On March 1, 2010, the Massachusetts Data Protection Law or Massachusetts 201 CMR 17.00 went into effect!

The privacy regulations adopted by the Massachusetts Office of Consumer Affairs and Business Regulation require that any person or organization maintaining personal information of a Massachusetts resident, whether in paper or electronic form, must develop and implement a comprehensive, written information security program (WISP).

Why the new law?

Over the past five years there have been a significant number of high-profile, large-scale “data loss” incidents in which the personal information of millions of people, including credit card and social security numbers, has been stolen or misused. Some of the best known affected businesses include BJ’s Wholesale Clubs, Hannaford Supermarkets, Heartland Payment Systems, Blue Cross Blue Shield of MA, and TJX. However, they are not alone.

While the breaches have been investigated by a slew of government organizations, including state and local police departments, the Federal Bureau of Investigation, the US Secret Service, and others, the existing laws did not specify non-criminal penalties for organizations, merchants, and others who bear some responsibility for these breaches due to lax or circumvented data security policies, little or no network monitoring, and/or the lack of oversight that allowed them to occur.

Who’s covered by the new law?

Any person, partnership, corporation, or other legal entity other than the government (they are required to comply with other regulations) who owns, licenses, stores, or maintains the “Personal Information” of any Massachusetts resident. Personal information is defined as a name in combination with one or more of the following items:

  • Social Security Number
  • Driver’s License Number
  • Credit or Debit Card Number with or without PIN, CCV, password or other security code
  • Bank Account Number

Therefore, these regulations cover all employers, professional service providers, and nearly all businesses that accept checks, credit or debit cards, regardless of their location, both in and out of state. Also, if you have any employees or subcontractors, you need to protect their Social Security/Taxpayer ID numbers.

Only sole proprietor, cash-only businesses are reasonably excluded.

What do you need to do to comply?

1. Appoint an Information Security Manager (ISM).

The Information Security Manager is the company employee responsible for constructing, executing, maintaining, and auditing your information security program. This person is also responsible for training other employees on program compliance. While you may work with a consultant on many of these issues, the ISM should be a company employee.

2. Draft a Written Information Security Program (WISP).

The Written Information Security Program is a physical document that describes WHAT personal information is collected by your organization; WHERE and HOW it is used and stored; WHO may access it; HOW, WHEN, and WHAT protections are in place against unauthorized access; HOW compliance is monitored and audited; and finally, WHAT to do in the event of a problem.

While most WISP documents are based on templates and samples, it’s important to have this document reviewed by business ownership (C-level and corporate board), legal counsel, HR/personnel management, and IT/technical leads.

3. Implement/execute the Written Information Security Program, monitor compliance, and review the program yearly, or whenever necessary.

What is the cost of non-compliance?

The Massachusetts Data Protection Law will be enforced by the Massachusetts Attorney General, who is authorized to bring action under Mass. General Laws c. 93A, §4, which provides for injunctive relief; civil penalties of not more than $5,000 for each violation; plus the costs of investigation and litigation, including attorney’s fees. The court may also award civil liability for any breach of the increased duty of care.

In addition, Mass. Gen. Laws c. 93I, concerning the improper destruction and/or disposal of data, provides for penalties of up to $100 per data subject affected, and not more than $50,000 for each instance of improper disposal.

The Silver Lining

Despite the new regulations, most organizations should find it relatively easy to comply, as many of the provisions included in Massachusetts 201 CMR 17.00 are basic best practices that other government regulations and industry standards have required for years.

As always, for more information on the Massachusetts Data Protection Law ask us!

  • Contact your AOD representative by calling 978-988-1900 or 949-242-4512
  • Email us at sales@addondata.com

You can also check out the following online resources:

Mass Office of Consumer Affairs and Business Regulation’s Frequently Asked Questions -

http://www.mass.gov/?pageID=ocatopic&L=3&L0=Home&L1=Business&L2=Identity+Theft&sid=Eoca

The actual law itself – 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH -

http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

CIO Magazine: 201 CMR 17.00 – A Survival Guide for the Anxious-

http://www.cio.com/article/497949/Mass_201_CMR_17_a_Survival_Guide_for_the_Anxious
