|Volume 4 Issue 3||March 2010|
|In This Issue|
|Data Security: The new Massachusetts law you can't ignore|
|From the mailbag: Two readers respond to last month's newsletter on paperless billing|
|If you haven't heard about the new "Protection of Personal Information" Massachusetts law yet (and almost no one I've talked to recently has), you should learn about it right away, not only because it affects how your organization handles personal information, but also because it carries heavy fines for non-compliance. |
You should also learn about this law for yourself because its goal is to protect every employee and consumer in Massachusetts from identity theft.
|Data Security: The new Massachusetts law you can't ignore |
In December 2006, thieves broke into TJX Companies' computers and electronically stole over 45 million transactions involving credit cards, debit cards, and checks. TJX (based in Framingham, Mass.) operates over 2,000 retails stores including TJ Maxx, Marshall's, HomeGoods, Bob's Stores, and A.J. Wright.
How did this happen? There were 3 key parts:
In response to massive identity thefts like this and others, the Massachusetts legislature has passed Chapter 93H: "Security Breaches." The Office of Consumer Affairs and Business Regulation has implemented it with the regulation 201 CMR 17.00: "Standards for the Protection of Personal Information of Residents of the Commonwealth." This is one of the strongest data security laws in the country. It went into effect March 1, 2010.
This law applies to every person, business, or organization that provides any goods, services, or employment to residents of (or organizations located in) Massachusetts. It requires those providers to protect any "personal information" about those residents, whether stored on paper or in electronic form.
This law mandates a fundamental change in how all organizations handle personal information. However, I think it's merely catching up with a harsh modern reality. Over the past 10-15 years, the problems of identity theft and invasion of privacy have exploded. 25 years ago the first personal computers were expensive and isolated devices that only a few could use well; security just wasn't an issue. Today they are inexpensive and essential tools in practically every home and office, and they're connected through a worldwide network rich in information, resources, and security threats. Our taking responsibility for protecting our paper and electronic information from being misused or stolen is long overdue. Using state-of-the-art security methods to combat sophisticated modern thieves only makes sense.
Caveat: I am neither an attorney nor an expert on this law, and my understanding of its meaning and implications is ongoing and evolving. I'm writing about this to make you aware of some of these issues, and hope that you will seek detailed technical and legal advice specific to your situation.
Also, this is far too large a topic to cover thoroughly in any single newsletter, so this is the first in a series of newsletters I plan to write about these issues.
What "personal information" does this law cover?
The law defines "personal information" as a combination of two elements:
1. A Massachusetts resident's name, or the name of a company or organization located in Massachusetts
In combination with:
2. Any of the following corresponding pieces of information:
This law requires you to take state-of-the-art actions (within reason) to protect the safety and security of personal information at a level that is probably much stricter than you're doing now, or face stiff fines--$5,000 for each Social Security number or other personal number breached, plus similar fines for failing to follow any of the individual regulations.
The requirements (and their implications) are complicated, and address how you store this information, how you handle it, and how you share it with others, and cover both paper and electronic methods. Complying with this law will likely change a number of aspects of how you do business, and will probably cost you some time and money.
On the one hand, this is really serious, both the fundamental nature of the problem and the need for everyone to comply with this law. On the other hand, there is a reasonable and finite process you can implement that will get you compliant with this law, and you (and your customers) will benefit from the result. In addition, the law's enforcement standard is based on what's reasonable for the size of your business and technically feasible for the type and amount of information you handle.
Don't put this off any longer. Get started now.
Why am I just hearing about this now?
While this law has been in the works for a while, not only has the state adjusted its scope and postponed it a number of times, but they've also not made much effort to publicize it. I only heard about it last fall from some colleagues, and it took me a while to get started on this for my own business.
In the past few weeks, almost no one to whom I've mentioned this law has heard anything about it. My unscientific impression is that most businesses and organizations are behind schedule in getting compliant.
Does this law apply to me?
As far as I can tell, apart from government agencies (which are exempt because they're already held to a higher security standard) the only type of organization providing goods and services to residents of Massachusetts that this law does not apply to would have to:
Certain types of businesses are clearly affected by this law, for example:
You can certainly implement a plan that complies with the letter of this law and nothing more. However, I think that's a short-sighted approach. This law is a wake-up call. This issue is not going away, and it's only going to grow. It's understandable to view this as an unwelcome external intrusion into your operation, but given the value and sensitivity of the information you're probably handling (your customer's as well as your own), I recommend taking this as a great opportunity to address this deep security problem and resolve it in a modern and productive way.
At first, as you implement the changes to your operation required by this law (e.g., putting certain paper records under lock and key, learning how to encrypt your computer data and your backup, choosing better and different passwords, writing your detailed security plan), you'll probably have your hands full. However, once you're underway, I think you'll find that it's less work to, for example, protect personal information on all of your customers, not just the ones who live in Massachusetts, and not just their bank account or Social Security numbers, but all of their information (home address, birthday, notes on work you're performed for them, etc.).
Doing more than strictly required by this law may also go a long way to convince any state investigator that you're not a likely source of leaks, since you'll have done a more-than-thorough job of complying.
It's also likely that other states will be passing similar laws regarding information you may be handling on their residents. You'll be subject to their laws as well, whose details may be somewhat different than this Massachusetts law.
And as you protect your customers' information, I suggest that you also make the (probably small, incremental) effort to protect your own information.
This is ridiculous! I'm already very busy! Why should I have to do any of this?
Identity theft is a serious problem. How would you feel if your local hardware store let your credit card number get stolen, or if your employer left your payroll records out for someone to steal, or if your insurance agent sent your Social Security number to her company via regular (insecure) email?
Here are a number of additional reasons to implement good data security:
While you can (and probably should) find knowledgeable outside people to help with this process, the law specifically requires that someone within your organization be responsible for your data security. Since there are a lot of decisions to make and changes to your habits and procedures you'll probably have to implement, you need to be involved.
How can I get started?
I will be walking you through this process in my upcoming newsletters and sharing with you the things I'm doing within my own business to comply with this law.
In the meantime, here is an outline to help you get started, with the goal of not only strictly complying with the law but also reasonably going beyond its requirements to achieve a good degree of overall data security:
I've also found the following types of tools useful:
As I learn more about this, I will share with you what I've learned and what changes I've made in my business. In the meantime, here are some resources I've found helpful:
The law and regulations:
If you have any comments about this article, send me a reply!
If you have a topic that you'd like me to write about, I'd love to hear about it!
|From the mailbag: Two readers respond to last month's newsletter on paperless billing |
In response to last month's newsletter on paperless billing (http://kadansky.com/files/newsletters/2010/2010_02_24.html: "Should I sign up for paperless billing?"), two readers wrote:
"Very helpful! I've often felt conscience-stricken about all the paper bills I get, and I've found automatic payments very helpful. Luckily, cashflow hasn't been a problem. However, when I buy a new investment I receive paper prospectuses in the mail, followed by annual and semi-annual reports. I've wondered whether they could be sent to me electronically, so I'm going to look into whether I can get them online instead."
"This was a thoughtful and useful newsletter. I've long been wary of paperless billing and automatic payment for the reasons you describe. Furthermore, with automatic payment more parties and technology are involved. If there is a mistake, I suspect that it's harder to resolve a problem. And, as much as companies paint the benefits as 'green,' the companies themselves achieve great cost savings in postage and paper."
How to contact me:
phone: (617) 484-6657
On a regular basis I write about real issues faced by typical computer users. To subscribe to this newsletter, please send an email to email@example.com and I'll add you to the list, or visit http://www.kadansky.com/newsletter
Did you miss a previous issue? You can find it in my newsletter archive: http://www.kadansky.com/newsletter
Your privacy is important to me. I do not share my newsletter mailing list with anyone else, nor do I rent it out.
Copyright (C) 2010 Kadansky Consulting, Inc. All rights reserved.
I love helping people learn how to use their computers better! Like a "computer driving instructor," I work 1-on-1 with small business owners and individuals to help them find a more productive and successful relationship with their computers and other high-tech gadgets.