By March 1, just about every business in the state — as well as nonprofit organizations and government agencies — must be in compliance with the state’s tough new regulations regarding the safeguarding of personal information. Implementation of the measure has created some solid business opportunities for technology and information security companies, as well as employment-law specialists, who are reporting that, as the often-pushed-back deadline for compliance approaches, businesses are finally starting to sit up and take notice of the legislation and its many ramifications.
Charles Christianson was poring over a page of security breaches and potential breaches reported by an organization called the Identity Theft Resource Center, looking to make a point.
It was just one of 84 such pages, detailing nearly 400 breaches reported in 2009 involving more than 219 million people, said Christianson, president of Peritus Security Partners, which has offices locally in East Longmeadow. But it shows clearly the extent of a burgeoning problem.
There was one report involving Suffolk Community College in South Carolina, which has agreed to pay a company for the next year to monitor the credit of 300 students whose last names and Social Security numbers were mistakenly listed in an attachment to an e-mail sent to those students in September. There was another concerning the Blue Cross Blue Shield national office, which had a laptop computer stolen from an employee, potentially exposing the Social Security numbers of tens of thousands of physicians nationwide. The insurance giant encrypts all of its information on company computers, the resource center reported, but an employee who was authorized to have the information violated company rules by downloading an unencrypted version onto a personal laptop.
And then, there was an incident involving Rocky Mountain Bank in Wyoming, when an employee sent an e-mail to the wrong person. The message, intended for a bank customer, included an attachment that should not have been sent, containing confidential customer information for 1,325 individual and business accounts. Which begs the question: why was that information being sent to a customer?
It is these kinds of calamities that a new Massachusetts law — known to those well-versed in its contents as 201 CMR 17, or the Massachusetts Personal Data Protection regulation — was designed to prevent, said Christianson, noting that the measure is scheduled to take effect March 1. That means he and others with the company are quite busy these days, trying to inform business owners of the new legislation, and then, if they’re hired, helping them move into compliance.
Thus, the personal-information measure represents a significant business opportunity for companies like Peritus, and also area employment-law specialists, who can assist companies and nonprofits create what’s known as a WISP, or written information security program (much more on that later), which, in essence, protects personal information from the kinds of breaches detailed above.
Christianson said Peritus has put its message before perhaps a few thousand business owners at informational seminars over the past few months, and has completed more than 40 WISPs to date, with the promise of many more over the next several months.
Meanwhile, Amy Royal, a partner with the Northampton-based law firm Royal & Klimczuk, which specializes in employment-law matters, said the personal-information law has provided an additional service the firm can provide to its existing clients and, hopefully, some new ones.
She noted that, as the year draws to a close and the March 1 compliance deadline draws ever closer, business owners and managers are starting to sit up and take notice of the new law and the steps needed to prepare for it.
“A number of existing clients have called and said, ‘we need to set up a meeting for early next year,’” she explained. “Now, it’s finally setting in with people that they need to have a plan in place and that there’s a lot to this.”
Indeed, for business owners and non-profit managers, the new law represents a challenge and an expense (a few thousand dollars for most small businesses), both significant enough to prompt the state to push back the deadline for compliance several times. But there is no indication that there will be another delay, which means that any business that handles personal information — and there is a working definition of that phrase in the statute — has a choice to make, said Christianson.
They can either put themselves in compliance, or they can roll the dice and save themselves time and money by not doing so. But those who gamble and lose could pay a steep price, he continued, noting some heavy fines that are attached to the legislation.
With the deadline for compliance looming, BusinessWest takes an in-depth look at the state’s personal-information security measure (said to be the toughest in the country), what it means for consumers as well as affected businesses, and what responsible companies need to have done by March 1.
Data with Destiny
They’re calling it the Massachusetts Information Security Summit, or MassISS for short.
That’s the name affixed to a nearly day-long seminar scheduled for Jan. 27 at the Sheraton in downtown Springfield. Christianson and others from Peritus will be among a group of speakers who will address specific aspects of the new law, and there are many of them (visit www.massiss.org for more information).
The event is the latest, and by far the biggest, in a host of informational gatherings on 201 CMR 17 that have been staged by IT companies, law firms, chambers of commerce, the Associated Industries of Mass., or any combination of the above. Royal says she’s been involved with many, and that they have been fairly well-attended by business owners who typically have a lot of questions.
Still, there are many business owners and managers and non-profit directors who don’t know about this measure, or as much as they should about what it will take to be in compliance, said Royal — this despite intensive media coverage of the legislation and a barrage of electronic invitations to those aforementioned informational seminars.
Christianson agreed, and speculated that perhaps only 10% to 20% of the state’s businesses, government agencies, and nonprofits are in compliance. “It’s still a pretty well-kept secret — people were not really paying attention ’til this past fall,” he said.
Larger companies tend to be better-informed, and, in general, there is more awareness in the eastern part of the state, Christianson continued, adding that his firm has invested considerable time, energy, and marketing dollars trying to spread the word (and expand the client list) in the 413 area code.
In essence, the new Bay State measure — passed in 2007 in response to the massive data breach at TJX Co. in 2006 that led to the theft of more than 45 million customer credit- and debit-card numbers — states that Massachusetts businesses and nonprofits have a duty to protect personal information.
And that means virtually every business, given the definition of personal information contained in the new law: “a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license or state-issued identification card number; or (c) financial account number, or credit- or debit-card number.”
“That’s just about everyone,” said Christianson, noting that to be exempt from the new law, a business would need to be a sole proprietorship with no employees that deals only in cash.
There aren’t many, if any, of those, he continued, adding quickly that, while most companies are aware of the law and the March 1 deadline, many are still not attacking the matter with a great deal of diligence. Months ago, there were doubts that the law would even take effect, he said, noting that the bigger obstacle now is general resistance to new controls on how people do business.
“People are just regulation-wary in general,” Christianson explained. “Regulations get people’s hackles up. The important thing for business owners who might be upset about this is to step back from that role of business owner and look at this from the perspective of the consumer, with yourself being the consumer; greater than 10% of the state’s population has already had their identity compromised.”
For the record, here’s what the law states: that “every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information-security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope, and type of business of the person obligated to safeguard the personal information under such a comprehensive information security program; (b) the amount of resources available to such a person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.”
The law goes on to say that each comprehensive information-security program shall designate one or more employees to maintain the program, and that companies must identify and assess “reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks.”
Other provisions include:
- Developing security policies for employees relating to the storage, access, and transportation of records containing personal information outside of business premises;
- Imposing disciplinary measures for violations of the information-security program rules;
- Preventing terminated employees from accessing records containing personal information; and
- Overseeing service providers by, among other things, “taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations.”
That’s a Lock
Roughly translated, this all boils down to establishing new policies and procedures, and considerable amounts of training, said Pat Guenette, vice president of Human Resources for the early-education provider Square One, that agency’s point person for the new law, and one of many working to get both hands around the compliance issues.
Guenette told BusinessWest that there has been a significant learning curve involved with the new law, which she says she’s negotiated, in large part, by asking a number of hard questions at informational workshops and training sessions she has attended. There have been many, and they’ve been hosted by a wide range of organizations, from the Employers Association of the NorthEast and AIM to Whalley Computer Associates and Human Resource Management Assoc. of Western New England.
Her work started several months ago, she said, noting that Square One understands the importance of the law, and not only wants to be in compliance but needs to be in compliance if it is to properly serve a number of constituencies.
“Our organization is concerned not only about protecting employee information, but information on the clients that we work with and the families that we work with,” she explained. “It’s imperative that, as an organization, we are up on this and ensure complete compliance.”
Square One isn’t quite there yet, Guenette continued, but it’s close. Work toward finalizing a WISP is ongoing, she said, adding that she and others are working with legal counsel to review operations and complete what amounts to an assessment and audit.
“They’ll review our policies, procedures, and operations to make sure, with all of the information we have, whether it’s maintained on paper or electronically, that we have procedures in place to make sure that it’s properly stored and that it’s kept confidential.
“When you look closely at the law, you can see that it’s long, the regulations are pretty in-depth, and there are a number of challenges for businesses,” she continued. “And I think that’s why it’s been delayed so many times, because there are so many requirements that are difficult for businesses, such as your carriers and vendors and your service-provider agreements — all of these things have to be considered very carefully.”
A team approach has helped Square One get to this point, and it should be in compliance by the deadline, Guenette continued, adding that work with an IT provider and the organization’s law firm has also been a key element in clearing the many hurdles posed by 201 CMR 17.
When asked to describe her work with regard to the new law, Royal said much of it comes down to training clients’ employees, but also training the trainers.
“We’re essentially giving HR administrators and upper-level managers the tools they’ll need to be able to train their employees in these policies that they’re going to have in place by March 1,” she said. “There’s a lot they need to know.”
There are several components to the identity-theft law, she explained, noting that, in addition to the drafting of a WISP, an internal document for dealing with personal information, companies must have in place policies regarding how the WISP is to be implemented.
“These would spell out for employees what their duties and obligations are surrounding the protection of information and the storage of information,” she said, noting that few small and medium-sized companies have such policies, and are essentially starting from scratch.
Christianson stressed the importance of training, but also the simple awareness of the importance of protecting personal information, a seemingly missing ingredient at some companies.
“Most of the breaches that have happened were not malicious in nature,” he said, noting that there are exceptions. “Most of the time it’s carelessness — a guy or woman wants to make a good impression and takes work home at night. They take a thumb drive and put a spreadsheet on it, and it’s got all this personal information; they go to Dunkin Donuts to get their big coffee so they can stay up all night, and they drop the thumb drive in the parking lot.”
Putting policies in place to at least reduce the chances of such a calamity, and those others outlined in the Identity Theft Resource Center report, is what the new legislation is all about.
Into the Breach
Christianson noted that most businesses will not be in compliance with the new law by March 1, and for a number of different reasons, but mostly because they started too late. But he believes the state is hoping that, by then, business owners and others will at least be moving in that direction.
There may indeed be a large degree of regulation-wariness on the part of business owners, he continued, but the bottom line is that businesses, sooner or later, will find themselves in the same boat as Square One — not just wanting to be in compliance, but needing to be.
George O’Brien can be reached at obrien@businesswest.com