billionaire who purchased the copy of the Constitution for $43.2 million (the Constitution DAO had withheld some funds to cover costs associated with winning the auction).<a href="#ftn1"><sup style="font-size: 16px;">5</sup></a></p>



<p>Following their loss, the creators of the group were faced with what to do with the virtual currency sitting in the DAO’s treasury. Many of the community members sought refunds, only to learn that the transaction costs (also known as gas fees) would eat up much of their original contribution.<a href="#ftn1"><sup style="font-size: 16px;">6</sup></a>&nbsp;Ultimately, the ConstitutionDAO’s founders decided to shut it down.<a href="#ftn1"><sup style="font-size: 16px;">7</sup></a>&nbsp;The token issued in connection with the project, originally intended to be used to allow holders to vote on what the DAO would do in the future, lives on, with some holders still hoping to profit.<a href="#ftn1"><sup style="font-size: 16px;">8</sup></a></p>



<p>What if the ConstitutionDAO had succeeded? Who would have “owned” the copy of the Constitution the group would have purchased? In a later interview one of the founders of ConstitutionDAO, Jonah Erlich, disclosed that the group had partnered with a traditional nonprofit organization that would have had legal custody of the Constitution.<a href="#ftn1"><sup style="font-size: 16px;">9</sup></a>&nbsp;The fact that this new type of organization would be reliant on a traditional nonprofit provides excellent insight into the emerging world of DAOs. It also gives us an entry point to examine this new structure.</p>



<p><strong>WHAT ARE DAOS?</strong></p>



<p>In a traditional corporation or limited liability company, the organization is formed by filing paperwork with a government office, typically a state’s Department of State. By creating a legal entity, the people behind the organization are protected from liability. When someone sues a corporation over a contract dispute or other liability, the directors, officers, employees, members, and volunteers are not liable individually. Rather, it’s the corporation that must answer for its liabilities.</p>



<p>In a DAO, however, there is no formal legal entity. Built using the same blockchain technologies that underlie the virtual currency ecosystem, DAOs are organizations that are never incorporated in any state (with limited exceptions). The founders create the DAO, and it simply exists.</p>



<p id="ftnref10">While DAOs’ actual structures vary, most DAOs issue a token that gives members of the DAO voting rights. Once tokens are issued, all token holders are allowed to vote on decisions. The idea, touted by DAO supporters, is that this new structure democratizes organizational decision-making, placing it in the hands of the members. An oversimplified comparison would be a for-profit company that has no paid executives or board of directors, making every decision by allowing all shareholders to vote.</p>



<p>Although the ConstitutionDAO is a well-known example, DAOs are proliferating in the nonprofit community. Here are a few interesting examples: DiatomDAO is raising support to protect the oceans;<a href="#ftn1"><sup style="font-size: 16px;">10</sup></a>&nbsp;KlimaDAO hopes to speed up solutions for climate change by increasing the price of carbon assets;<a href="#ftn1"><sup style="font-size: 16px;">11</sup></a>&nbsp;Bloomeria is using NFTs to increase biodiversity;&nbsp;<a href="#ftn1"><sup style="font-size: 16px;">12</sup></a>&nbsp;and The Regen Network is issuing a token as part of a group of entities to realign the agricultural economy with ecological health.<a href="#ftn1"><sup style="font-size: 16px;">13</sup></a></p>



<p>While each of the foregoing organizations uses the language of the DAO and decentralization, they also demonstrate how the DAO community encompasses many different structures. For instance, the Regen Network is comprised of a traditional C-Corporation, a traditional 501(c)(3) public charity, and a decentralized DAO program.<a href="#ftn1"><sup style="font-size: 16px;">14</sup></a>&nbsp;The DiatomDAO is purely a decentralized entity, “owned and directed” by its token holders (see more on this below). The ConstitutionDAO, while operated as a decentralized DAO, would have relied on a traditional 501(c)(3) public charity (one named EnDAOment<a href="#ftn1"><sup style="font-size: 16px;">15</sup></a>) had it won the Sotheby’s auction and needed a legal entity with which to hold the copy of the Constitution. As you can see, while many groups use the mantle of “DAO”, the term encompasses many different structures.</p>



<p><strong>WHAT ARE THE BENEFITS OF DAOS?</strong></p>



<p id="ftnref16">Now that we’ve discussed what DAOs are, and seen some examples, let’s step back to consider what DAO proponents like about the structure. In theory, a pure DAO offers each supporter the opportunity to participate in the group’s decision-making. If a member of a charitable DAO wants to make a grant, they would propose it to the rest of the DAO community. The members then hold a vote. Using this structure, a DAO represents a more direct form of organizational decision-making and, for donors, more direct-action philanthropy.</p>



<p>Further, by avoiding any legal structure, some DAO proponents believe this new structure will give DAOs greater flexibility. Without a state’s laws dictating how decisions have to be made or how boards have to be structured, a DAO might be nimbler. Some libertarians believe that DAOs, who have no real jurisdictional nexus to any state, might even be able to avoid generally applicable laws.<a href="#ftn16"><sup style="font-size: 16px;">16</sup></a></p>



<p><strong>WHAT ARE THE DRAWBACKS OF DAOS?</strong></p>



<p>While there is a lot to be excited about with DAOs, they use an organizational structure that is in its infancy, with many more questions than answers. One critique is that the voting structure adopted by most DAOs (1 token = 1 vote) replicates existing problems with shareholder structures, namely, that the larger shareholders control organizational decision-making, alienating smaller shareholders. If one person holds 60% of the DAO’s tokens and the DAO implements a 50+1% vote threshold, decision-making could be even more centralized than it would be in a traditional organization with a board and executives who can counterbalance a large shareholder’s interests. The DAO community has proposed some possible solutions to this problem, such as limiting votes to one per token holder, or creating non-transferable tokens to limit token hoarding. Each of these solutions has drawbacks, but they could drive decision-making closer to the idealized notion of the DAO.</p>



<p id="ftnref17">Another issue is the legal uncertainty of DAOs. Assume that the libertarian notion that DAOs are legally unaccountable as organizations, since they are not organized in any state nor do they have any other jurisdictional nexus with any local, state, or federal government. That might put the DAO beyond the reach of regulators and law enforcement, but it would not exempt the individuals participating in or working for the DAO, all of whom are real people subject to normal laws. Actually, the idea of a group of people running an unincorporated organization isn’t new. In New York, for instance, such an entity would be deemed an “unincorporated association.” Under longstanding common law, an unincorporated association is not legally separate from the members who comprise it.<a href="#ftn16"><sup style="font-size: 16px;">17</sup></a>&nbsp;That means that members of a DAO could be taking on direct legal risk from their participation in the DAO. If the DAO were to breach a contract, discriminate against an employee, or cause other real-world harm, the DAO’s members might be jointly and severally liable.</p>



<p>It’s also an open question whether regulators will share the libertarian view that DAOs are not subject to local, state, or federal laws. It wouldn’t be surprising to see the Securities and Exchange Commission (SEC) bring an enforcement action against a DAO, given that it has already notified the Decentralized Finance (DeFi) community that it considers many DeFi products analogous to products regulated by the Commission.<a href="#ftn16"><sup style="font-size: 16px;">18</sup></a>&nbsp;The SEC has already brought an enforcement action against a Wyoming organization operating under the guise of a DAO, albeit only after the entity sought SEC approval to register two tokens as securities.<a href="#ftn16"><sup style="font-size: 16px;">19</sup></a></p>



<p>Finally, DAOs in the philanthropic sector face the additional hurdle of providing tax-deductibility to donors. In general, a contribution to a non-charitable intermediary doesn’t allow a donor to take a tax deduction. Whether a contribution to a DAO’s treasury is deductible isn’t clear,<a href="#ftn16"><sup style="font-size: 16px;">20</sup></a>&nbsp;as it depends on how the entity is treated for tax purposes, whether its distributions would otherwise qualify for a tax deduction, and whether it is considered an agent for the donors or the beneficiary charities. A person hoping for a tax deduction should contact a tax professional to examine the particular DAO’s structure and the taxpayer’s circumstances. To date, I’m unaware of any DAO specifically advertising the deductibility of contributions to its treasury, or of any having considered tax-deductibility as part of its DAO structure (except, of course, for DAOs like Endaoment and Regen Network that operate using a traditional 501(c)(3) corporate structure).</p>



<p><strong>WHAT’S NEXT FOR DAOS?</strong></p>



<p id="ftn1">Despite the novelty of and the uncertainty surrounding DAOs, their popularity is undeniable. This was exemplified by the incredible enthusiasm around ConstitutionDAO. Taking advantage of the late 2021 surge in the value of many cryptocurrencies, DAOs provide an opportunity for the crypto community to put its assets to work in novel ways, including philanthropy. While they are evolving, DAOs will likely persevere, barring regulatory intervention to shut them down. Donors and charities looking to participate in the DAO community should do so carefully, and with the benefit of advisors familiar with the DeFi and DAO space.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p style="font-size:14px"><a href="#ftnref1">1</a>&nbsp;<a href="https://www.sothebys.com/en/digital-catalogues/the-constitution-of-the-united-states" target="_blank" rel="nofollow noopener">https://www.sothebys.com/en/digital-catalogues/the-constitution-of-the-united-states</a></p>



<p style="font-size:14px"><a href="#ftnref1">2</a>&nbsp;Id.</p>



<p style="font-size:14px"><a href="#ftnref1">3</a>&nbsp;<a href="https://www.theverge.com/22820563/constitution-meme-47-million-crypto-crowdfunding-blockchain-ethereum-constitution" target="_blank" rel="nofollow noopener">https://www.theverge.com/22820563/constitution-meme-47-million-crypto-crowdfunding-blockchain-ethereum-constitution</a></p>



<p style="font-size:14px"><a href="#ftnref1">4</a>&nbsp;<a href="https://www.constitutiondao.com/" target="_blank" rel="noopener nofollow" title="">https://www.constitutiondao.com/</a></p>



<p style="font-size:14px"><a href="#ftnref1">5</a>&nbsp;<a href="https://www.vice.com/en/article/qjb8xv/hedge-fund-ceo-who-bailed-out-gamestop-short-seller-bought-the-constitution" target="_blank" rel="nofollow noopener">https://www.vice.com/en/article/qjb8xv/hedge-fund-ceo-who-bailed-out-gamestop-short-seller-bought-the-constitution</a></p>



<p style="font-size:14px"><a href="#ftnref1">6</a>&nbsp;<a href="https://www.theverge.com/2021/11/24/22800995/constitutiondao-refund-progress-steep-gas-fees-cryptocurrency" target="_blank" rel="nofollow noopener">https://www.theverge.com/2021/11/24/22800995/constitutiondao-refund-progress-steep-gas-fees-cryptocurrency</a></p>



<p style="font-size:14px"><a href="#ftnref1">7</a>&nbsp;<a href="https://www.theverge.com/2021/11/23/22799192/constitutiondao-shutting-down-lost-auction-refunds">https://www.theverge.com/2021/11/23/22799192/constitutiondao-shutting-down-lost-auction-refunds</a></p>



<p style="font-size:14px"><a href="#ftnref1">8</a>&nbsp;The latest price quote for the PEOPLE token can be found at&nbsp;&nbsp;<a href="https://coinmarketcap.com/currencies/constitutiondao/" target="_blank" rel="nofollow noopener">https://coinmarketcap.com/currencies/constitutiondao/</a>.</p>



<p style="font-size:14px"><a href="#ftnref1">9</a>&nbsp;<a href="https://www.theverge.com/22820563/constitution-meme-47-million-crypto-crowdfunding-blockchain-ethereum-constitution" target="_blank" rel="nofollow noopener">https://www.theverge.com/22820563/constitution-meme-47-million-crypto-crowdfunding-blockchain-ethereum-constitution</a>.</p>



<p style="font-size:14px"><a href="#ftnref10">10</a>&nbsp;<a href="https://diatom.fund/" target="_blank" rel="nofollow noopener">https://diatom.fund/</a></p>



<p style="font-size:14px"><a href="#ftnref10">11</a>&nbsp;<a href="https://www.klimadao.finance/" target="_blank" rel="nofollow noopener">https://www.klimadao.finance/</a></p>



<p style="font-size:14px"><a href="#ftnref10">12</a>&nbsp;<a href="https://bloomeria.org/" target="_blank" rel="nofollow noopener">https://bloomeria.org/</a></p>



<p style="font-size:14px"><a href="#ftnref10">13</a>&nbsp;<a href="https://www.regen.network/" target="_blank" rel="nofollow noopener">https://www.regen.network/</a></p>



<p id="ftn16" style="font-size:14px"><a href="#ftnref10">14</a>&nbsp;<a href="https://www.regen.network/faq/organization" target="_blank" rel="nofollow noopener">https://www.regen.network/faq/organization</a></p>



<p style="font-size:14px"><a href="#ftnref10">15</a>&nbsp;<a href="https://endaoment.org/" target="_blank" rel="nofollow noopener">https://endaoment.org/</a></p>



<p style="font-size:14px"><a href="#ftnref16">16</a>&nbsp;For instance, in his conversation on the Deep Background podcast, Erik Voorhees argued that a DAO could avoid the difficulties of employment law because no states employment laws would apply.&nbsp;<a href="https://www.pushkin.fm/episode/whats-the-deal-with-decentralized-autonomous-organizations/" target="_blank" rel="nofollow noopener">https://www.pushkin.fm/episode/whats-the-deal-with-decentralized-autonomous-organizations/</a></p>



<p style="font-size:14px"><a href="#ftnref17">17</a>&nbsp;See, generally, New York Elec. C. Assn. v. Local Union No. 3, (NY Sup. Ct. 1941), available at&nbsp;<a href="https://casetext.com/case/new-york-elec-c-assn-v-local-union-no-3" target="_blank" rel="nofollow noopener">https://casetext.com/case/new-york-elec-c-assn-v-local-union-no-3</a></p>



<p style="font-size:14px"><a href="#ftnref17">18</a>&nbsp;<a href="https://www.sec.gov/news/statement/crenshaw-defi-20211109" target="_blank" rel="nofollow noopener">https://www.sec.gov/news/statement/crenshaw-defi-20211109</a></p>



<p style="font-size:14px"><a href="#ftnref17">19</a>&nbsp;<a href="https://www.sec.gov/news/press-release/2021-231" target="_blank" rel="noopener nofollow" title="">https://www.sec.gov/news/press-release/2021-231</a>;&nbsp;<a href="https://www.coindesk.com/policy/2021/11/11/sec-stops-wyoming-based-dao-from-registering-2-digital-tokens/" target="_blank" rel="nofollow noopener">https://www.coindesk.com/policy/2021/11/11/sec-stops-wyoming-based-dao-from-registering-2-digital-tokens/</a>.</p>



<p style="font-size:14px"><a href="#ftnref17">20</a>&nbsp;For an excellent discussion, see Prof. Samuel Brunson’s blog post&nbsp;<a href="https://lawprofessors.typepad.com/nonprofit/2021/11/charitable-daos-revisited.html" target="_blank" rel="nofollow noopener">https://lawprofessors.typepad.com/nonprofit/2021/11/charitable-daos-revisited.html</a>.</p><p>The post <a href="https://dev.staging-perlmanandperlman.com/daos-and-the-nonprofit-sector-how-can-they-work-together/">DAOs and the Nonprofit Sector – How Can they Work Together?</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>What Nonprofits Should Be Asking About Virtual Currency Regulation and Fundraising</title>
		<link>https://dev.staging-perlmanandperlman.com/nonprofits-asking-virtual-currency-regulation-fundraising/</link>
					<comments>https://dev.staging-perlmanandperlman.com/nonprofits-asking-virtual-currency-regulation-fundraising/#respond</comments>
		
		<dc:creator><![CDATA[Perlman & Perlman]]></dc:creator>
		<pubDate>Mon, 11 Oct 2021 20:25:35 +0000</pubDate>
				<category><![CDATA[Charitable Giving]]></category>
		<category><![CDATA[Charitable Solicitation & Fundraising]]></category>
		<category><![CDATA[Fundraising Compliance]]></category>
		<category><![CDATA[IRS]]></category>
		<category><![CDATA[Nonprofit]]></category>
		<category><![CDATA[Nonprofit & Tax Exempt Organizations]]></category>
		<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<category><![CDATA[Cryptocurrency]]></category>
		<category><![CDATA[Donation of cryptocurrency]]></category>
		<category><![CDATA[virtual currency donation]]></category>
		<guid isPermaLink="false">https://dev.staging-perlmanandperlman.com/nonprofits-asking-virtual-currency-regulation-fundraising/</guid>

					<description><![CDATA[<p>Takeaway – Nonprofits can avoid risk by accepting and immediately liquidating donations of cryptocurrency. If they are planning to hold onto virtual currency for the long term, nonprofits should make sure they use platforms that are properly licensed and registered, and figure out how virtual currency can be incorporated into the nonprofit’s larger financial strategy. [&#8230;]</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/nonprofits-asking-virtual-currency-regulation-fundraising/">What Nonprofits Should Be Asking About Virtual Currency Regulation and Fundraising</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></description>
										<content:encoded><![CDATA[<p><em>Takeaway</em> – <em>Nonprofits can avoid risk by accepting and immediately liquidating donations of cryptocurrency. If they are planning to hold onto virtual currency for the long term, nonprofits should make sure they use platforms that are properly licensed and registered, and figure out how virtual currency can be incorporated into the nonprofit’s larger financial strategy. </em></p>
<p>Virtual currency is gaining mainstream attention with each passing day. Nonprofits such as <a href="https://bitpay.com/520663/donate" target="_blank" rel="noopener">the American Red Cross</a>, <a href="https://www.unicefusa.org/press/releases/unicef-launches-cryptocurrency-fund/36475" target="_blank" rel="noopener">UNICEF</a>, and <a href="https://www.cancer.org/involved/donate/more-ways-to-give/donate-cryptocurrency.html" target="_blank" rel="noopener">American Cancer Society</a> leverage platforms including <a href="https://www.thegivingblock.com/" target="_blank" rel="noopener">The Giving Block</a> and other services to accept a wide range of virtual currencies, as part of their overall fundraising strategies.</p>
<p>At our firm, we continue to work with nonprofit clients as they consider whether and how to fundraise using cryptocurrency. Here are a few questions we have been asked and other questions charities should be asking of potential fundraising platform partners.</p>
<h3>Frequently Asked Questions</h3>
<h4>Should we accept virtual currency?</h4>
<p>For many organizations, this is an easy answer – yes. There are few risks to accepting donations of virtual currency, especially if nonprofits immediately liquidate those donations.  Donors of virtual currency typically skew younger, possibly opening up a new demographic of supporters for the organization. The board should consider including virtual currency in its Gift Acceptance Policy, a document every organization should have to guide its board, executives, and staff in their development work.</p>
<h4>Should we immediately liquidate donations of virtual currency, or hold onto them?</h4>
<p>This is more difficult to answer, as it is based on how much risk the organization can tolerate. Virtual currency is <em>highly</em> volatile – its value can skyrocket or plummet within a matter of hours or days, making it a risky asset to hold onto. Whether to hold onto virtual currency is a decision that should be made with the input of a nonprofit’s board and executive team. If virtual currency is held as part of the organization’s investments, or if a donor asks the organization to hold the virtual currency as an endowment or long-term investment, the organization should consider how that fits within the organization’s overall investment strategy and portfolio, and the applicability of state laws governing the prudent management of institutional funds/assets.</p>
<p>One concern is <em>volatility</em> – few organizations want to see their donations halve in value. For many organizations, the potential upside isn’t worth the potential risk.</p>
<p>A second concern is <em>regulatory risk</em>. As the Chinese central bank, the SEC, FinCEN, the IRS, and other domestic and international regulators grapple with how to regulate virtual currency, the liquidity and accessibility of virtual currency markets are up in the air. Even major players like <a href="https://blog.coinbase.com/the-sec-has-told-us-it-wants-to-sue-us-over-lend-we-have-no-idea-why-a3a1b6507009" target="_blank" rel="nofollow noopener">Coinbase</a> and <a href="https://www.sec.gov/news/press-release/2020-338" target="_blank" rel="noopener">Ripple</a> have been subject to or threatened with regulatory action.</p>
<p>Charities are often cautious when holding virtual currency, concerned that the regulatory environment could shift in a way that devalues or freezes their holdings. If a nonprofit is using a virtual currency account on a platform that is subject to an SEC action, for instance, the platform might be forced to freeze transactions until such time as the SEC allows it to continue operations.</p>
<p>Organizations that are highly diversified and have the financial cushion to absorb a zeroing out of their virtual currency donations, taking into account the diversification of risk across the organization’s entire investment portfolio, might be comfortable with the risks of virtual currency. The potential upside of assets like Bitcoin is hard to ignore – despite volatility, Bitcoin’s value has been on a consistent march upward. Other coins, like Ethereum, have not been far behind. If your organization is willing to take the risk, and has considered the prudent investment regulatory considerations, you can create a wallet at a prominent, legally-compliant platform, park your virtual currency there, and “Hold On for Dear Life” (HODL, as some in crypto-world like to say).</p>
<p>Fortunately, the major virtual currency fundraising platforms allow immediate liquidation of donations. Again, this is the option chosen by most nonprofit organizations. As I mentioned above, nonprofits should include virtual currency in their Gift Acceptance Policy and Investment Policy to help guide their development professionals as they consider whether and how to accept virtual currency donations.</p>
<h4>How do we treat virtual currency for accounting purposes?</h4>
<p>Despite continued regulatory action in other parts of the crypto market, IRS rules around donations of virtual currency have been relatively stable. <a href="https://www.irs.gov/irb/2014-16_IRB#NOT-2014-21">Since 2014</a>, the IRS has been clear that virtual currency should be treated as property. A taxpayer donating virtual currency they have held for more than a year may deduct the fair market value of the currency at the time of its donation, similar to other forms of property, such as publicly-traded stocks. This provides a tax benefit to donors who invested in virtual currency in its infancy – they can support their favorite charities without being taxed on the gains they’ve enjoyed on paper.</p>
<p>This consistent treatment from the IRS means that charities can rest assured that they can accept virtual currency in the same way that they can accept donations of appreciated stock or other forms of property. The accounting department or external accountants should be able to handle booking donations of virtual currency without much trouble. A caveat is that, in a <a href="https://www.irs.gov/individuals/international-taxpayers/frequently-asked-questions-on-virtual-currency-transactions" target="_blank" rel="nofollow noopener">nonbinding FAQ</a>, the IRS has said that nonprofits must fill out <a href="https://www.irs.gov/forms-pubs/about-form-8282" target="_blank" rel="nofollow noopener">Form 8282</a> whenever the nonprofit sells, exchanges, or otherwise disposes of its virtual currency. This is a departure from the IRS’s treatment of virtual currency as akin to stocks, which a nonprofit can sell without filing Form 8282. While not insurmountable, nonprofits and their fundraising platforms should discuss how to operationalize capturing the information required for filing Form 8282.</p>
<h3>Questions to Ask a Fundraising Platform</h3>
<p>Now that we have considered some of the frequent questions nonprofits ask their advisers, let’s consider questions nonprofits should ask a prospective fundraising platform as part of their due diligence.</p>
<h4>Are you registered as a professional fundraiser?</h4>
<p>Fundraising is regulated in most states, with each state using its own regulatory regime. Individuals and organizations that support charities are often subject to laws regulating charitable solicitation (<a href="/wp-content/uploads/2022/12/Navigating-the-Maze_Tracy-Boak-Article1.pdf" target="_blank" rel="noopener">here’s an excellent overview from my colleague Tracy Boak</a>). Charities are affected by these regulations and are obliged to make sure they only partner with organizations that are properly registered and licensed, if required.</p>
<p>Many fundraising platforms (both traditional and those dealing with virtual currency) take the position that they are not professional fundraisers, due to the way they structure their platforms and services, e.g., because they don’t affirmatively solicit donations on behalf of any charity and don’t take custody of donations. Regardless, a platform should be able to tell you why it isn’t subject to fundraising registration requirements. By asking the question, nonprofits can rest assured their fundraising platform partner is on top of its compliance obligations.</p>
<h4>Are you registered as a Money Service Business or Money Transmitter?</h4>
<p>Money Service Business (MSB) and Money Transmitter (MT) regulations are implemented at the federal and state levels. Their purpose is to weed out fraud and money laundering in the money transmission business. Generally speaking, MSB and MT laws create licensing structures that require licensed entities to do some due diligence on their customers, including “KYC” (know your customer) and “AML” (anti-money laundering) requirements.</p>
<p>Since 2013, the Financial Crimes Enforcement Network (FinCEN) has applied money transmitter regulations to some entities within the virtual currency ecosystem. According to FinCEN, if a person or organization accepts money or another instrument with monetary value from one person and transmits it to another person, that person may be classified as a money transmitter under federal regulations. (A comprehensive rundown of FinCEN’s guidance is found <a href="https://www.fincen.gov/sites/default/files/2019-05/FinCEN%20Guidance%20CVC%20FINAL%20508.pdf" target="_blank" rel="nofollow noopener">here</a>). This means that any entity that accepts virtual currency from one party and transmits it to another party could be considered a money transmitter subject to the federal rules. The same rules apply if the entity accepts virtual currency, converts it to fiat currency (i.e., U.S. dollars), and transmits the fiat currency to another person or entity.</p>
<p>FinCEN does provide some exceptions, including those entities that only provide network access or serve as payment processors, exceptions which largely do not apply to crypto-fundraising. Whether a person or entity will be treated as a money transmitter is a facts-and-circumstances determination, but FinCEN clearly intends to define money transmission broadly and interpret its exceptions narrowly (see the discussion on pages 12-22 of the guidance linked above).</p>
<p>Nonprofits considering crypto-fundraising options should ask the potential partner whether it is registered as a money transmitter. If not, ask how they ensure that their services aren’t used inappropriately – do they work with a partner that is a licensed entity? Who does their KYC and AML compliance work?</p>
<h4>Do you accept anonymous donations?</h4>
<p>Anonymous donations are nothing new – charities have received anonymous donations large and small since long before the birth of cryptocurrency. But many charities are wary of the “dark side” of cryptocurrency and its reputation (rightly or wrongly earned) for facilitating illicit activity. Nonprofits should check with their potential fundraising platform to confirm whether they allow anonymous donations. If so, ask whether the donations are anonymous to the platform, or only to the charity. If the donation is anonymous to the platform, ask whether and how the platform ensures the anonymous donations aren’t connected with illicit activity. The answer may be that the platform does not, or cannot, do anything else to ascertain the identity of donors who wish to remain anonymous. If that is the case, the nonprofit should consider whether it is comfortable with the risks of accepting anonymous donations.</p>
<p>Those risks are generally the same as accepting any other high-value anonymous donation &#8211; that a donation of virtual currency could be traced back to illicit activity or a potential clawback, if the virtual currency that is donated doesn’t belong to the donor. One difference from anonymous donations of cash or other types of property is that the virtual currency environment is highly transparent, even if it may be highly anonymized. Bitcoin transactions are viewable on the blockchain, even if the participants in the transactions may remain anonymous.</p>
<h4>Do you issue donation receipts? Do you fill out Form 8282? Will we get a donor list?</h4>
<p>One of the core tasks in charitable fundraising is issuing receipts to donors. Donors need to keep those receipts on file, in case they want to claim a charitable deduction. Many platforms will create automatic receipts. Nonprofits should confirm that the receipts issued by their platform partners are compliant with IRS requirements, and ask for copies for their records.</p>
<p>Nonprofits should also ensure that the fundraising platform will provide them with a list of their donors, so they can build out their donor base.</p><p>The post <a href="https://dev.staging-perlmanandperlman.com/nonprofits-asking-virtual-currency-regulation-fundraising/">What Nonprofits Should Be Asking About Virtual Currency Regulation and Fundraising</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://dev.staging-perlmanandperlman.com/nonprofits-asking-virtual-currency-regulation-fundraising/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>NFTs and Charities – What’s New and What Isn’t?</title>
		<link>https://dev.staging-perlmanandperlman.com/nfts-charities-whats-new-isnt/</link>
					<comments>https://dev.staging-perlmanandperlman.com/nfts-charities-whats-new-isnt/#respond</comments>
		
		<dc:creator><![CDATA[Perlman &amp; Perlman]]></dc:creator>
		<pubDate>Fri, 02 Apr 2021 12:30:52 +0000</pubDate>
				<category><![CDATA[Charitable Giving]]></category>
		<category><![CDATA[Fundraising Compliance]]></category>
		<category><![CDATA[International Philanthropy]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Nonprofit]]></category>
		<category><![CDATA[Nonprofit & Tax Exempt Organizations]]></category>
		<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<category><![CDATA[Beeple]]></category>
		<category><![CDATA[Blockchain]]></category>
		<category><![CDATA[Ether]]></category>
		<category><![CDATA[NFT]]></category>
		<category><![CDATA[Non-Fungible Tokens]]></category>
		<guid isPermaLink="false">https://dev.staging-perlmanandperlman.com/nfts-charities-whats-new-isnt/</guid>

					<description><![CDATA[<p>Takeaway – NFTs are gaining popularity. Charities are considering how they can take advantage of the NFT craze. In many ways, digital artwork and other digital assets are analogous to traditional artwork and physical assets. Nonprofits may need to conduct additional diligence on the platforms they use and organizations with which they partner. Traditional compliance [&#8230;]</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/nfts-charities-whats-new-isnt/">NFTs and Charities – What’s New and What Isn’t?</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></description>
										<content:encoded><![CDATA[<p><em>Takeaway – NFTs are gaining popularity. Charities are considering how they can take advantage of the NFT craze. In many ways, digital artwork and other digital assets are analogous to traditional artwork and physical assets. Nonprofits may need to conduct additional diligence on the platforms they use and organizations with which they partner. Traditional compliance issues, such as charitable solicitation registrations, tax compliance, and contract matters should also be considered. </em><br />
<em>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</em></p>
<p>You may have heard a LOT about “NFTs”, or non-fungible tokens, recently. The buzz around NFTs reached a crescendo on March 11, when <a href="https://www.beeple-crap.com/about" target="_blank" rel="noopener">Beeple’s</a> digital artwork with a unique NFT sold in a <a href="https://onlineonly.christies.com/s/beeple-first-5000-days/lots/2020" target="_blank" rel="noopener">Christie’s digital auction</a> for <a href="https://www.christies.com/features/Monumental-collage-by-Beeple-is-first-purely-digital-artwork-NFT-to-come-to-auction-11510-7.aspx">over $69 million</a>.  Basketball fans are trading <a href="https://nbatopshot.com/" target="_blank" rel="noopener">digital highlights in NFT form</a> in an online marketplace. Charmin is even getting in on the NFT-craze, selling <a href="https://rarible.com/charmin" target="_blank" rel="noopener">unique toilet-paper inspired digital artwork</a> to raise money for <a href="https://www.directrelief.org/" target="_blank" rel="noopener">Direct Relief</a>.</p>
<p>Given the amount of money swirling around NFTs and the digital art world, nonprofits and their benefactors have started to consider how to leverage the new technology for charitable ends. With any new technology come questions, and in this article I will try to cover some considerations for nonprofits that are getting into the NFT-craze.</p>
<p><em>The Basics – What Are NFTs?</em><br />
NFTs (non-fungible tokens) are a fully-digital method of proving ownership of an asset. Most assets associated with NFTs are digital assets, but NFTs could be implemented with physical assets as well. In the same way that a unique piece of art might come with a certificate of authenticity and history of ownership, NFTs use a technology that was originally developed in connection with virtual currency (called <a href="https://www.ibm.com/blockchain/what-is-blockchain" target="_blank" rel="noopener">blockchain</a>) to record and track ownership. Blockchain uses cryptography to validate transactions, making the system relatively secure. Blockchains can be private or public, depending on the use case, and NFTs are mostly stored on a <a href="https://www.cnbc.com/2021/03/23/how-to-create-buy-sell-nfts.html" target="_blank" rel="noopener">public-based blockchain associated with the cryptocurrency Ethereum</a>.</p>
<p>Almost anything digital can be ascribed an NFT. A <a href="https://www.cnn.com/2021/03/23/tech/jack-dorsey-nft-tweet-sold/index.html">tweet</a> can be given an NFT and sold. The rights to <a href="https://www.wsj.com/articles/nfts-are-music-industrys-latest-big-hit-11616491801">music</a> can be sold using an NFT.  Uses for NFTs, and the <a href="https://www.businessinsider.com/blockchain-technology-applications-use-cases" target="_blank" rel="noopener">underlying blockchain</a>, are seemingly endless – anything that involves tracking custody, ownership, or use could make use of NFTs and blockchain.  Whether or not businesses and consumers will want to buy, sell, and store an asset’s ownership records digitally on the blockchain is a different question – while cryptocurrency and blockchain supporters have been touting the technologies for over a decade, blockchain and NFTs have only gone mainstream publicly in the past few months.</p>
<p>Some people question the value of some NFT assets – who really wants to own the rights to an NBA highlight that is available on YouTube for free? Apparently a lot of people (at the time of writing, a <a href="https://nbatopshot.com/listings/p2p/a494c64e-9e93-418c-8934-f331ee47a39b+768166e3-f4bb-4395-9b48-4c545aebc95c" target="_blank" rel="noopener">Lebron James dunk is listed at $250,000</a> – it is a very good dunk). The original Mona Lisa painting is extremely valuable, and its worth isn’t decreased by additional prints being sold or versions being viewable for free online. Ownership is key to the asset’s value, whether we’re talking about a physical painting or a digital highlight.</p>
<p><em>NFTs and Charities – Similar to Auctions of Traditional Art</em><br />
When an NFT is auctioned to benefit charity, it is deeply analogous to a traditional art auction (<a href="https://www.perlmanandperlman.com/1399-2/" target="_blank" rel="noopener">a topic I discussed in another post</a>). If the artist or collector who donates a piece of digital art for sale at a charity auction wants to receive a charitable deduction, they may need to get an appraisal. The charity will need to be careful to keep records related to the donation and valuation of the asset. Prospective bidders should be told what the value of the item is, assuming a reasonable value can be determined. And winning bidders must be given a receipt which describes how much of the amount paid exceeds the fair market value of the item, if any.</p>
<p>Valuation of NFT-assets will be an extremely nuanced part of the charity auction process because the market for NFTs is so new and valuations fluctuate wildly. As an example, last year Beeple “dropped” artwork on an NFT marketplace that was resold. Between <a href="https://twitter.com/beeple/status/1361719835609169923?lang=en" target="_blank" rel="noopener">October 30, 2020 and January 9, 2021</a>, a piece that sold for $1 was resold 10 times and increased in value to $7000. Any artist, donor, or charity that places a valuation on donated digital artwork or other NFT-assets should consult with experts to document the valuation appropriately and ensure that everything is properly recorded and filed.</p>
<p><em>NFTs and Charities – New Platforms and New Problems</em><br />
When Beeple’s Christie’s auction concluded, the winner paid in cryptocurrency, typical of many of the NFT marketplaces that use the Ethereum-based cryptocurrency Ether. NBA Top Shot, in contrast, will let you sign up with a credit card. As donors and charities work through the various platforms to decide with whom they want to partner to host an NFT auction, they need to consider what methods of payment are available and who their target audience will be. If the pool of potential bidders is Beeple-crazed crypto-enthusiasts, an NFT platform that requires Ether will probably work just fine. If, on the other hand, a charity wants to engage its traditional donor-base, it may want to find an auction platform that can receive traditional payments.</p>
<p>If the auction invites bids in cryptocurrency, the charity also needs to think through whether to hold that currency or convert it into fiat currency immediately upon receipt. Many charities, in the wake of the cryptocurrency boom of 2017, developed policies related to holding cryptocurrency – typically, the currencies were liquidated immediately upon receipt. Charities should consider crypto as a highly volatile asset, with potentially huge upsides and downsides. Most charities hold minimal amounts of crypto and only as part of a comprehensive, diversified investment strategy.</p>
<p>If the charity expects an auction to generate a lot of interest and a lot of funding, the charity needs to do some due diligence on the platform with which it plans to work. With the interest in NFTs surging, so are the numbers of outlets that claim to support NFT marketplaces. If a charity wants to partner with a relatively new platform, the charity should vet the platform to make sure it is capable of performing – that it can host the auction, accept the payments, and deliver the winnings to the charity. Charities should make sure their agreement with the platform is crystal clear in terms of fees, timing, and the risk of loss if something should happen to an asset. Charities need to work with the platforms to make sure disclosures to bidders and donors are very clear on how the auction or donation will work – some states have begun to <a href="https://www.perlmanandperlman.com/california-proposes-law-regulate-online-fundraising-platforms/">consider required disclosures for fundraising platforms</a>, which can serve as a guide for charities and platforms.</p>
<p>Finally, some platforms that are operating in the NFT, blockchain, and cryptocurrency spaces may be subject to regulation as money transmitters, payment processors, or financial institutions. If a charity plans to store its assets with a platform that provides payment processing services, the charity should confirm that the platform is appropriately registered or is exempt from regulation.</p>
<p><em>Art Charities and NFTs</em><br />
Similar to the concerns outlined above about vetting platforms, if an art-based charity wishes to accept a donation of NFT artwork to retain as part of its collection, the charity needs to work through the many issues around accepting and storing NFT artwork. Review the terms and conditions of any third-party platform involved in hosting or displaying the artwork. Work with the artist or collector to confirm details around the transfer, valuation, receipt, and the costs associated with the transfer on the network. Many of the tax rules governing NFT-art donations will be identical to those applicable to donations of physical art.</p>
<p><em>International Concerns</em><br />
One of the appealing aspects of NFTs and blockchain is that transactions are borderless and frictionless. A digital marketplace based on the Ether cryptocurrency can receive payment without worrying about converting currency; there are no costs for shipping and the purchases can be delivered instantaneously. A charity that is considering receiving digital payments, selling digital goods, or transferring digital assets using NFTs or cryptocurrency has to be conscious of the risks associated with international transfers. The U.S. Department of the Treasury’s Office of Foreign Assets Control has published <a href="https://www.treasury.gov/resource-center/terrorist-illicit-finance/pages/protecting-index.aspx" target="_blank" rel="noopener">some guidance</a> for charities working internationally, both in the context of specific countries as well as more generally. Charities should be cognizant of the risk posed by receiving large payments from or sending payments to individuals or organizations that are overseas and may only be known as a username or Ethereum address. Charities should work with their advisors to ensure they are taking reasonable precautions to avoid the legal and reputational trouble that could arise if the charity does business with disreputable donors or recipients. Additionally, the platforms dealing in NFTs and online fundraising may also have “Know Your Customer” requirements – charities should check with the platform that they are compliant with any applicable rules.</p>
<p><em>Other Compliance</em><br />
Whether a nonprofit holds an auction online or in person, selling digital or physical art, there are traditional fundraising compliance considerations that will apply. Depending on the state in which the nonprofit is operating, the nonprofit may be required to register (my colleague Tracy Boak has a great article discussing <a href="https://www.perlmanandperlman.com/wp-content/uploads/2015/10/Navigating-the-Maze_Tracy-Boak-Article1.pdf" target="_blank" rel="noopener">charitable fundraising regulation</a>). Depending on the nature of the items sold and where buyers are located, there may be sales tax considerations. Charities should check with their advisers to confirm they have considered all legal aspects of online fundraising compliance.</p><p>The post <a href="https://dev.staging-perlmanandperlman.com/nfts-charities-whats-new-isnt/">NFTs and Charities – What’s New and What Isn’t?</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://dev.staging-perlmanandperlman.com/nfts-charities-whats-new-isnt/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>2021 &#8211; A Very Private New Year &#8211;  Steps all Nonprofits Can Take</title>
		<link>https://dev.staging-perlmanandperlman.com/2021-private-new-year-steps-nonprofits-can-take/</link>
					<comments>https://dev.staging-perlmanandperlman.com/2021-private-new-year-steps-nonprofits-can-take/#respond</comments>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Wed, 20 Jan 2021 22:21:40 +0000</pubDate>
				<category><![CDATA[Nonprofit]]></category>
		<category><![CDATA[Nonprofit & Tax Exempt Organizations]]></category>
		<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[New York SHIELD Act]]></category>
		<category><![CDATA[Privacy]]></category>
		<guid isPermaLink="false">https://dev.staging-perlmanandperlman.com/2021-private-new-year-steps-nonprofits-can-take/</guid>

					<description><![CDATA[<p>It’s the time of year when we set goals for self-improvement and make our New Year’s resolutions.  One resolution I suggest that nonprofit executives include is the improvement of data privacy practices. As reported by the Identity Theft Resource Center and CyberScout, 2019 saw the total number of data breaches increase 17% over 2018. The [&#8230;]</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/2021-private-new-year-steps-nonprofits-can-take/">2021 – A Very Private New Year –  Steps all Nonprofits Can Take</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>It’s the time of year when we set goals for self-improvement and make our New Year’s resolutions.  One resolution I suggest that nonprofit executives include is the improvement of data privacy practices. As reported by the Identity Theft Resource Center and CyberScout, 2019 saw the total number of data breaches increase 17% over 2018. The 2019 reporting year also saw a return to the pattern of the ever-increasing number of breaches and volume of records exposed.</p>
<p>As most organizations continue to have a significant portion of their workforce work remotely, 2020 will likely show a significant uptick in unauthorized access to personal information. Additionally, the average cost for each lost or stolen record containing sensitive and confidential information increased by 4.8 percent year over year to $148. Such financial repercussions, as well as the risk of incurring reputational harm that could follow unauthorized access of customer data, indicate that privacy and cyber security should be a top concern.</p>
<p>Nonprofit organizations hold a variety of personal information on behalf of their constituents and employees, and it is incumbent upon them to safeguard that information. The fact is that with each passing year, the number of data breaches grows, and the related financial cost and reputational harm along with it. Additionally, the regulatory landscape is becoming more complex, requiring organizations to comply with an increasing number of requirements or face penalties.</p>
<p>Due to the continued need to protect information, New York State enacted the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) on March 21, 2020. This new law applies to any organization that receives or collects private information about New York residents through the Internet, and requires, among things that your organization. The Act requires specific actions and imposes a variety of obligations, and significant fines may be levied for non-compliance. Among other requirements, to meet the SHIELD Act requirements organizations must:</p>
<ol>
<li>conduct a risk assessment of its cybersecurity program;</li>
<li>properly vet all third-party service providers to ensure they can comply with the NY SHIELD Act, and include in its contracts specific provisions related to cybersecurity practices;</li>
<li>have policies and procedures related to the deletion and/or disposal of data within a reasonable amount of time after it is no longer needed for business purposes;</li>
<li>develop and implement a written incident/data breach response plan so that you can comply swiftly and completely with the Act’s reporting requirements (or face potentially harsh penalties); and</li>
<li>designate a “point person” to coordinate your data-security program to meet compliance.</li>
</ol>
<p>The good news is that conducting a privacy audit can significantly reduce potential “data incidents” and minimize the related risks. It is also a big step toward achieving SHIELD compliance. A privacy audit is essentially a process to identify, across the organization (and chapters), the types of personal information collected, the ways in which it is protected, and with whom such information is shared.</p>
<p>The following risk assessment methodology is a good place to start.</p>
<ul>
<li><strong>Inventory</strong> – Locate the places in the organization (and vendors operating on its behalf) that house/store Personally Identifying Information (“PII”), identifying both electronic files/databases and physical files.</li>
<li><strong>Safeguards</strong> – Assess the safeguards in place – including the physical, administrative and technical controls – and whether they are adequate and reasonable considering the type of PII being stored (an SSN and an email address, for example, might warrant different levels of protection).</li>
<li><strong>Gaps</strong> – Determine the compliance gap – essentially the difference between what the organization should be doing and its actual practices.</li>
<li><strong>Risk Assessment</strong> – For most organizations there will be a number of gaps. As a first step, for the PII held in various locations and with various vendors, assess the risk of non-compliance, determine the impact of non-compliance and the likelihood of risk occurrence, and use this to help prioritize compliance efforts.</li>
<li><strong>Remediation</strong> – Depending upon the findings/conclusions in the previous steps, remediation should be a joint effort among various members of the organization to address and remedy any identified shortfalls/gaps.</li>
</ul>
<p>As organizations look to identify material risks and implement processes and procedures to protect their data and hence their missions &#8211; data privacy and cyber security will no doubt continue to be a critical concern.  Now is the right time to conduct a privacy audit.</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/2021-private-new-year-steps-nonprofits-can-take/">2021 – A Very Private New Year –  Steps all Nonprofits Can Take</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://dev.staging-perlmanandperlman.com/2021-private-new-year-steps-nonprofits-can-take/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Influencer Philanthropy and Social Media – What are the Rules, What are Best Practices?</title>
		<link>https://dev.staging-perlmanandperlman.com/influencer-philanthropy-social-media-rules-best-practices/</link>
					<comments>https://dev.staging-perlmanandperlman.com/influencer-philanthropy-social-media-rules-best-practices/#respond</comments>
		
		<dc:creator><![CDATA[Perlman &amp; Perlman]]></dc:creator>
		<pubDate>Tue, 01 Dec 2020 22:06:01 +0000</pubDate>
				<category><![CDATA[Charitable Giving]]></category>
		<category><![CDATA[Fundraising Compliance]]></category>
		<category><![CDATA[Nonprofit]]></category>
		<category><![CDATA[Nonprofit & Tax Exempt Organizations]]></category>
		<category><![CDATA[State Registration & Compliance]]></category>
		<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<category><![CDATA[charitable solicitation disclosures]]></category>
		<category><![CDATA[fundraiser]]></category>
		<category><![CDATA[influencer]]></category>
		<category><![CDATA[influencer philanthropy]]></category>
		<category><![CDATA[social media influencer]]></category>
		<guid isPermaLink="false">https://dev.staging-perlmanandperlman.com/influencer-philanthropy-social-media-rules-best-practices/</guid>

					<description><![CDATA[<p>*NOTE – links included herein are for informational purposes only. Neither the author nor the firm are in any way affiliated with any of the individuals or in any way endorse the influencers, their campaigns, or their beneficiaries* In the run up to this year’s presidential election, author Shea Serrano published A Difficult Conversation, a [&#8230;]</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/influencer-philanthropy-social-media-rules-best-practices/">Influencer Philanthropy and Social Media – What are the Rules, What are Best Practices?</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></description>
										<content:encoded><![CDATA[<p><em>*NOTE – links included herein are for informational purposes only. Neither the author nor the firm are in any way affiliated with any of the individuals or in any way endorse the influencers, their campaigns, or their beneficiaries*</em></p>
<p>In the run up to this year’s presidential election, author Shea Serrano published <a href="https://gumroad.com/sheaserrano#akjbPu" target="_blank" rel="noopener">A Difficult Conversation</a>, a guide to addressing the growing gap between the people who support Donald Trump and the people who do not. Priced at $0, it is a pay-what-you-want piece of art that, if you are familiar with Mr. Serrano’s <a href="https://twitter.com/sheaserrano" target="_blank" rel="noopener">Twitter feed</a>, surprised no one. What is surprising is how much people voluntarily paid for the free e-book – at least $98,160.84 to date. In response, Mr. Serrano and his wife decided to donate all of the proceeds to the causes <a href="https://twitter.com/SheaSerrano/status/1323668552801525761?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1323668552801525761%7Ctwgr%5E&amp;ref_url=https%3A%2F%2Fwww.newsweek.com%2Fauthor-donates-proceeds-trump-book-1544547" target="_blank" rel="noopener">they believe in</a>.</p>
<p>Mr. Serrano’s unexpected philanthropy fits a new pattern, for him and other social media celebrities. Celebrity philanthropy is not limited to the large televised “Live Aid” style fundraisers to raise awareness and funds for important causes.  While that model still exists, social media has created new avenues for small scale, targeted relief amplified by passionate digital followers.  In the early days of the COVID-19 pandemic, <a href="https://www.nytimes.com/2020/03/16/business/coronavirus-bills-charity.html" target="_blank" rel="noopener"> influencers made cash payments</a> to those impacted by shuttered businesses and missed paychecks. This new trend is getting increasing attention, including from at least one <a href="https://twitter.com/BarackObama/status/1240660587677450244?ref_src=twsrc%5Etfw">former President</a>.</p>
<p>While charities continue to directly raise funds from their current donors, they are finding new supporters through partnerships with these “<a href="https://www.wired.com/story/what-is-an-influencer/" target="_blank" rel="noopener">influencers</a>”, i.e. the individuals who have a large active following of enthusiastic fans on social media.  Influencers have been working with charities for some time, and we’ve long known that <a href="https://www.olapic.com/resources/consumers-follow-listen-trust-influencers_article/" target="_blank" rel="noopener">consumers respond</a> to them, in much the same way that celebrities shape consumer opinion in the for-profit world. What’s new is the way in which some influencers establish a relationship with their followers and charities; instead of entering into partnerships up front, social media and e-commerce allow influencers to raise large amounts of cash and distribute it to charities and directly to individuals without any extra infrastructure.</p>
<p>With innovations come new questions. In the case of <em>influencer philanthropy</em>, those questions tend to center on compliance. Influencers, and the charities they support, must take into account the social media platforms’ rules as well as local, state, and federal laws. In this article, I highlight some of the possible issues and considerations. I examine a few different fundraising strategies I’ve noticed. In each case, the considerations for charities may differ from those of influencers.  Some methods are straightforward, requiring little if any compliance consideration for influencers and charities. Methods involving partnerships with for-profit companies or cash giveaways by influencers can have tax and other compliance consequences.</p>
<p><strong>Summary of Influencer Fundraising Models</strong></p>
<p>There are a few ways that influencers try to do good. As described above, sometimes they publicize gifts after-the-fact, creating a halo effect for the influencer as well as spotlighting the charities or causes benefiting from the influencer’s gifts. For these after-the-fact gifts, there’s no pre-existing agreement between an influencer and the charity.  In fact, the charities or the individuals receiving gifts might not know that a gift is coming until they receive a check (or Venmo or CashApp or PayPal).</p>
<p>Another model that has emerged recently is the direct cash disbursement which is advertised in advance to the influencer’s followers. While these types of disbursements aren’t new, they became <a href="https://www.nytimes.com/2020/04/27/style/instagram-cash-giveaways-coronavirus.html" target="_blank" rel="noopener">prominent</a> in the early stage of the pandemic. Influencers told their followers that they had cash to give away – all followers had to do for a chance to receive some cash was comment on the influencer’s post and follow other Instagram accounts that had paid for the privilege of being part of the promotion. The influencer would, in turn, receive a payment from a social media marketing firm that set up the campaign.</p>
<p>A third method involves influencers asking their followers to send cash which the influencer will then distribute. The recipients of the cash vary – sometimes the funds are given to organizations, in other cases the money is <a href="https://abc30.com/restaurant-food-blogger-instagram/6405222/" target="_blank" rel="noopener">given to individuals</a> that the influencer deems worthy of support. At times the influencer will be specific about the organization or person that is the intended recipient, but many times the beneficiary is open-ended.</p>
<p>A fourth method involves for-profit charitable partnerships. For example, a dog-themed Instagram account raises awareness for a local shelter by telling their followers about a charitable sales promotion where the purchase of a particular dog food triggers a donation to the shelter. The influencer may be compensated by the for-profit, the nonprofit, or may receive no compensation at all, depending on the arrangement. Alternatively, an influencer might try to sell one of their own products (a book, for instance) and include a promise to donate some proceeds to charity.</p>
<p>Finally, some influencers simply attempt to drive traffic to individual fundraising campaigns that are already underway. One of Twitter’s most popular canine evaluation accounts, <a href="https://twitter.com/dog_rates" target="_blank" rel="noopener">@dog_rates</a>, highlights one or two fundraisers <a href="https://twitter.com/dog_rates/status/1327302822338195456" target="_blank" rel="noopener">every Friday</a> to support a dog and its humans. The influencer selects one campaign to highlight, driving small dollar donations from the account’s 8.8 million followers.</p>
<p><strong>Compliance Issues</strong></p>
<p>For each of the models described above, there are a few overarching compliance issues that influencers and charities need to consider. There may be tax consequences from their fundraising, for influencers, charities, or their donors. They must also review the terms and conditions for the sites on which they’re fundraising.</p>
<p><u>Platforms</u></p>
<p>The platforms’ rules are the first thing to review before launching a new fundraiser. <a href="https://www.facebook.com/fundraisers/about/personal-fundraising" target="_blank" rel="noopener">Facebook</a>, <a href="https://help.twitter.com/en/rules-and-policies/twitter-contest-rules" target="_blank" rel="noopener">Twitter</a>, and <a href="https://help.instagram.com/179379842258600" target="_blank" rel="noopener">Instagram</a> each publish specific rules governing promotions and fundraisers. In each case, some of each platform’s general guidelines will also apply to influencer fundraisers, such as the rules encouraging authenticity and discouraging fraud.</p>
<p><u>Federal Trade Commission</u></p>
<p>In addition to the platforms, the Federal Trade Commission (FTC) has published <a href="https://www.ftc.gov/system/files/documents/plain-language/1001a-influencer-guide-508_1.pdf" target="_blank" rel="noopener">guidelines</a> on the appropriate disclosures for influencer behavior. While targeted primarily at influencers working with for-profit brands, the disclosure guidelines are helpful for all influencers interacting with US users. These recommendations include:</p>
<ul>
<li>Tell users if you will receive any kind of financial, employment, personal, or other benefit in connection with a post</li>
<li>Ensure that disclosures are prominent</li>
<li>Use clear, simple language</li>
<li>Be honest</li>
</ul>
<p>These types of disclosures are especially important if an influencer’s post involves any possible compensation for the influencer. For instance, if the influencer is selling an item and promises that a portion of the proceeds will go to charity, they should be clear how much will be donated (a percentage or flat amount per sale), how long the promotion runs, which charity will receive the donation(s), and if there’s a minimum guaranteed donation. If the influencer is being paid to help drive dollars or attention to a charity or fundraiser, they should include a disclosure to that effect so their followers understand their motivation.</p>
<p><u>Taxes</u></p>
<p>Influencers, charities, and individuals each need to consider the tax consequences of online fundraisers. Whenever influencers collect donations from their followers, they may need to report those donations as income. There are exceptions where the influencer is acting as the agent for the recipient, but the default rule is generally that income is taxable. If the influencer makes a donation directly to an individual rather than to a charity, the individual should be able to treat the income as a gift (and therefore not taxable) but should check with a professional to confirm. There may be ways to structure a campaign to ensure the recipient doesn’t have a big tax bill if the fundraiser is especially successful.</p>
<p>Next, some donors want to know if their donation is tax-deductible. Although small donors aren’t typically taking their tax bill into consideration when they decide to send $10 to an influencer, the influencer collecting donations should clarify whether donors will be eligible for a tax deduction. There are multiple ways to structure campaigns that may permit donations to be tax-deductible.</p>
<p><u>State Registrations</u></p>
<p>If an influencer is receiving any kind of compensation in exchange for raising money for a charity, they may have to register to solicit with one or more states. They could be considered either a professional fundraiser or a commercial co-venturer, depending on the arrangement. Each state treats paid fundraisers differently, so the influencer must be careful to check with counsel who understands what filing requirements apply.</p>
<p><u>Best Practices</u></p>
<p>Regardless of what rules apply, best practices for any kind of fundraiser are diligence and transparency. Influencers can be diligent by planning out their posts and fundraisers. The first step is to research the charity that the influencer seeks to support. As multiple organizations may have confusingly similar names, checking will help to avoid directing someone to the wrong organization! Unless the influencer has first-hand knowledge of the charity, they should also review the charity’s most recent financial filings to make sure it is healthy and can legally use the funds the influencer plans to raise.</p>
<p>The influencer should get in touch if they have identified a charity they want to support. The charity may agree to collaborate to increase the influencer’s reach or, at the least, capitalize on the attention the influencer will bring. The charity may also want to set some guidelines, either through a formal agreement or just through discussions, to make sure the influencer doesn’t do or say anything that would harm the charity’s reputation or tax status.</p>
<p>Finally, the influencer should value transparency by explaining exactly what they plan to do with the money they raise, including the timing for distribution, the intended recipients, and what is yet unknown.  It’s possible that the influencer won’t know in advance who will receive the cash they raise, but that’s not necessarily a problem. If the influencer sets some criteria, that at least should be shared with their followers.</p><p>The post <a href="https://dev.staging-perlmanandperlman.com/influencer-philanthropy-social-media-rules-best-practices/">Influencer Philanthropy and Social Media – What are the Rules, What are Best Practices?</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://dev.staging-perlmanandperlman.com/influencer-philanthropy-social-media-rules-best-practices/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>We Won’t Get Fooled Again &#8211; Blackbaud Data Breach</title>
		<link>https://dev.staging-perlmanandperlman.com/wont-get-fooled-blackbaud-data-breach/</link>
					<comments>https://dev.staging-perlmanandperlman.com/wont-get-fooled-blackbaud-data-breach/#respond</comments>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Tue, 25 Aug 2020 18:04:24 +0000</pubDate>
				<category><![CDATA[Contracts & Commercial Transactions]]></category>
		<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[vendor contract]]></category>
		<guid isPermaLink="false">https://dev.staging-perlmanandperlman.com/wont-get-fooled-blackbaud-data-breach/</guid>

					<description><![CDATA[<p>Today, more and more nonprofits rely on third-party vendors for technology solutions to provide a range of services and operational support, including donor outreach and management, web platforms, payment processing solutions, and data storage.  This past May, Blackbaud, a prominent service technology provider to nonprofits, announced that it suffered a major data breach.  Whether or [&#8230;]</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/wont-get-fooled-blackbaud-data-breach/">We Won’t Get Fooled Again – Blackbaud Data Breach</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></description>
<content:encoded><![CDATA[<p>Today, more and more nonprofits rely on third-party vendors for technology solutions to provide a range of services and operational support, including donor outreach and management, web platforms, payment processing solutions, and data storage.  This past May, Blackbaud, a prominent service technology provider to nonprofits, announced that it suffered a major data breach.  Whether or not your organization was affected, the recent Blackbaud breach &#8211; and their very delayed and by many accounts lackluster response &#8211; is a wake-up call for organizations to consider the terms of their relationship with all third-party vendors.</p>
<p>The reality is that most of the “default” third-party terms are invariably one-sided in favor of the vendor. Should things go awry as they did with the Blackbaud incident, it is vital to have the appropriate legal terms in the contract to protect your interests.  While it is impossible to provide an exhaustive list of issues to be considered in negotiating a contract, I recommend that the following five points should always be addressed prior to signing a third-party technology contract.</p>
<p><strong>1. Adjust the Limitation of Liability Cap</strong></p>
<p>Vendors routinely attempt to limit any claims for loss or damage that might be incurred.  Typically, they try to limit the recovery period to six months, or even less, of fees paid.  I suggest that the “cap” be set at some multiple of the contract value, and not be tied to monies paid to date. This avoids having limited recompense for claims that occur early on in the contract term.</p>
<p><strong>2. Draft Exclusions to the Limitation of Liability Cap</strong></p>
<p>Related to the first provision, most types of damage are “capped” at some pre-agreed dollar amount.  However, certain damage, because it poses a greater risk to your organization and its reputation, should be excluded.  As an example, damage that results from a data breach, indemnified claims and breaches of your confidential information should never be capped. In the case of the Blackbaud breach, such an exclusion would have allowed your organization to fully recover all losses and expenses.</p>
<p><strong>3. Require Breach Notification and Credit Monitoring Expenses</strong></p>
<p>The Blackbaud incident illustrates that breaches happen.  Although unfortunate, the reality is that no system or platform is “breach proof.”  Even if your vendors maintain all the various physical, logical and administrative security precautions that have been reasonably requested, breaches can occur.</p>
<p>If a breach occurs and notification is required, your vendor is obligated to notify you alone, not your end-user donors.  For this reason, I strongly recommend that you require <em>any </em>vendor that has access to personally identifiable information on your behalf, to agree to pay for all fines, expenses and costs related to the breach, including notification to your donors, regulatory fines, and credit monitoring services for the potentially affected individuals.  They should also be required to promptly notify you of any breach or suspected breach – my recommendation is within 48-72 hours.  Blackbaud took over two months to provide notification!  This is reprehensible &#8211; but they are now the exception that proves the rule: contractually obligate your vendors to timely notice.</p>
<p><strong>4. Insist on Specific Cyber/Privacy Representations and Warranties</strong></p>
<p>During the sales pitch, prospective clients are presented with polished and detailed marketing materials that exhaustively detail the various aspects of the vendor’s product, including the various cyber-security precautions they have in place.  However, most contracts provide scant details of the actual precautions to be undertaken.  Bottom line: if a vendor is getting access to any personally identifiable information, you should have specific and detailed cyber-security and privacy requirements spelled out in the contract.</p>
<p><strong>5. Request Transition Services</strong></p>
<p>Vendor relationships do not last forever.   When the time comes to change a vendor, the transition can be a lengthy and arduous process.  When the existing vendor is reluctant to assist with the facilitation of the transition, the client gets stuck with the logjam.  To mitigate this issue, I always insist on including a provision in the contract that requires the vendor to provide ongoing services and specific transition support at their current standard rates for a specified period of time.</p>
<p>In the sentiments of Robert Frost, good contracts make good vendors.  As the Blackbaud data breach illustrates, “stuff” happens.  While this is one of many third-party providers to suffer a data breach, the attack on Blackbaud serves as a stark example of why organizations need to take the time to carefully evaluate third-party vendor privacy and cyber security practices, as well as insist on specific contractual terms that define accountability and responsibilities in the event of an incident.  (And FYI, the NY SHIELD Act requires all organizations that collect information on NY residents to review all such contracts with third-party vendors to ensure that such contracts impose specific technological, administrative and physical safeguards.) Failure to do so could leave your organization with limited recourse and remedies when the worst happens.</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/wont-get-fooled-blackbaud-data-breach/">We Won’t Get Fooled Again – Blackbaud Data Breach</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://dev.staging-perlmanandperlman.com/wont-get-fooled-blackbaud-data-breach/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Is it Time for a Cyber Risk Check-up?</title>
		<link>https://dev.staging-perlmanandperlman.com/time-cyber-risk-check/</link>
					<comments>https://dev.staging-perlmanandperlman.com/time-cyber-risk-check/#respond</comments>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Mon, 08 Jun 2020 14:11:35 +0000</pubDate>
				<category><![CDATA[State Regulations]]></category>
		<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<category><![CDATA[#COVID-19]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[NY SHIELD Act]]></category>
		<category><![CDATA[provacy laws]]></category>
		<category><![CDATA[VPN]]></category>
		<guid isPermaLink="false">https://dev.staging-perlmanandperlman.com/time-cyber-risk-check/</guid>

					<description><![CDATA[<p>COVID-19 has been dominating the news, and with good reason.  While the situation is certainly “fluid,” it is likely that many organizations will continue to ask their employees to work remotely — at least periodically — for some time.   It is important to remember that doing so is not without risks.  As most organizations [&#8230;]</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/time-cyber-risk-check/">Is it Time for a Cyber Risk Check-up?</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></description>
<content:encoded><![CDATA[<p>COVID-19 has been dominating the news, and with good reason.  While the situation is certainly “fluid,” it is likely that many organizations will continue to ask their employees to work remotely — at least periodically — for some time.   It is important to remember that doing so is not without risks.  As most organizations have information to protect, now is the time to consider the potential “cyber” risks of remote working, and remedial actions that can be taken to mitigate these risks.  The fact is that home office environments are not as secure as work environments.   Unfortunately, hackers are well aware of these vulnerabilities, and “phishing” and other schemes aimed at compromising personally identifiable information have been on the rise over the past couple of months.</p>
<p><strong>This is a good time to audit the protocols your organization recently implemented and ensure that your colleagues recognize and alleviate risks when they are routinely working from home.</strong>  Below are some typical risks, with strategies to minimize those risks.</p>
<ul>
<li><strong>Unsecured WIFI networks: </strong>Home networks (and use of public networks) may be vulnerable to malware or ransomware attacks through their wireless router – <em>Secure home WIFI networks with a robust password and, when possible, avoid use of public networks. </em></li>
<li><strong>Working on unsecured personal devices: </strong>Home computers may lack critical security patch management – <em>Employees should only conduct work on their employer-issued computers. Where this is not possible, personal laptops should not be allowed to leave the home. </em></li>
<li><strong>Transferring corporate data using personal email accounts:</strong> Employees may send sensitive information to their personal email accounts; non-enterprise email accounts usually lack the protections that commercial accounts often have – <em>Advise employees against sending sensitive company data to their personal email accounts, and to permanently delete any corporate data remaining on their email accounts after they return to their normal working arrangement. </em></li>
<li><strong>“Hard-Copy” document management and destruction</strong>: Employees may take hard-copy sensitive or confidential materials off-site that they would not otherwise – <em>Advise as to proper destruction and to avoid disposing of documents at home or in a public place without proper cross-cut shredding. </em></li>
<li><strong>Unsecured connections to organizational systems:</strong> Absent a secure virtual private network (VPN), employees may attempt to connect to your systems in an insecure manner – <em>Investigate the viability of configuring a VPN for employees accessing your systems.</em></li>
<li><strong>Syncing with personal cloud storage accounts</strong>: Employees working remotely may use a personal cloud service account to transfer documents or data to and from the office that may be less secure – <em>Monitor use and consider creating a list of recommended providers.</em></li>
<li><strong>Key vendor relationships</strong>: Most organizations rely on third-party vendors to support both internal and external mission-critical services.  These services could be impacted should these companies also ask their employees to work from home – <em>Proactively reach out to these vendors to inquire as to their plans to continue to support your organization and to keep your data safe (as summarized above); also review the contracts in place to be aware of your rights and remedies.</em></li>
</ul>
<p><strong>It is important to remember that although COVID-19 has posed challenges in regard to good cyber practices, privacy laws, regulations and expectations still apply. </strong></p>
<p>For example, New York State’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) went into effect on March 21 of this year.   This new law applies to any for-profit or nonprofit organization that receives or collects private information about New York residents.  Simply put, if your organization has a website, it’s likely you need to comply with the provisions of the SHIELD Act (and there are substantial fines for noncompliance).  Among the many obligations, the SHIELD Act expects organizations to 1) implement “reasonable [administrative, physical and technical] safeguards to protect the security, confidentiality and integrity” of data, 2) properly vet all third-party service providers and include specific provisions related to cyber-security practices, and 3) designate a “point person” to coordinate your data security program.   <strong><u>Many organizations would have fallen short of these requirements prior to COVID-19 — many more will fall short today as employees continue their work from home</u>.</strong>  While meeting these requirements may seem daunting, they are more easily achieved than one might initially think.  I routinely help organizations to achieve compliance with the SHIELD Act and other similar regulations and best practices, and in doing so these organizations become better “stewards” of the personal information they collect on behalf of their employees and donors.</p>
<p><em>Jon Dartley is an attorney with in-depth knowledge of the laws of data privacy regulation. You may reach him at jon@perlmanandperlman.com. </em></p><p>The post <a href="https://dev.staging-perlmanandperlman.com/time-cyber-risk-check/">Is it Time for a Cyber Risk Check-up?</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://dev.staging-perlmanandperlman.com/time-cyber-risk-check/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>COVID-19 and Cyber-Readiness &#8211; Good Practices for Remote Work</title>
		<link>https://dev.staging-perlmanandperlman.com/covid-19-cyber-readiness-good-practices-remote-work/</link>
					<comments>https://dev.staging-perlmanandperlman.com/covid-19-cyber-readiness-good-practices-remote-work/#respond</comments>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Wed, 11 Mar 2020 19:46:21 +0000</pubDate>
				<category><![CDATA[Employment]]></category>
		<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<guid isPermaLink="false">https://dev.staging-perlmanandperlman.com/covid-19-cyber-readiness-good-practices-remote-work/</guid>

<description><![CDATA[<p>COVID-19 has been dominating the news, and with good reason.  While the situation is certainly “fluid”, it is likely that many organizations will at some point be asking their employees to work remotely;  it is important to remember that doing so is not without its risks.  As most organizations have information to protect, now is [&#8230;]</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/covid-19-cyber-readiness-good-practices-remote-work/">COVID-19 and Cyber-Readiness – Good Practices for Remote Work</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></description>
<content:encoded><![CDATA[<p>COVID-19 has been dominating the news, and with good reason.  While the situation is certainly “fluid”, it is likely that many organizations will at some point be asking their employees to work remotely;  it is important to remember that doing so is not without its risks.  As most organizations have information to protect, now is the time to consider the potential “cyber” risks of remote working, and remedial actions that can be taken to mitigate these risks.</p>
<ul>
<li><strong>Unsecure WIFI networks: </strong>Home networks (and use of public networks) may be vulnerable to malware or ransomware attacks through their wireless router &#8211; <em>Secure home WIFI networks with a robust password and, when possible, avoid use of public networks. </em></li>
<li><strong>Working on unsecure personal devices: </strong>Home computers may lack critical security patch management &#8211; <em>Employees should only conduct work on their employer-issued computers. Where this is not possible, personal laptops should not be allowed to leave the home. </em></li>
<li><strong>Transferring corporate data using personal e-mail accounts</strong>: Employees may send sensitive information to their personal email accounts; non-enterprise email accounts usually lack the protections that commercial accounts often have &#8211; <em>Advise employees against sending sensitive company data to their personal email accounts, and to permanently delete any corporate data remaining on their email accounts after they return to their normal working arrangement. </em></li>
<li><strong>“Hard-Copy” document management and destruction</strong>: Employees may take hard-copy sensitive or confidential materials off-site that they would not otherwise &#8211; <em>Advise as to proper destruction and to avoid disposing of documents at home or in a public place without proper cross-cut shredding. </em></li>
<li><strong>Unsecure connections to organizational systems:</strong> Absent a secure virtual private network (VPN),employees may attempt to connect to your systems in an insecure manner &#8211; <em>investigate the viability of configuring a VPN for employees accessing your systems.</em></li>
<li><strong><em>Synching with personal cloud storage accounts</em></strong><em>: Employees working remotely may use a personal cloud service account to transfer documents or data to and from office that may be less secure &#8211; Monitor, recommend/advise. </em></li>
<li><strong>Key vendor relationships:</strong> Most organizations rely on third-party vendors to support both internal and external mission-critical services.  These services could be impacted should these companies also ask their employees to work from home &#8211; <em>Proactively reach out to these vendors to inquire as to their plans to continue to support your organization and to keep your data safe (as summarized above); also review the contracts in place to be aware of your rights and remedies.</em></li>
</ul><p>The post <a href="https://dev.staging-perlmanandperlman.com/covid-19-cyber-readiness-good-practices-remote-work/">COVID-19 and Cyber-Readiness – Good Practices for Remote Work</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://dev.staging-perlmanandperlman.com/covid-19-cyber-readiness-good-practices-remote-work/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>California Consumer Privacy Act (CCPA) &#8211; You are not California Dreamin&#8217;!</title>
		<link>https://dev.staging-perlmanandperlman.com/california-consumer-privacy-act-ccpa-you-are-not-california-dreamin/</link>
					<comments>https://dev.staging-perlmanandperlman.com/california-consumer-privacy-act-ccpa-you-are-not-california-dreamin/#respond</comments>
		
		<dc:creator><![CDATA[Jon Dartley]]></dc:creator>
		<pubDate>Mon, 16 Dec 2019 21:38:04 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[State Regulations]]></category>
		<category><![CDATA[Technology, Digital Privacy & Security]]></category>
		<category><![CDATA[california]]></category>
		<category><![CDATA[CCPA]]></category>
		<category><![CDATA[Consumer Privacy]]></category>
		<category><![CDATA[Privacy Act]]></category>
		<guid isPermaLink="false">https://dev.staging-perlmanandperlman.com/california-consumer-privacy-act-ccpa-you-are-not-california-dreamin/</guid>

					<description><![CDATA[<p>What Is It? The California Consumer Privacy Act (CCPA) goes into effect January 1, 2020. It is the most recent personal data protection law passed by the State of California, and provides California residents with more control over the collection, use, and protection of their personal information. The CCPA’s broad privacy requirements are entirely new, [&#8230;]</p>
<p>The post <a href="https://dev.staging-perlmanandperlman.com/california-consumer-privacy-act-ccpa-you-are-not-california-dreamin/">California Consumer Privacy Act (CCPA) – You are not California Dreamin’!</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></description>
										<content:encoded><![CDATA[<p><em>What Is It?</em><br />
The California Consumer Privacy Act (CCPA) goes into effect January 1, 2020. It is the most recent personal data protection law passed by the State of California, and provides California residents with more control over the collection, use, and protection of their personal information.</p>
<p>The CCPA’s broad privacy requirements are entirely new, and are certainly among the strictest privacy laws in the United States. It is important to note that the CCPA is not a replacement for other existing California privacy laws &#8211; all of those laws remain in effect. Here the focus is on the CCPA.</p>
<p><em>Does it Apply to Your Company?</em><br />
The CCPA applies to any for-profit company in the world that collects personal data, and</p>
<ol>
<li>Has annual gross revenues of at least $25 million; or</li>
<li>Obtains personal information of at least 50,000 California residents, households, and/or devices per year; or</li>
<li>Derives at least 50% of its annual revenue from selling California residents’ personal information.</li>
</ol>
<p><em>What to Do to Prepare</em><br />
To comply, companies will have to adopt a variety of new measures, including:</p>
<ul>
<li>Draft and post a comprehensive privacy notice <em>(send me an email request for a more detailed list of elements to include)</em></li>
<li>Conduct a data inventory to “map” the use of California residents’ personal data and instances of “selling” data</li>
<li>Implement procedures to meet the new individual rights for data access, deletion and opting out</li>
<li>Update all vendor agreements with third parties who may be processing such data on behalf of the business</li>
</ul>
<p><em>What are the Penalties for Non-Compliance?</em><br />
Non-compliance with the CCPA puts a company at risk of large fines. The Attorney General can levy fines of up to $7500 per violation, and the company may also be subject to “private actions” from California residents.</p>
<p><em>Jon Dartley, Esq., 212.889.0575 ext. 224</em><br />
<em>jon@perlmanandperlman.com</em></p>
<p>DISCLAIMER:<br />
These materials were prepared for informational purposes only. The information contained herein is general in nature and may not have application to particular factual or legal circumstances. These materials do not constitute legal advice or opinions and should not be relied upon as such. Transmission of the information is not intended to create, and receipt does not constitute, an attorney-client relationship. Recipients of this information should not act upon any information in this article without seeking professional counsel.</p><p>The post <a href="https://dev.staging-perlmanandperlman.com/california-consumer-privacy-act-ccpa-you-are-not-california-dreamin/">California Consumer Privacy Act (CCPA) – You are not California Dreamin’!</a> first appeared on <a href="https://dev.staging-perlmanandperlman.com">Perlman Sandbox</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://dev.staging-perlmanandperlman.com/california-consumer-privacy-act-ccpa-you-are-not-california-dreamin/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
