If they don’t, there will be a lot of money lost. The federal government has proposed $36 billion dollars in incentives to complete the task.

The problem: The feds haven’t finished writing the rules yet.

Right now, just 10% of health care facilities use electronic health records (EHRs), ComputerWorld reports. The governments offering the stimulus funds in the hopes that the number will increase to 50% by 2014.

The money will be available starting next year for facilities that can prove they’re using EHRs in a “meaningful” way. To meet the deadline, experts recommend office begin the project now, even before the government decides what that means.

The law, which went into effect March 1, states that all companies that maintain personal information on Massachusetts citizens must conduct an internal security review, have a documented Information Security program (ISP), and set up clear security policies.

If your firm holds personal information (such as Social Security numbers) on any Massachusetts residents, you are required to follow its guidelines, the Boston Herald reports.

Non-compliance could result in fines and lawsuits, as well as bans from doing business with state citizens. The law requires businesses and organizations to:

• designate an information security officer
• develop plans for securing servers, hard disks and laptops
• set up procedures for safe destruction of older data, whether digital or on paper
• train personnel in data security, and
• implement methods for dealing with terminated employees, including cutoff of access to company data.

Now we suspect that this law will be challenged as being a restriction to interstate trade. But that’s hardly a sure thing. And other states are looking at similar regulations. Eventually, this may force the hand of the federal government to set up nationwide security standards.

As one expert notes, the Massachusetts law “is just the beginning of a nationwide movement towards demanding that companies be more proactive in avoiding security breaches that could be devastating to their businesses and their clients.”

The latest state to enact a data breach law: Massachusetts.

The law goes into effect on March 1 and will impact more than just the businesses based in the state. It covers all companies that store personal info about Massachusetts residents, regardless of where the company’s located.

Businesses must encrypt sensitive data that’s stored on portable devices or transmitted over public or wireless networks.

The rules also require companies to:

• control end-user access to sensitive data
• protect passwords that allow access to sensitive data, and
• take “reasonable steps” to make sure third-party service providers keep sensitive data secure.

Read the full text of the law here.

The law was met with considerable resistance from business and technology groups, and was delayed for more than a year as the rules were modified. As of now, the March 1 effective date still stands.

Massachusetts will join other states, such as Connecticut and Michigan, that place heavy burdens on companies for protecting employee and customer data. In addition, the federal Personal Data Privacy and Security Act has been gaining steam in Congress.

If passed, the law will penalize companies for leaving data unprotected and create new standards for notifying victims and law enforcement if data has been compromised.

Yes, there are junk fax filters, but even the best of them can be gotten around.

A Michigan company, according to the Detroit News, has decided to do more than filter. Imhoff Investment LLC has filed a federal lawsuit against Texas-based Stephen Bean & Associated and Aftermlifequote.com for sending unsolicited junk faxes. The fax in question was entitled “Affordable life insurance.”

The suit references two federal laws: the Telephone Consumer Protection Act of 2001 and the Junk Fax Prevention Act of 2005. It is illegal, by these acts, to send faxes to a party unless you already have underlying business relationship with them.

The lawsuit brief states that “Unsolicited faxes prevent fax machines from receiving authorized faxes, prevent their use for authorized outgoing faxes, cause undue wear and tear on the recipient fax machines, and require additional labor to attempt to discern the source and purpose of the unsolicited message.” It couldn’t be stated better.

The cost per violation: $400 per page received, and the judge can award triple damages if the sender is seen to be willfully violating the law. This is a case worth watching.

Text messages.

In a by now infamous 2008 case, the mayor of Detroit was convicted of lying to a grand jury about both unwarranted dismissals and a sexual affair with an underling.

The reason he got caught: His text messages were obtained (by the thousands), and they told all. By an unusual circumstance, his messages from six years before using a city-supplied device had been retained by the city’s service provider, and they had been subpoenaed by an alert prosecutor.

This has been the most spectacular example to date of the legal importance of text messages (Tiger Woods’s texting, however indiscreet, did not break any laws). And the law is now clear: Any text message is open to subpoena, and those made using a company or organization’s cell phone or messaging device get no special protection. What still hasn’t been determined is companies’ responsibilities for retaining those records, as they now retain e-mail and written communications. But the rules are on the way, according to e-discovery expert Benjamin Wright.

One solution might be to ban Internet messaging entirely for employees. But that seems unlikely –- a rapidly growing section of the workforce now uses messaging as freely as they do phone calls and e-mails. As a result, texting is starting to become crucial to operations. It’s hard to go backwards in a quickly evolving technosphere. And banning messaging will soon seem to some workers (and customers) as retrograde as forcing workers to write with quill pens on animal hides. In areas like sales and support, for example, messaging use is growing by leaps and bounds.

So far, there are no clear rules on messaging retention. But as the cases multiply and the court rulings proliferate, it’s hard to believe that the same standards for other digital communications won’t prevail. That’s an issue that management has to start thinking about and IT departments have to start planning for.

More immediately, companies have to take stock of how employees are currently using messaging, and to work on developing some guidelines for their use.

In 2007, Georgia began offering employers tax credits of up to $20,000 to cover the “planning, training, and/or raw labor costs associated with starting or expanding a telework program.”

Oregon followed with the Business Energy Tax Credit, which helps fund a number of environmentally friendly business initiatives, including telecommuting programs.

On the federal side, the Telework Tax Incentive Act has been introduced to Congress. The credit would give individuals who work from up to $1,000 a year. The money wouldn’t got directly to businesses, but it would make telecommuting a more attractive benefit to offer current and potential employees.

A major new federal data security law (Personal Data Privacy and Security Act of 2009) is gaining steam and is going to set new, more precise rules for the management and safekeeping of corporate and government data.

It may seem like Congress is unable to get anything passed these days, when inter-party wrangling and threats of filibuster seem to tie most federal legislation in knots.  But the new act has just cleared a major hurdle, the Senate Judiciary Committee, with an overwhelming bipartisan vote.

The details are likely to change as the bill progresses, but there is no doubt that new, tougher rules on handling data breaches are on the way. Among the provisions likely to be included:

1. New stiffer federal penalties for identity theft
2. The establishment of an Office of Federal Identity Protection will be established as part of the Federal Trade Commission (FTC), which will monitor data breaches and enforce identity theft laws
3. A new standard for breach notification. Companies and government entities will have to notify all individuals whose data has been compromised. In some cases, credit rating agencies and the US Secret service will also need to be notified
4. New standards for data protection including encryption and safe data storage will allow for some exemptions form the notification requirements, and
5. Executives of companies that willfully avoid indication may be subject to criminal penalties.

While the new strictures might be harsh, they will likely replace a patchwork of 45 state regulations currently on the books, allowing companies to follow one single set of procedures and safeguards nationwide.

For more info look here.

And here.

What is metadata? It’s the digital information that gets attached to any email or text document that traces who created the document and when, what (if anything) it was based on, who modified it and when, and how it was routed inside and outside the company.

Think, for example, of a lawsuit that turns on the issue of whether a certain document was reviewed by a senior manager. Consider a fired employee who can demand not only confidential personnel files, but who wrote them and when.

The issue came up in a ruling by the Arizona Supreme Court, which reversed a power court decision that ruled that metadata –- in this case included in public records — not being an intrinsic part of the document, could not be demanded by the plaintiffs along with the documents in question. The higher court stated that the hidden metadata was to be made as available as the regular data.

As one legal expert stated:

“Without knowing when something happened, or who was involved, electronic evidence is often useless –- thus, metadata is critical. Because of metadata’s critical nature, it is generally deemed to be part and parcel of the document it describes – if the document is relevant and must be divulged, then so must the metadata.”

What can and should companies do? The temptation might be to erase metadata in advance (there are tools in Microsoft Office that can). But at least one other case is pending where a company may be in hot water for doing this.

As emails including hastily written text messages become ever more interesting to plaintiffs, expect this whole area of metadata to become an ever-bigger issue. For more on metadata, you might want to check out this legally-oriented report.

When an employee’s caught looking at offensive Web sites, the person’s usually fired. But it’s not always that simple. Take this recent case, for example:

An oil field operator was fired after he was accused of downloading pornography at work. About 200 field employees shared a computer located in their break room.

Each worker was given a unique username and password, and told to sign in only under their own names and sign out when finished.

While running a virus scan, an IT staffer discovered porn sites had been accessed under the employee’s username, including “hundreds of prohibited websites” over the period of two days. The staffer notified the employee’s boss, who verified the employee had been at work on those two days.

He was fired for violating the company’s computer use policy, which strictly prohibited the downloading of any obscene content.

The employee, 57 years old at the time, sued for age discrimination after he learned his replacement was 43.

He claimed he was innocent — he got access to the company’s log of his alleged Web activity and pointed out that many of the sites were visited during times before and after his shifts or on days we wasn’t scheduled to work.

The judge didn’t buy his argument and ruled in favor of the company. Why? Two reasons:

First was the way the computer policy was written. It expressly forbid users from sharing or even writing down their passwords and said that “System Users are responsible for all transactions made using their passwords.”

Second, there was no evidence the company was discriminating. Even if they were wrong, the manager and the IT department reasonably believed the employee had been viewing pornography at work and fired him for that, not because of his age.

The lesson: When employees share computers, it can be tough to monitor improper usage. But one good way to make it easier is to write a policy prohibiting password sharing and behaviors that make them easy to steal.

Cite: Cervantez v. KMGP Services Company, Inc.

The legal liability for getting hacked is getting real, as a few recent news stories demonstrate — and Congress is working on even tougher rules.

That puts a bigger security burden than ever on your company. Just promising to do better next time may not cut it.

Take these recent news stories:

1. The Federal Trade Commission (FTC) recently made the biggest fine ever on a company whose records were stolen by a hacker. Data broker ChoicePoint was fined $275,000 for allowing two major data attacks, affecting more than 160,000 U.S. consumers. The attacks included the theft of social security numbers and other personal information.
2. A federal judge shot down a recent offer by stockbroker TDAmritrade to settle claims based on a 2007 data breach that compromised names, addresses, phone numbers and trading information of potentially all of its more than 6 million retail and institutional customers. The solution that the company had worked out (which involved having a third-party analytics firm discover if any identity theft had happened, plus an offer of free security software for customers) was rejected as “very temporary fixes.” The company will have to do far better, according to the judge.
3. In Maine, a decision is pending from the state Supreme Court on whether companies can be charged by consumers and banks for the time and money involved in resolving problems and reissuing cards compromised by stolen data. Regional supermarket chain Hannaford Brothers (no relation) had data about 4.2 million debit and credit card customers stolen.

As a Computerworld article dealing with the Maine case states:

“In most cases, courts have held that since consumers are compensated for any loss by the card-issuing bank they have little reason to seek other damages from the breached entity. They have also tended to reject the idea that consumers must be compensated for damages that they could suffer in the future as a result of a data breach.”

But that may be changing — whichever decision Maine’s high court makes is expected to influence judges in other jurisdictions. And, meanwhile, Congress is poised to pass Personal Data Privacy and Security Act, which would require notification of victims and hold companies liable for breaches (mirroring several state laws already on the books). The cost of inadequate data security may be about to get a lot higher.