As cyber-thief extraordinaire Alex Gonzalez is sentenced to twenty years in prison, I find it ironic that his brilliance is outweighed by his stupidity. Gonzalez pleaded guilty to the massive theft of credit card numbers by hacking into TJX, BJ’s and many other payment servers. Certainly some amount of talent was required to perform these acts. And yet he was caught because he couldn’t keep his mouth shut. He apparently left quite a trail of breadcrumbs on the Internet when he bragged about his conquests to friends online.

While the new data security regulation in Massachusetts is designed to curtail this sort of sensational crime, the problem we face in trying to stop identity theft is a lack of focus where it is perhaps needed most. Small businesses are considered significantly more vulnerable than any other segment. And to me this makes sense. I don’t imagine that the local hardware store, pizza shop or hair salon has much security built around its employee records, which are probably stuffed into an unlocked file cabinet in the back room. And their credit card processing and email are only as good as the bargain basement companies that have sold them the services.

Certainly the regulation is aimed at, and applies to, even these small businesses. It is a sweeping and comprehensive piece of legislation that will clamp down on all but the most determined of thieves—but only if it is followed. The problem lies in the difficulty of obtaining compliance. I’m guessing that most small business owners are not even aware of the regulation (at least those with whom I have spoken are not). And those that are aware of it will not likely take the time and spend the money needed to prepare and implement a WISP (written information security plan). I analogize this problem to the modesty panels in the public restroom – they cover up most of what might be seen, but there is a big gap at the bottom. Someone who wants to peek in certainly could. While it should not be necessary to hire a lawyer skilled in compliance issues to prepare and educate the store owner on their WISP, the reality is different.

I have some ideas on improvements that will help small businesses. Look for these in future articles.