Hard-hitting data breach law in place as of March 1: Did you notice it?
March 10, 2010 by Sam Narisi. Posted in: In this week's e-newsletter, Latest News & Views, Regulations & Compliance, Security
Massachusetts has just put into effect a strict data security regulation (201 CMR 17.00), and don’t assume you can ignore it because your business is located outside the Bay State.
The regulation, which went into effect March 1, states that all companies that maintain personal information on Massachusetts residents must conduct an internal security review, maintain a documented (written) information security program, and set up clear security policies.
If your firm holds personal information (such as Social Security numbers) on any Massachusetts resident, you are required to follow its requirements regardless of where the company is located, the Boston Herald reports.
Non-compliance could result in fines and lawsuits, as well as bans from doing business with state residents. The regulation requires businesses and organizations to:
- designate an information security officer
- develop plans for securing servers, hard disks and laptops
- set up procedures for safe destruction of older data, whether digital or on paper
- train personnel in data security, and
- implement methods for dealing with terminated employees, including cutoff of access to company data.
Now we suspect that this law will be challenged as an unconstitutional burden on interstate commerce. But that’s hardly a sure thing. And other states are looking at similar regulations. Eventually, this may force the hand of the federal government to set up nationwide security standards.
As one expert notes, the Massachusetts law “is just the beginning of a nationwide movement towards demanding that companies be more proactive in avoiding security breaches that could be devastating to their businesses and their clients.”
Tags: data security, law, Massachusetts, personal information

March 3rd, 2010 at 11:51 am
One thing we need in all of this is a clear basis in law for the principle that the person whose data was breached is a recognized injured party when a crime is involved.
There are too many cases where somebody violates the law to get access to data about John Doe and uses that data to steal John’s identity. John’s credit is destroyed and he spends hundreds of hours trying to get out of paying for things that were bought using his identity.
The banks and other institutions decide whether to go after the criminal and often decide that doing so might expose their own negligence. They quietly reimburse John for the losses that they are directly tied to and drop the matter.
John does not get a chance to say the crook must be prosecuted or even to get any legal finding that there has been a crime. Many of the places that the crook ran up bills using John’s identity will argue for years that “John must pay because they have no way of confirming it was not John who made the purchase.”
March 3rd, 2010 at 12:56 pm
Good post… there is another take on the Mass 201 law here: http://blog.maas360.com/massLaw
… wondering if this will become a trend?
March 3rd, 2010 at 2:00 pm
I have many questions about this law, for instance how will it be enforced? What agency will be charged with monitoring compliance? How will a company show compliance? Is it as simple as filling out a questionnaire and saying yes we comply with this law? What are the audit guidelines for compliance?
March 5th, 2010 at 11:33 am
Ivan,
The law will be enforced when, in the event of a data breach, an organization will be tasked with proving compliance or facing stiff fines. Enforcement will be on the back of General Law Title XV: Regulation of Trade, chapter 93A, section 4. From the blog that Jason links to above, “Aside from class action lawsuits and audit costs, non-compliant organizations can also be charged up to $50,000 per incident for improper record disposal, with a maximum fine of $5,000 per violation of compliance standards.” This is the interesting part to me… depending on legal interpretation, $5,000 could be a data breach fine or a fine PER record lost… which would add up very fast.
Proving compliance will be key. The easier an organization can produce a report proving compliance, the less likely they are to accumulate audit costs in the event of a breach. Make sure you have a reporting tool in place that allows you to track your endpoints to ensure that they have AntiVirus and Firewall software installed and that it is up to date. Also make sure you have good reporting on your encryption software and are monitoring these reports frequently to take action, prior to a data breach, if endpoints look to be non-compliant… this will save lots of time and money in the long run.
Aside from the blog entry that Jason links to above, here are a couple of other resources for you:
Here’s a web based write up on the Mass Law with links to other good resources: http://blog.maas360.com/Mass201
Here’s some detail on a managed encryption solution that provides the reporting you need: http://blog.maas360.com/FDE
Now… if you have AntiVirus, Firewall, and Encryption solutions in place… make sure you have good reporting around all of them. Here’s a link for a trial of a Visibility Service that will let you check compliance status across all those existing investments: http://blog.maas360.com/compliance
Hope this helps…
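The comment above recommends tracking three endpoint controls (anti-virus, firewall, disk encryption) so that you can produce evidence of compliance on demand. The script below is an added example of what such a per-endpoint check looks like; it is not code from the original page or from any vendor's product. It assumes a Windows 10/11 or Windows Server host with Microsoft Defender, the built-in NetSecurity module, and the BitLocker module installed, and it must run in an elevated session because Get-BitLockerVolume requires administrator rights. The three-day signature age threshold and the JSON file name are illustrative choices, not values the regulation prescribes.

```powershell
# Added example (not from the page or any product): snapshot of the endpoint
# controls a compliance report would need to show. Assumes Windows with the
# Defender, NetSecurity and BitLocker modules; run elevated.

function Get-AvStatus {
    # Microsoft Defender: engine on, real-time protection on, signatures fresh.
    # $MaxSignatureAgeDays is an assumed policy value, not a regulatory one.
    param([int]$MaxSignatureAgeDays = 3)
    try {
        $mp     = Get-MpComputerStatus -ErrorAction Stop
        $sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
        [pscustomobject]@{
            Control   = 'AntiVirus'
            Compliant = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and
                        ($sigAge.TotalDays -le $MaxSignatureAgeDays)
            Detail    = "enabled=$($mp.AntivirusEnabled); realtime=$($mp.RealTimeProtectionEnabled); " +
                        "signatureAgeDays=$([math]::Round($sigAge.TotalDays, 1))"
        }
    } catch {
        # A failed query is reported as non-compliant rather than silently skipped.
        [pscustomobject]@{ Control = 'AntiVirus'; Compliant = $false; Detail = "query failed: $($_.Exception.Message)" }
    }
}

function Get-FirewallStatus {
    # Windows Firewall must be enabled on all three profiles (Domain, Private, Public).
    try {
        $profiles = Get-NetFirewallProfile -ErrorAction Stop
        $off = @($profiles | Where-Object { $_.Enabled -ne 'True' } | Select-Object -ExpandProperty Name)
        [pscustomobject]@{
            Control   = 'Firewall'
            Compliant = ($off.Count -eq 0)
            Detail    = if ($off.Count) { "disabled profiles: $($off -join ', ')" } else { 'all profiles enabled' }
        }
    } catch {
        [pscustomobject]@{ Control = 'Firewall'; Compliant = $false; Detail = "query failed: $($_.Exception.Message)" }
    }
}

function Get-EncryptionStatus {
    # Every BitLocker-visible volume must be fully encrypted with protection turned on.
    try {
        $vols = Get-BitLockerVolume -ErrorAction Stop
        $bad  = @($vols | Where-Object { $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On' })
        [pscustomobject]@{
            Control   = 'Encryption'
            Compliant = ($bad.Count -eq 0)
            Detail    = if ($bad.Count) {
                            ($bad | ForEach-Object { "$($_.MountPoint): $($_.VolumeStatus)/$($_.ProtectionStatus)" }) -join '; '
                        } else { 'all volumes fully encrypted and protected' }
        }
    } catch {
        [pscustomobject]@{ Control = 'Encryption'; Compliant = $false; Detail = "query failed: $($_.Exception.Message)" }
    }
}

function Get-EndpointComplianceReport {
    # One record per host; Compliant is true only when every control passes.
    $results = @((Get-AvStatus), (Get-FirewallStatus), (Get-EncryptionStatus))
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        CheckedAt    = (Get-Date).ToString('o')
        Compliant    = (@($results | Where-Object { -not $_.Compliant }).Count -eq 0)
        Controls     = $results
    }
}

# Usage: print the per-control table and write a dated JSON record that a
# central collector can aggregate across the fleet (file name is an assumption).
$report = Get-EndpointComplianceReport
$report.Controls | Format-Table -AutoSize
$report | ConvertTo-Json -Depth 3 | Out-File -FilePath "$env:COMPUTERNAME-compliance.json" -Encoding utf8
```

The point of returning a structured record rather than printing "OK" is evidentiary: the timestamped JSON from each host is what you hand to an auditor after a breach, and the non-compliant detail strings tell an operator which profile or volume to fix before one happens. A query failure is deliberately counted as a failure, since an endpoint that cannot report its state should not be assumed compliant.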