We hear it every day. Criminals prefer the low hanging fruit - the easy mark that is not likely to detect the invasion and where the damage done is too small to justify a major investigation. Identity thieves are no different. Most are not willing or able to target a major corporation with multiple layers of security, particularly where the news of the event and magnitude of the losses will assure the attention of law enforcement.
So it should be no surprise that these crooks are far more likely to exploit the easiest targets, and sadly, we give them the opportunities. The Better Business Bureau and Visa report that small businesses account for some 85 percent of all identity theft incidents. Think of the unlocked file drawer filled with employees’ social security numbers. Or the road warrior who leaves his unsecured laptop visible in the back seat of his car when he stops for a cup of coffee. What about the papers in the trash that would be cherished by a dumpster diver. And then there is the unsecured wireless network where, with just a little bit of electronic sophistication and some simple tools anyone could penetrate an unencrypted computer system. Electronic records vulnerability is particularly troublesome given the shift away from paper.
The Massachusetts data security regulation is an extensive set of rules aimed at changing how we think and act about data security, whether it’s on paper or stored in a hard drive. It is designed to make it harder for these criminals to get access to personal information. Yet many business owners are resistant to the new law, fearing that it will be a costly nuisance that does nothing for their bottom line other than make it smaller. Rather than resisting implementation, businesses should instead embrace the needs of their customers. Consumers have choices when it comes to spending their money. If they do not feel that you are adequately protecting them, they will likely find someone else who will. When your customer feels secure doing business with you, she will be more likely to spend more money, and that is obviously a good thing for your bottom line.
There are many details in the new law, but a lot of security challenges can be easily fixed with little or no expenditure. Extensive does not mean expensive. For starters, if you don’t collect it, you won’t need to protect it. Collect only the minimum information necessary. Lock file cabinets. Keep desktops clear. Do not write down credit card numbers or photocopy checks. Use a shredder. Activate firewalls. Install antivirus and anti-mal-ware software keep them up to date.
Changing behavior is one of the least expensive and most effect means to achieving security. Adopt a corporate culture of security. Train employees to be sensitive to privacy issues. Provide incentives to remain vigilant to security risks by rewarding employees for spotting issues. Discipline those who violate policy and put your customers (and in the process, your business) at risk.
This is by no means a complete task list for the new law – for that you should consult with your legal advisor. But some simple steps and common sense will do a lot to bring you closer to compliance.
If you would like more information on this topic, please call me at 781-707-3883 or use the “Contact Me” page listed above.