Page 37 - BusinessWest January 10, 2022

No Breach January
Three Steps to Improving Your Cybersecurity Posture in 2022
By Lauren C. Ostberg
Along with the widely reported cyberattacks on behemoths like LinkedIn and Facebook, 2021 also saw cyberattacks on local governments, small businesses, school systems, nonprofit organizations, and other smaller, more vulnerable targets. For more than a decade, Massachusetts has enumerated a set of administrative, physical, and technological safeguards designed to protect consumers’ personal information.

For more than a decade, you — a natural person, corporation, association, partnership, or other legal entity who uses, stores, or otherwise accesses personal information in connection with the provision of goods and services or with employment — have been required by law to put such safeguards in place.

Whether a genuine desire to comply with 201 CMR 17 or the breaches of 2021 motivates you, the new year is the perfect time to strengthen your cybersecurity position with three simple steps.

Inventory the Personal Information You Possess

Under applicable Massachusetts law, ‘personal information’ is a Massachusetts resident’s first and last name or first initial and last name combined with a Social Security number, driver’s license or state ID number, financial-account number, or credit- or debit-card number. This personal information is what you are obliged to safeguard; access, use, or compromise of this personal information by an unauthorized person constitutes a reportable breach. A useful first step in developing, or improving, your cybersecurity position, then, is compiling a list of every location where you keep this personal information.

Creating this list should make some security risks apparent — do you have Social Security numbers in your e-mail inbox, in an unlocked filing cabinet, or stored on the desktops of employees’ unencrypted laptops? In the event you experience a ransomware attack or another cybersecurity incident, knowing where personal information was stored can help you quickly determine whether the potentially compromised data contained ‘personal information’ and, thus, whether you have experienced a ‘breach’ reportable to regulators.

If you already have a well-developed written information security program (WISP) and feel confident in your cybersecurity posture, this step still applies to you. Reviewing and updating this inventory can (and should) be part of your annual review of that WISP’s scope and effectiveness.

Learn to Encrypt Personal Information

Massachusetts regulators require that personal information (when held by a person other than the consumer) be encrypted ‘in transit’ and ‘at rest.’ In transit refers to information when it is transmitted across networks — say, from one e-mail account to another. At rest refers to storage, on a flash drive,

Cybersecurity
Continued on page 40








































































