Friday, November 20, 2009

Massachusetts Personal Information Protection Regulation

The Massachusetts regulation setting out the "standards to be met by persons who own or license personal information about a resident of the Commonwealth of Massachusetts" must be complied with by businesses and organizations starting on March 1, 2010.

In summary, the regulation, 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth, defines the minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records.

The point of the regulation is to prevent identity theft. If your business stores any record about a Massachusetts resident that contains the person's first name and last name, or first initial and last name, in combination with any of the following:
  • Social Security Number
  • Driver's License or State-Issued Identification Card Number
  • Financial Account Number
  • Credit or Debit Card Number

then you are subject to the regulation, regardless of whether your business is located in Massachusetts.

So what do you need to do to comply with the regulation?

  1. Identify where the Personally Identifiable Information (PII) is stored, e.g., paper files, computers, laptops, external hard drives, backup media, etc.
  2. Identify how the PII is at risk, e.g., internal or external theft, hacking, lost devices, etc.
  3. Document in a Written Information Security Program (WISP) how you will protect the PII.
  4. Carry out the WISP, e.g., train your employees in how to handle sensitive data, encrypt your hard drives, use a secure online file sharing system instead of email for getting PII to customers, etc.
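Step 1 (finding where regulated PII lives) is easier to do systematically than by hand. The script below is an added example, not code from the original post or from the Commonwealth: it scans a constructed CSV export and reports only rows that meet the regulation's definition, i.e., a name (first name or initial plus last name) together with at least one of the four identifiers. The SSN structure rules and the Luhn check for card numbers are standard; the "acct"/"account" label pattern and the driver's-license pattern are assumptions that must be adapted to your own exports and to the issuing state's license format.

```python
import csv
import io
import re

# Constructed sample export (not real data). The SSN and card numbers are
# deliberately well-formed test values; the names and emails are made up.
SAMPLE_CSV = """first_name,last_name,email,notes
Jane,Doe,jane@example.com,"SSN 123-45-6789 on file"
J.,Smith,jsmith@example.com,"card 4111 1111 1111 1111 exp 12/11"
Bob,Jones,bob@example.com,"invoice 000-12-3456 pending"
,Lee,lee@example.com,"acct 987654321 at Bay State Bank"
Ann,Lee,ann@example.com,"called about order #48371"
Carl,Ng,carl@example.com,"licence S12345678 scanned"
"""

# First-pass discovery patterns, not a legal test.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Bare account numbers have no fixed format, so this keys on a label
# (assumption: exports write "acct"/"account" next to the number).
ACCT_RE = re.compile(
    r"\b(?:acct|account)\s*(?:no\.?|number|#)?\s*[:#]?\s*(\d{6,17})\b", re.I
)
# Driver's licence formats vary by state; "S" + 8 digits is an assumed
# placeholder and must be replaced with the issuing state's format.
DL_RE = re.compile(r"\bS\d{8}\b")


def valid_ssn(area, group, serial):
    """Reject structurally impossible SSNs (area 000/666/9xx, group 00, serial 0000)."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text):
    """Return the set of regulated identifier types found in a piece of text."""
    found = set()
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            found.add("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("card")
    if ACCT_RE.search(text):
        found.add("account")
    if DL_RE.search(text):
        found.add("drivers_license")
    return found


def has_name(row):
    """Last name plus a first name or initial, as the regulation requires."""
    first = (row.get("first_name") or "").strip()
    last = (row.get("last_name") or "").strip()
    return bool(first) and bool(last)


def scan_csv(text):
    """Return (line number, sorted identifier types) for each regulated row."""
    hits = []
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        ids = find_identifiers(" ".join(v or "" for v in row.values()))
        if ids and has_name(row):
            hits.append((n, sorted(ids)))
    return hits


if __name__ == "__main__":
    for line_no, ids in scan_csv(SAMPLE_CSV):
        print(f"line {line_no}: regulated PII ({', '.join(ids)})")
```

Two rows are deliberately not reported: the "000-12-3456" value fails the SSN structure check, and the account number on the row with no first name does not meet the name-plus-identifier definition. A real scan would walk file shares, mailboxes and laptop home directories with the same classifier, and the results feed directly into the inventory the WISP has to document.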

Thursday, November 19, 2009

Another Stolen Laptop, Another Business In Trouble

This past summer, Blue Cross/Blue Shield in Connecticut had a laptop stolen. On the laptop was highly confidential information, including tax identification and Social Security numbers for 800,000 healthcare providers nationwide.

Now the company is being investigated by Connecticut Attorney General Richard Blumenthal. "We are vigorously investigating this appalling data loss, needlessly exposing more than 18,000 Connecticut doctors and professionals to devastating identity theft," Blumenthal said in a statement. "Failing to promptly notify providers of the breach is inexcusable -- and a possible violation of state law. Waiting two months left providers severely at risk -- needlessly and irresponsibly exposing them to financial mayhem."

You can guess what the outcome of the investigation will be: fines, statements of apology, agreements to make changes in the way information is kept secure, etc.

Blue Cross/Blue Shield will survive because it is a large company. Your business, on the other hand, might not survive such an incident. Can you afford the legal fees necessary to defend your company against a lawsuit? Your insurance will not cover these expenses if your insurer can show that you were not protecting your sensitive data in the industry-standard manner. More importantly, what will your customers think when they hear about your loss of sensitive data? They will probably drop your business like a rock.

Laptops, cell phones, BlackBerrys, iPhones, etc. are constantly being stolen. It is a fact of life. So, what should you do to protect your sensitive company data?
  1. Encrypt the hard drives on all of your laptops (desktops too!) with full-disk encryption so that if any machine is stolen, the data on it cannot be read without the key or passphrase.
  2. Minimize the sensitive data that is stored on non-secure devices in the first place by giving employees access to secure online systems that store the sensitive data. If you do this your employees will not have to store any sensitive data on their own devices at all. And you will be able to monitor who is accessing the sensitive data to detect unauthorized usage.
  3. Train your employees what to do with the sensitive data. Technology alone can never prevent data from being stolen. You need your employees to use the technology that you give to them appropriately to prevent data loss.

Wednesday, November 18, 2009

Cyber Crime And Your Business

Yesterday the Government Accountability Office (GAO) released a new report that took a critical look at US federal information system security. The GAO report outlined the groups and individuals that it considers to be key threats to our nation's information systems:
  1. Foreign Nations
  2. Criminal Groups
  3. Hackers
  4. Hacktivists (politically motivated hackers)
  5. Disgruntled Insiders
  6. Terrorists

So what impact do the GAO report findings have on data security in your business? Most businesses do not have to worry about Foreign Nations, Hackers, Hacktivists (unless the business is a political organization), and Terrorists.

Criminal Groups are a legitimate concern for any size business. Almost every business has some exposure to the Internet. Your website, particularly if you sell goods or services over the Internet, and your use of email are the common ways that Criminal Groups can attack you. Cyber criminals are looking for credit card and bank information, Social Security numbers, etc. to steal online.

Disgruntled Insiders, both employees and contractors, are also a definite legitimate concern for any business. These individuals frequently have extensive access to the software systems (financial, payroll, human resources) where your key data is stored. These people can easily steal from you and cover their tracks.

Actions you should take to counter these threats:

  1. Figure out whether your website is exposing any sensitive information e.g. do you have a "private area" of the website that you use to share information with others? Is this part of the website really secure? Strengthen the security of this private area or replace it with an online secure web file sharing system.
  2. Do not use email to send and receive sensitive data or files. Email is not secure. Install secure file sharing software or use an online secure file sharing system to protect this data.
  3. Set up your internal computer systems to keep a log of all user actions. Review these logs regularly to detect and stop data theft.
  4. Reduce the access levels of your employees and contractors on your internal computer systems to the level that they really need to do their jobs. An employee rarely needs to be set up as a System Administrator to do his/her job.
  5. Encrypt your stored files to prevent employees and contractors from having access to information that they should not be able to see. Laptops need to have full-disk encryption because they are frequently stolen.
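Items 3 and 4 above (log review and reducing access levels) are the two controls that actually catch or prevent the insider problem described earlier, and both can be partly automated. The script below is an added example, not code from the original post: it runs three checks over constructed application access log lines (access to a dataset the user's role is not entitled to, bulk exports, and activity outside business hours) and then lists, for each admin account, the datasets the role allows but the person never used, which is the evidence you need to downgrade that account. The log format, the role-to-dataset table, the business hours and the export threshold are all assumptions to be replaced with your own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from a real system) in an assumed key=value
# format recording who did what, to which dataset, how many rows, from where.
SAMPLE_LOG = """\
2009-11-17 09:12:41 user=alice role=payroll action=view dataset=payroll rows=1 src=10.0.1.15
2009-11-17 09:40:02 user=bob role=sales action=view dataset=customers rows=12 src=10.0.1.22
2009-11-17 22:47:19 user=bob role=sales action=export dataset=customers rows=3400 src=10.0.1.22
2009-11-17 23:05:55 user=bob role=sales action=view dataset=payroll rows=1 src=10.0.1.22
2009-11-18 08:55:10 user=carol role=admin action=export dataset=payroll rows=420 src=10.0.1.9
2009-11-18 10:02:33 user=alice role=payroll action=export dataset=payroll rows=420 src=10.0.1.15
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) dataset=(?P<dataset>\S+) rows=(?P<rows>\d+) src=(?P<src>\S+)$"
)

# Assumed role-to-dataset entitlements; "admin" can reach everything.
ALLOWED = {
    "payroll": {"payroll"},
    "sales": {"customers"},
    "admin": {"payroll", "customers", "hr"},
}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time (assumption)
EXPORT_THRESHOLD = 500         # rows per export that deserve a second look (assumption)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["rows"] = int(e["rows"])
        yield e


def review(log_text):
    """Return (timestamp, user, rule) for every line that trips a rule."""
    findings = []
    for e in parse(log_text):
        when = e["ts"].strftime("%Y-%m-%d %H:%M:%S")
        if e["dataset"] not in ALLOWED.get(e["role"], set()):
            findings.append((when, e["user"], "dataset outside role"))
        if e["action"] == "export" and e["rows"] >= EXPORT_THRESHOLD:
            findings.append((when, e["user"], "bulk export"))
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append((when, e["user"], "outside business hours"))
    return findings


def unused_privileges(log_text):
    """For each admin account, the datasets the role allows but the user never touched."""
    used = defaultdict(set)
    for e in parse(log_text):
        if e["role"] == "admin":
            used[e["user"]].add(e["dataset"])
    return {user: sorted(ALLOWED["admin"] - seen) for user, seen in used.items()}


if __name__ == "__main__":
    for when, user, rule in review(SAMPLE_LOG):
        print(f"{when} {user}: {rule}")
    for user, unused in unused_privileges(SAMPLE_LOG).items():
        print(f"{user} holds admin but never used: {', '.join(unused)}")
```

In the sample, bob's 3,400-row export at 22:47 and his look at payroll data a few minutes later are exactly the pattern of an insider gathering data before leaving, and carol's admin account, which only ever touched payroll, is a candidate for the narrower payroll role. The checks only work if the application writes the log in the first place and the log is kept somewhere the user cannot edit, so "keep a log" means logging on a separate system, not on the same machine the insider administers.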