Data Security: The new Massachusetts law you can't ignore (3/17/10)

In December 2006, thieves broke into TJX Companies' computers and electronically stole over 45 million transactions involving credit cards, debit cards, and checks. TJX (based in Framingham, Mass.) operates over 2,000 retails stores including TJ Maxx, Marshall's, HomeGoods, Bob's Stores, and A.J. Wright.

How did this happen? There were 3 key parts:

The initial break-in was at a store using an older type of wireless security known as WEP (Wired Equivalent Privacy). Instructions (and free software) for breaking into any WEP network in less than 30 minutes have been widely circulated since 2001.
The data stored at TJX headquarters (which the thieves broke into next) probably contained much more information on each transaction than industry standards allowed.
This data either wasn't encrypted (mathematically scrambled to thwart theft) or the thieves found the encryption key.

The new Massachusetts data security law
In response to massive identity thefts like this and others, the Massachusetts legislature has passed Chapter 93H: "Security Breaches." The Office of Consumer Affairs and Business Regulation has implemented it with the regulation 201 CMR 17.00: "Standards for the Protection of Personal Information of Residents of the Commonwealth." This is one of the strongest data security laws in the country. It went into effect March 1, 2010.

This law applies to every person, business, or organization that provides any goods, services, or employment to residents of (or organizations located in) Massachusetts. It requires those providers to protect any "personal information" about those residents, whether stored on paper or in electronic form.

This law mandates a fundamental change in how all organizations handle personal information. However, I think it's merely catching up with a harsh modern reality. Over the past 10-15 years, the problems of identity theft and invasion of privacy have exploded. 25 years ago the first personal computers were expensive and isolated devices that only a few could use well; security just wasn't an issue. Today they are inexpensive and essential tools in practically every home and office, and they're connected through a worldwide network rich in information, resources, and security threats. Our taking responsibility for protecting our paper and electronic information from being misused or stolen is long overdue. Using state-of-the-art security methods to combat sophisticated modern thieves only makes sense.

Caveat: I am neither an attorney nor an expert on this law, and my understanding of its meaning and implications is ongoing and evolving. I'm writing about this to make you aware of some of these issues, and hope that you will seek detailed technical and legal advice specific to your situation.

Also, this is far too large a topic to cover thoroughly in any single newsletter, so this is the first in a series of newsletters I plan to write about these issues.

What "personal information" does this law cover?
The law defines "personal information" as a combination of two elements:

1. A Massachusetts resident's name, or the name of a company or organization located in Massachusetts

In combination with:

2. Any of the following corresponding pieces of information:

Social Security number, Taxpayer Identification Number (TIN), or Employer Identification Number (EIN), or
Driver's license number or state-issued identification card number, or
Bank account number, credit or debit card number, or any other financial account number

What does this law require?
This law requires you to take state-of-the-art actions (within reason) to protect the safety and security of personal information at a level that is probably much stricter than you're doing now, or face stiff fines--$5,000 for each Social Security number or other personal number breached, plus similar fines for failing to follow any of the individual regulations.

The requirements (and their implications) are complicated, and address how you store this information, how you handle it, and how you share it with others, and cover both paper and electronic methods. Complying with this law will likely change a number of aspects of how you do business, and will probably cost you some time and money.

On the one hand, this is really serious, both the fundamental nature of the problem and the need for everyone to comply with this law. On the other hand, there is a reasonable and finite process you can implement that will get you compliant with this law, and you (and your customers) will benefit from the result. In addition, the law's enforcement standard is based on what's reasonable for the size of your business and technically feasible for the type and amount of information you handle.

Don't put this off any longer. Get started now.

Why am I just hearing about this now?
While this law has been in the works for a while, not only has the state adjusted its scope and postponed it a number of times, but they've also not made much effort to publicize it. I only heard about it last fall from some colleagues, and it took me a while to get started on this for my own business.

In the past few weeks, almost no one to whom I've mentioned this law has heard anything about it. My unscientific impression is that most businesses and organizations are behind schedule in getting compliant.

Does this law apply to me?
As far as I can tell, apart from government agencies (which are exempt because they're already held to a higher security standard) the only type of organization providing goods and services to residents of Massachusetts that this law does not apply to would have to:

Only take payment in cash,
Be run by the owner (or volunteers), with no employees or contractors, and
Never collect, store, or share any personal information on any Massachusetts residents.

However, such a business would still find it prudent to write up a detailed security plan outlining how the law doesn't apply to it, in case it ever came to the attention of the state.

Certain types of businesses are clearly affected by this law, for example:

Retail stores and other businesses that accept credit card payments from customers
Insurance agents, who handle clients' Social Security or driver's license numbers
Accountants, bookkeepers, and payroll services, who handle clients' Social Security and financial account numbers
Computer consultants and IT (Information Technology) service providers, who may handle customer passwords, which in turn give them access to personal information that may be stored on those customers' computers

But even if you don't intentionally collect this type of information, think carefully about all aspects of your operation before you conclude that you're not subject to this law. You'll probably find that:

If your customers pay you by personal or corporate check, then you're already handling names and bank account numbers, at least until you deposit them into your bank. If you also keep photocopies of those checks, or if you have online access to images of deposited checks (a feature I've seen only on Bank of America's web site to date), then you're storing that information for a longer period of time.
If you have any employees or contractors, then you're handling names and Social Security numbers in your payroll and 1099 records, plus names and bank account numbers in your direct deposit and retirement benefit records. You also send that information to your payroll service, and they probably send it back to you in your payroll reports.

Also:

You don't have to be located in Massachusetts. If your business is in Ohio and you've got any customers, employees, or contractors in Massachusetts, then this law applies to you.
Your organization doesn't have to be a for-profit business. If, say, your nonprofit theatre group or volunteer-run community garden collects any payments from a Massachusetts resident by check, then this law applies to you.

Can't I just do the minimum required by this law?
You can certainly implement a plan that complies with the letter of this law and nothing more. However, I think that's a short-sighted approach. This law is a wake-up call. This issue is not going away, and it's only going to grow. It's understandable to view this as an unwelcome external intrusion into your operation, but given the value and sensitivity of the information you're probably handling (your customer's as well as your own), I recommend taking this as a great opportunity to address this deep security problem and resolve it in a modern and productive way.

At first, as you implement the changes to your operation required by this law (e.g., putting certain paper records under lock and key, learning how to encrypt your computer data and your backup, choosing better and different passwords, writing your detailed security plan), you'll probably have your hands full. However, once you're underway, I think you'll find that it's less work to, for example, protect personal information on all of your customers, not just the ones who live in Massachusetts, and not just their bank account or Social Security numbers, but all of their information (home address, birthday, notes on work you're performed for them, etc.).

Doing more than strictly required by this law may also go a long way to convince any state investigator that you're not a likely source of leaks, since you'll have done a more-than-thorough job of complying.

It's also likely that other states will be passing similar laws regarding information you may be handling on their residents. You'll be subject to their laws as well, whose details may be somewhat different than this Massachusetts law.

And as you protect your customers' information, I suggest that you also make the (probably small, incremental) effort to protect your own information.

This is ridiculous! I'm already very busy! Why should I have to do any of this?
Identity theft is a serious problem. How would you feel if your local hardware store let your credit card number get stolen, or if your employer left your payroll records out for someone to steal, or if your insurance agent sent your Social Security number to her company via regular (insecure) email?

Here are a number of additional reasons to implement good data security:

It's time, in fact it's long overdue for all of us to make a reasonable effort to safeguard this information, and to learn what technology is secure and what isn't.
This is part of taking good care of your clients.
Information is valuable. Unsecured paper information can be stolen by someone with physical access. All the unsecured information on your computer can be stolen by someone with either physical or electronic access.
Your biggest customer may ask you if you're compliant with this law. If you're not, they may have to drop you in favor of another vendor that is compliant.
Becoming compliant may give you an advantage over your competitors who aren't.
Becoming compliant should give you (and your customers) additional peace of mind.
You'll be much less vulnerable to embezzlement and insider theft.
You can start to educate your customers about these issues, making yourself an even more valuable resource to them.

Can't I just hire someone to do all this for me (or my organization)?
While you can (and probably should) find knowledgeable outside people to help with this process, the law specifically requires that someone within your organization be responsible for your data security. Since there are a lot of decisions to make and changes to your habits and procedures you'll probably have to implement, you need to be involved.

How can I get started?
I will be walking you through this process in my upcoming newsletters and sharing with you the things I'm doing within my own business to comply with this law.

In the meantime, here is an outline to help you get started, with the goal of not only strictly complying with the law but also reasonably going beyond its requirements to achieve a good degree of overall data security:

Set up a reliable, scheduled, encrypted backup to external hard drives that you regularly rotate off-site.
Develop, implement, and maintain a comprehensive Written Information Security Plan (WISP) and policies that specify how you will safeguard that information against internal and external security risks that any reasonable person could anticipate. See http://www.mass.gov/Eoca/docs/idtheft/sec_plan_smallbiz_guide.pdf for a state-supplied template.
Assign the responsibility for maintaining this plan to one or more specific people within your organization.
Protect that information from unauthorized physical access, e.g., limit access only to appropriate people, use locked storage and safeguard the keys and lock combinations.
Protect that information from unauthorized electronic access, e.g., limit access only to appropriate people, and use encryption, strong passwords stored securely, and up-to-date protection by firewall, antivirus, and antispyware technology, upgrade wireless security from WEP to WPA or WPA2 or stop using wireless entirely.
Protect that information from insecure handling and transmission, e.g., encrypt laptops and portable devices, use encrypted email and secure fax.
Protect that information in other ways, e.g., remove access for former employees, securely destroy information you no longer need, ensure destruction of data when disposing of old computers.
Train your employees or staff in your security methods and policies.
Take reasonable steps to ensure that any vendors with whom you share information are also compliant with this law.
Review your security procedures at least annually and update them as appropriate.
If a security breach occurs, you should document what was taken, how you responded, and any changes you made to improve your security as a result.

To get started, I suggest that you:

Start learning about this law and its requirements.
Talk to your computer support people and your attorney.
Talk to your colleagues about what they're doing, and support each other in this process.
Look into classes, workshops, and other educational resources.
Contact me if you'd like my advice on your specific situation.

See the next section below for links to resources I've found helpful.

I've also found the following types of tools useful:

Hardware: Multiple external backup hard drives, locked file cabinets, secure storage for keys and lock combinations, crosscut paper shredder
Software: Backup software, encryption software, tools to wipe your hard disk's free space (because simply deleting files is not enough), software to organize your passwords and store them securely

Here are the key themes to focus on (which TJX failed to do):

Scope: Can I reduce the type or amount of sensitive information I'm storing or handling and reduce my overall risk?
Security: How can I reasonably prevent an unauthorized person from getting access to this information, both paper and electronic?
Encryption: How can I make it impossible for someone who does get access to this information from ever using it?

Where to go from here
As I learn more about this, I will share with you what I've learned and what changes I've made in my business. In the meantime, here are some resources I've found helpful:

The law and regulations:

http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm: The text of the law, Chapter 93H: "Security Breaches"
http://www.lawlib.state.ma.us/source/mass/cmr/201cmr.html: Click "201 CMR 17" to read the text of the regulations implementing the law

Workshops:

http://www.MassDataSafety.com: My colleague Adam Frost's 3-hour workshop on the new law, which I've taken and highly recommend, both for its group discussion format and for its step-by-step materials that get you organized and moving toward compliance

Informative web sites:

http://www.mass.gov/?pageID=ocatopic&L=3&L0=Home&L1=Business&L2=Identity+Theft&sid=Eoca: Massachusetts Office of Consumer Affairs web page on Identity Theft
http://www.mass.gov/Eoca/docs/idtheft/sec_plan_smallbiz_guide.pdf: State-supplied guide for writing a Written Information Security Plan
http://nengroup.com/2009/10/ma-201-cmr-17-compliance-nengroup-message-about-preparing-for-the-massachusetts-data-privacy-act: A good overview of the issues, ending with a short marketing message from this IT support company
http://itknowledgeexchange.techtarget.com/it-compliance/201-cmr-17-faq-updates-to-massachusetts-data-protection-law: A very good FAQ about the law
http://www.networkworld.com/news/2009/111809-the-mass-201-cmr-17.html: A collection of articles about the new law
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1379916,00.html: Recent comments about enforcement
http://www.nysscpa.org/cpajournal/2008/808/essentials/p34.htm: "Analyzing the TJ Maxx Data Security Fiasco"

If you know someone who might find this helpful, please feel free to forward it.
If you have any comments about this article, send me a reply!
If you have a topic that you'd like me to write about, I'd love to hear about it!