Spring 2010 Speaking Events
Mass. Data Protection Law
John Moynihan will discuss the Massachusetts Data Protection Law and offer practical compliance suggestions. To learn more about joining us at any of these events, please call 617-645-4422.
Tuesday, April 20 - Boston Marriott Newton - Massachusetts' Data Protection Law: A Proactive Approach (Learn More)
Monday, May 3 - Cambridge Chamber of Commerce, held at the Residence Inn Cambridge by Marriott - Data Protection Compliance for Real Estate Professionals (Learn More)
DECEMBER 6, 2009
Gear up to protect personal info
Boston Herald, By Jennifer Heldt-Powell: Starting in March, Massachusetts will have what is arguably the nation's strictest regulations protecting personal information such as Social Security numbers. That's great news for those of us who don't want to have our identity stolen, but it's a burden for small business owners who will have to protect the information of their employees and consumers. READ MORE
JANUARY 15, 2009
Businesses Look to Restart Data Security Rule Process
A coalition featuring some of the biggest businesses in the nation called on the Patrick administration Thursday to again delay implementation of regulations to protect against identity theft, saying the pending rules are unworkable and will hurt job creation. READ MORE
JANUARY 21, 2009
Data Breach May Have Exposed 100 Million Credit Cards
FoxNews.com - A New Jersey credit-card processor disclosed a data breach that analysts said may rank among the biggest ever reported. READ MORE
A New Law That Protects Consumer Data
By John Moynihan
“Data breach” has become a commonly used term in recent years. Although this phrase may be interpreted in a variety of different ways, it evokes a common reaction: Fear. Individuals whose personal information is compromised by these events often fall victim to identity theft and spend years attempting to reclaim their reputations. Companies compromised by a breach are forever associated with these incidents and suffer incalculable damage.
On January 1, 2010, Massachusetts will implement a data protection law that requires businesses to deploy measures designed to prevent breaches and protect the Commonwealth’s citizens from identity theft. The law, MGL Ch. 93H, is considered to be the most far-reaching of any existing data protection regulation and requires companies to adopt controls to safeguard employee and customer information, rather than merely notifying the victims of a breach months after it has occurred. This preventative focus contrasts sharply with the majority of states, whose data protection laws are mainly reactive.
The Massachusetts approach is also unique due to its focus upon employee misuse of personal information. The “insider threat” has evolved into one of the greatest risks ever to confront organizations maintaining confidential data. The law attempts to address this risk by requiring businesses to develop data protection policies, employee awareness training, internal risk assessments, ongoing compliance monitoring and disciplinary standards for willful privacy violations. Regrettably, many small businesses have not implemented the law’s requirements and will therefore not be compliant by January. This “compliance inertia” is due, in part, to the lack of a full-time information security presence within many of the state’s smaller businesses. Although the law requires all businesses that collect employee and customer information to adopt specific controls, many have not done so.
This situation is unsettling on several levels. From a consumer perspective, a company’s failure to comply places customer and employee information at risk of unauthorized access. From a business perspective, companies that violate the law face severe penalties, including a $5,000 fine for each record exposed as the result of a breach.
Consider the following situation:
It’s Friday afternoon and an employee at a small company decides to work on a project over the weekend. The well-meaning employee departs for home, laptop computer in tow. The unencrypted laptop contains the personal information of one hundred of the company’s customers. (The law defines “personal information” as a name, used with a corresponding identifier, such as a bank account number, SSN or credit card number.) The employee stops at the supermarket to buy groceries, leaving the laptop in her car. Upon her return, she discovers that the computer has been stolen.
This constitutes a violation of the law and allows the Commonwealth to impose a $500,000 fine against the company ($5,000 x 100 records exposed). The basis for the fine is not that the computer was stolen, but that the company maintained personal information on an “unencrypted mobile device.” In addition to the financial penalty, the violation would have triggered the law’s notification requirement.
Any loss or theft of an unencrypted mobile device containing personal information must be reported to four (4) separate state agencies and to each individual whose data was stored on the device.
Had the company complied with the law by outfitting the laptop with the necessary encryption software, this event would not have represented a violation of the law. Accordingly, no penalty would have been imposed and the notification of state regulators, and potential victims, would not have been required.
This type of event occurs throughout Massachusetts on a daily basis and demonstrates how small businesses routinely fall victim to data theft. Had this scenario occurred on January 2, 2010, the non-compliant business would be exposed to significant penalties, unfavorable media attention and an erosion of customer confidence.
The implementation date for this law is approaching. Given that virtually all Massachusetts companies will be subject to the law’s requirements and penalties, it is critical that they immediately move toward complying. Those that choose not to implement the necessary administrative, technological and physical controls are placing their customers, employees and themselves at significant risk.