Podcast - Massachusetts Data Security Regulations

I recently had the opportunity to talk with Nick Fishman, co-founder of EmployeeScreenIQ, who interviewed me on the Massachusetts Data Security Regulations and what they mean to businesses. Here's a copy of the interview. Check out the EmployeeScreen blog at https://blog.employeescreen.com/ to learn more about pre-employment screening and the comprehensive methods EmployeeScreenIQ uses to ensure thorough, accurate checks that meet the global risk management needs of businesses.


EmployeeScreenIQ Podcast with Nick Fishman

October 28, 2024
We all know how to eat an elephant. One bite at a time, of course. Implementing a comprehensive data security program is no different – for many it’s a monumental task. It can only be accomplished by setting out a manageable, step-by-step plan. Easier said than done? Probably, but that doesn’t mean the process is impossibly difficult.

The new Massachusetts data security regulation goes into effect on Monday, March 1. If you have not yet begun to plan for the deadline, then likely either you are unaware of the requirements, or you are feeling overwhelmed by them. And who would blame you in light of the seemingly endless list of tasks:

- Develop a written information security plan (WISP)
- Identify all foreseeable risks in your organization by examining every nook and cranny where data enters, leaves or is stored
- Implement security policies and procedures and train your employees
- Secure all paper and electronic records; provide encryption
- Obtain written assurances from all vendors that they are compliant
- Regularly monitor and review to ensure compliance

You know that it is vitally important, both because it’s legally required and because it’s the right thing to do to protect your customers. But where to begin? Do you need professional assistance – a lawyer or specialized IT firm – to accomplish this task? That really depends on the size and nature of your business, the data that requires protection and how much time and energy you are willing to devote to the process. Many businesses are probably capable of accomplishing a lot on their own. For the most part, the regulation is a straightforward recitation of the tasks needed to comply. But is that the best use of your time? Noted author and business consultant Andy Birol would caution business owners to judge very carefully those tasks that they choose to do by themselves and those that are properly delegated. Consider the learning curve required to become proficient in an area that is not a part of your core business.

While security is an ongoing and continuous process, monitoring and maintaining a plan is far less cumbersome and time consuming than creating it in the first place. Most businesses will prefer the comfort and efficiency of working with outside professional assistance, at least to get the plan created and implemented. Even if you hire professionals, you will still need to be involved in the process. They cannot do it without your participation and that of your senior management and department leaders. And responsibility will not stop there; security needs to be an integral part of your corporate culture from top to bottom, which means it must become the responsibility of everyone in the organization.

So pull out the regulation, review it, create an action plan and start in on the list. Otherwise, hire the professionals. Either way, the time is now.
October 28, 2024
When do I have to vacate my apartment? Can I leave in the middle of my lease? Can I stay a few days longer if I need time before my new space is ready? My landlord says I have to get out before noon on the 31st because he needs time to clean the apartment for the new tenants – can he do that? I am a landlord – can I start showing the apartment before my tenant’s lease is up? Do I have to give notice?

Whether you are a landlord or tenant, it is important to know your rights and responsibilities when it comes to ending your lease or occupancy agreement. Under a written lease, the tenant is entitled to occupy the premises until midnight on the last day of the lease; likewise, the tenant is obligated to pay rent through that date. Setting aside various special circumstances (such as active military duty, breach of the lease or other violations by the landlord, or being a victim of domestic violence), there is no right to leave early unless it was negotiated as part of the written lease. And there is no right to stay longer just because it might be more convenient.

If you are a month-to-month tenant at will, things are a little bit different. Either the landlord or tenant can terminate the tenancy, but typically that needs to be done at least a full month in advance. Thus, notice on March 7 would not terminate the tenancy until April 30. And as with the lease, the tenant is entitled to stay until midnight on the final day of the occupancy.

Generally speaking, a landlord has the right to enter an apartment to inspect, make repairs and show prospective tenants. Except in cases of emergency, such as a water leak or fire, this should only be done during normal business hours. Also, as a matter of best practice, it is a good idea for the landlord to contact the tenant and arrange for a mutually convenient time to enter. Tenants do not like surprise visits. But tenants should also understand that there are many circumstances where a landlord cannot easily arrange a visit in advance.

The best situation for both landlords and tenants is to do your best to speak with one another and coordinate the end of the lease together, in advance. The landlord will want to know as soon as possible when the tenant will be out so that he can get the apartment ready for the next occupant. And tenants want to know that the landlord will not be bothering them needlessly. There is also value in having a brief walk-through ahead of time to identify any damage (even if not caused by the tenant, the landlord wants to know so that he can fix anything before the next tenancy begins) and to make arrangements for cleaning, trash disposal, and so forth.

Of course, as with most legal issues, there are always exceptions to the general rules. For instance, all of this assumes that there are no significant problems—the rent was paid on time, the apartment was in good condition and the parties left each other alone as much as possible.
October 28, 2024
As of this past Monday, the nation’s “most comprehensive data protection law” went into effect, yet many questions remain as to how the regulation will be interpreted and enforced. The law was promulgated by the Office of Consumer Affairs and Business Regulation (OCABR). While OCABR put it together, the Massachusetts Attorney General is charged with enforcement. As of this writing, I found nothing posted on the AG’s web site that addresses interpretation or enforcement. So business owners and their legal and technical advisors are left to their own best guess.

More surprising, many business owners are not even aware of the new law or mistakenly believe that it does not apply to them. For instance, here are several myths surrounding the new law:

Myth 1 – “Businesses located out of state do not need to comply.” This is false. The regulation applies to any business, wherever located, that has access to “Personal Information.” Personal Information, or PI, is a Massachusetts resident’s name in combination with certain identity or financial data, such as a social security number, driver’s license number, bank or credit card account number, etc. The regulation does not distinguish between an in-state and an out-of-state business.

Myth 2 – “The regulation only applies to bigger businesses with several employees and volumes of Personal Information. It doesn’t apply to small Mom and Pop businesses.” This is false. The regulation applies even if you have just one employee or customer, as long as you have access to Personal Information.

Myth 3 – “I am in a health care or financial services business that is already regulated under federal privacy laws (e.g. HIPAA or GLBA), so we are already covered.” This is false. The federal laws are extensive, but they do not perfectly overlap with the Massachusetts regulation. For instance, those laws are geared toward patients and customers, but Massachusetts also includes employees. And the requirements for the written information security plan (WISP) are not identical. That said, there are similarities in the requirements, so an organization that is already comfortable with HIPAA or GLBA probably will not have to do very much to achieve compliance in Massachusetts.

In my next article I will explore additional myths.
October 28, 2024
In my previous article, I discussed the lack of guidance from the Attorney General on implementation and enforcement of the new Massachusetts data security regulation. The law is aimed at protecting residents from identity theft by requiring practically every business with employees or customers in the state to implement a written information security plan (WISP). I also began a list of common misunderstandings relating to the new regulation. Here are a few more myths.

Myth 4 – “I have no employees. All payments are processed through a third party service. I never see or handle checks or credit cards, so I am not required to have a WISP.” This is probably true. For instance, you could be an Ebay seller who works from home and takes payments only through Paypal. As long as you never have access to any Personal Information (PI), you would be exempt from the regulation. But just a slight change to this scenario requires compliance. A financial planner works from her home and has no employees. Her function is to advise her clients on investments, but clients make their purchases directly from the central office. She never takes any payments directly. But she does receive applications for new accounts when she signs up new customers. The application has the client’s social security number and other identifying information. So even if she sends those immediately to the home office, she still has “access” to PI and thus will need to implement a security plan.

Myth 5 – “There are so many businesses that are subject to the law and most do not yet have a WISP. The attorney general will never know if we haven’t complied.” This may be true, but are you really willing to risk it? Penalties alone are up to $5000 per violation. You will also be obligated to pay any damages suffered by victims of identity theft. And what about the harm to your reputation? I doubt that the Attorney General or a court would have any sympathy for such a callous, intentional and willful disregard for the law. On the other hand, a business that suffers a security breach but can show that it was making a good faith effort to meet industry best practices will probably not be subject to the most severe penalties. According to Scott Schafer, Director of the Consumer Protection Division of the Massachusetts Attorney General’s Office, the attorney general will be less likely to bring enforcement actions against businesses that can show that a breach was inadvertent and that they were striving to achieve industry best practices for data protection.

Myth 6 – “Our company has implemented state-of-the-art electronic security, including firewalls, antivirus, antimalware and email encryption. Our data is locked down tight and cannot be accessed without double password authentication. Surely we have fulfilled the requirements under the regulation.” This is false. These are certainly important steps toward compliance, but the requirements of the law are much more extensive. To begin with, the regulation applies to both electronic and paper records. As well, companies are required to conduct a review of existing systems and procedures and to create and implement a comprehensive written information security plan (WISP).

Hopefully this list will help you understand the scope and breadth of the new regulation. If you have not yet started your compliance plan, the place to begin is a review of the regulation and consulting with your legal and technical advisors.
October 28, 2024
I’d like to think that it’s common knowledge that credit card receipts can be a prime opportunity for identity theft. However, too many of us simply crumple the receipts and throw them in the trash without a care. If the receipt shows your full credit card number and expiration date, this is an invitation for a criminal to go on a shopping spree at your expense.

Federal law is intended to help protect against this problem. A few years ago, Congress amended the Fair Credit Reporting Act, 15 U.S.C. 1681, to require all merchants to truncate credit card numbers on the receipts that they give you at the register. This means that the receipt you receive should not show more than the last 5 digits of the card number. The remaining digits and the expiration date should be unreadable. Even if you threw out this receipt, it would be impossible for an identity thief to use the information.

Although this law went into effect in 2006, I occasionally receive receipts that are not in compliance. These are usually the two-part variety – white on top and yellow below – but it can happen even on the type that prints out two separate receipts at the time of purchase (one that you sign and return and the other you keep).

Earlier this month, I had the pleasure of taking my eldest son on the big college tour – 10 schools in five days. Visiting the schools and the time with my son were terrific; the lengthy drives and staying at a different hotel each night, not so much. What was interesting was the receipt I received from one of the major hotel chains where we stayed outside of Washington, DC. To my surprise, this nationally recognized chain provided me with an illegal credit card receipt, showing my full card number and expiration date. Needless to say, I did not toss that one in the trash, but kept it until I got home and could shred it. But imagine how many patrons think nothing of it or simply tell the clerk to throw it out?

I came to learn that hotels are apparently the biggest offenders when it comes to data security. Being a maven of sorts on the topic, I happened to see in the March 18 Wall Street Journal that data breaches are heaviest at hotels. According to their sources, 38% of breach investigations in 2009 involved hotels, twice as high as the next highest category. The culprit is typically the point of sale software used to accept payment, much of which is not compliant with Payment Card Industry (PCI) standards.

I have sent a complaint to the hotel chain. They are currently investigating my concern. Let’s see what happens.
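The truncation rule described above lends itself to an automated check. The following Python script is an added example, not code from the original post: it scans receipt text for card-like tokens and flags any that show more than the last five digits of the card number, show the wrong five digits, or print an expiration date. The receipt lines, the token patterns and the payment-brand test numbers are all constructed for the example.

```python
from __future__ import annotations
import re

# Truncation rule as described above: a printed receipt may show no more than
# the last five digits of the card number, and no expiration date.
MAX_VISIBLE_DIGITS = 5

# A card-like token: 13-19 digits and/or mask characters (*, X, #), optionally
# grouped with dashes or spaces. Allowing mask characters lets the checker
# recognise an already-truncated number such as ************1111.
TOKEN_RE = re.compile(r"(?<!\w)[\dXx*#](?:[\dXx*#]|[- ](?=[\dXx*#])){12,22}(?!\w)")
EXPIRY_RE = re.compile(r"\b(?:EXP(?:IRES)?|EXPIRY)[:\s]*\d{2}/\d{2,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check; used only to reject unmasked all-digit tokens that are
    not card numbers (order numbers, phone numbers, and so on)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def check_receipt(text: str) -> list[str]:
    """Return the truncation findings for one receipt; an empty list means compliant."""
    findings: list[str] = []
    for match in TOKEN_RE.finditer(text):
        token = match.group(0)
        core = re.sub(r"[- ]", "", token)
        if not 13 <= len(core) <= 19:
            continue
        visible = re.findall(r"\d", core)
        masked = len(visible) < len(core)
        if not masked and not luhn_ok(core):
            continue  # all digits but fails Luhn: not a card number
        if len(visible) > MAX_VISIBLE_DIGITS:
            findings.append(
                f"card number shows {len(visible)} digits "
                f"(max {MAX_VISIBLE_DIGITS}): {token}")
        elif masked:
            # The visible digits must be the *last* digits of the number.
            trailing = re.search(r"\d*$", core).group(0)
            if len(trailing) != len(visible):
                findings.append(
                    f"visible digits are not the last digits of the card: {token}")
    if EXPIRY_RE.search(text):
        findings.append("expiration date is printed")
    return findings


# Constructed sample receipt lines (not from the post). The unmasked numbers
# are publicly documented payment-brand test numbers, not real accounts.
SAMPLE_RECEIPTS = {
    "hotel":      "VISA 4111111111111111 EXP 03/12  TOTAL $189.40",  # full PAN + expiry
    "store":      "VISA ************1111  TOTAL $42.10",             # compliant
    "dashed":     "MC XXXX-XXXX-XXXX-4444  TOTAL $9.99",             # compliant
    "five":       "AMEX **********98431  TOTAL $5.00",               # exactly 5 digits: compliant
    "six":        "VISA **********111111  TOTAL $12.00",             # 6 digits: too many
    "leading":    "VISA 41111***********  TOTAL $7.00",              # wrong 5 digits shown
    "order_only": "ORDER 1234567890123  TOTAL $3.00",                # not a card number
}


def audit(receipts: dict[str, str]) -> dict[str, list[str]]:
    """Map each non-compliant receipt id to its findings."""
    return {rid: f for rid, text in receipts.items() if (f := check_receipt(text))}


if __name__ == "__main__":
    for rid, findings in audit(SAMPLE_RECEIPTS).items():
        print(rid)
        for finding in findings:
            print("  -", finding)
```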
October 28, 2024
As cyber-thief extraordinaire Alex Gonzalez is sentenced to twenty years in prison, I find it ironic that his brilliance is outweighed by his stupidity. Gonzalez pleaded guilty to the massive theft of credit card numbers by hacking into TJX, BJ’s and many other payment servers. Certainly some amount of talent was required to perform these acts. And yet he was caught because he couldn’t keep his mouth shut. He apparently left quite a trail of breadcrumbs on the Internet when he bragged about his conquests to friends online.

While the new data security regulation in Massachusetts is designed to curtail this sort of sensational crime, the problem we face in trying to stop identity theft is a lack of focus where perhaps it is needed most. Small businesses are considered significantly more vulnerable than any other segment. And to me this makes sense. I don’t imagine that the local hardware store, pizza shop or hair salon has much security built around their employee records, which are probably stuffed into an unlocked file cabinet in the back room. And their credit card processing and email are only as good as the bargain basement companies that have sold them the services.

Certainly the regulation is aimed at, and applies to, even these small businesses. It is a sweeping and comprehensive piece of legislation that will clamp down on all but the most determined of thieves—but only if it is followed. The problem lies in the difficulty of obtaining compliance. I’m guessing that most small business owners are not even aware of the regulation (at least those with whom I have spoken are not). And those that are aware of it will not likely take the time and spend the money needed to prepare and implement a WISP (written information security plan). I analogize this problem to the modesty panels in the public restroom – they cover up most of what might be seen, but there is a big gap at the bottom. Someone who wants to peek in certainly could.

While it should not be necessary to hire a lawyer skilled in compliance issues to prepare a WISP and educate the store owner on it, the reality is different. I have some ideas on improvements that will help small businesses. Look for these in future articles.
October 28, 2024
This year, Earth Day heralds a surprise for homeowners who live in housing built before 1978. On April 22, the Renovation, Repair and Painting Law (RRP) takes full effect, imposing new compliance burdens for any contractors who work in older homes, and higher costs for the owners. Any project that disturbs painted surfaces must be performed by a certified contractor following rigid procedures aimed at minimizing contamination from lead found in older paint.

Lead paint presents serious health hazards, particularly for young children and infants. Small amounts of lead that are ingested or inhaled can impair brain development and cause other serious nervous system disorders. Use of lead paint in residential dwellings was banned in 1978, but homes built earlier are at risk of containing lead paint.

Contractors who may disturb painted surfaces on older homes must be certified by the EPA in the safe handling of dust and debris that is generated by the work. The regulations require that the areas affected by the work be completely sealed off and contained so that any dust or debris that may contain lead will not contaminate soil or spread through the air. After the work is completed, the worksite must be thoroughly cleaned and the waste generated must be properly stored and then removed from the site. This is no small task. Anyone who has lived through any renovations at their home knows how much dust is created and how difficult it can be to contain.

The new law is very comprehensive, although numerous challenges remain. One of them is ensuring that contractors are aware of, and comply with, the new law. As of March 6, less than 2% of licensed contractors in Massachusetts had received the necessary certification to be in compliance. Another is forcing homeowners to absorb the substantial added costs of work area containment. But perhaps topping the list is determining how exactly the EPA plans to carry out enforcement – as with many recent regulations, there simply is not the necessary manpower or budget to ensure that the law will be followed.

What are your thoughts about the new law? How will the new EPA rule affect you? Please share by leaving your comments.
October 28, 2024
As I mentioned in my previous post, the new Renovation, Repair and Painting regulation (RRP) went into effect last week on Earth Day, April 22. The regulation is intended to help reduce the risk of lead poisoning by requiring special precautions when performing work on homes built before 1978. Property owners must hire EPA-certified contractors who have to completely seal off the areas where the work is performed (both interior and exterior), carefully remove all dust and debris, provide special handling and disposal of construction waste materials and take other steps to reduce the spread of lead-based materials that may be ingested or inhaled.

For most homeowners, the requirements are likely to be both burdensome and costly. The number of certified contractors is very small. While many more are seeking certification, classes are limited in size and scheduling. Contractors who obtain the certification will be in higher demand and will have a competitive advantage, which will likely be reflected in higher prices when working on older properties. As well, even a simple project will require hundreds of dollars in added materials, training, disposal and time charges in order to assure compliance.

In an effort to ameliorate some of the challenges imposed by the regulation, the EPA had established an “opt-out” that would allow certain homeowners to be exempt from the regulation. Specifically, if there were no pregnant women or children under 6 years of age living at the premises, then the owners could sign a waiver that would permit them to opt out of the new rules.
October 28, 2024
I recently had breakfast with my good friend, Cherie Hafford, and we talked about the Massachusetts Data Security Regulation and how much of a burden it creates, especially for small businesses (more on the Regulation here and here). The Regulation is supposed to be scalable – that is, the degree of compliance should be proportionate to the size of the business and its resources. But for small businesses, even the most stripped-down, basic plan will still require considerable time and money—time and money that most business owners simply do not have or will not spend.

The Regulation likely affects millions of businesses around the country and perhaps the world. Read literally, the law is not confined only to Massachusetts businesses; it applies to any business, wherever located, that has customers or employees in Massachusetts. So if a small crafts shop in Santa Fe accepts a check from a customer in Cambridge, the shop must implement a written information security policy, or WISP. And a gas station in Orlando that accepts a credit card from a tourist who lives in Quincy would have to comply with the Regulation even if they had no idea where the customer lived.

Did the state go too far? Setting aside the constitutional and enforcement challenges, was there perhaps a simpler way to achieve the goals that would not impose such a burden on small businesses that are already struggling? Here are six ideas on how to fine tune the law to make compliance easier and achieve the same objectives:

1) Many businesses that accept credit cards never store the account numbers. They simply swipe them in a POS device and hand the card back to the customer. Why not make that activity compliant with the Regulation without the need for any written plan?

2) Same thing with checks. Most businesses that accept checks want to get the money into their accounts as quickly as possible. How about a rule that says businesses are compliant if they deposit checks within two business days and keep the un-deposited checks under lock and key until they are deposited?

3) Focus the regulations on the banks, credit card companies and the businesses that provide the POS devices and connections. Require that the data be locked down tightly and impose substantial penalties for a breach. The standards already exist – i.e. PCI (Payment Card Industry) standards.

4) Businesses that have employees need to have their social security numbers on file for payroll, benefits and other purposes. Just as with checks, if they are kept under reasonable security and only employees with a need to know or see the information are permitted access, then this should be deemed to be in compliance without the need for any further written plan. The Regulation could set forth a simple plan that, if adopted and followed, will be deemed to be compliance.

5) Work within the parameters of the Fair Credit Reporting Act to reinforce the rights of victims of identity theft. There are far fewer victims than there are businesses who need to protect the information from possible misuse.

6) Do more to educate businesses about the various practices that reduce the risks of identity theft. For years, we have seen signs in restaurants telling employees to wash their hands before going back to work. Maybe there should be similar signs in the human resources and finance departments advocating safe practices with sensitive financial information?

Of course, no matter what is done, there will still be dishonest people who will take advantage of a situation and cause harm to others. This is not to excuse careless or negligent business practices – enforcement should still require a reasonable degree of caution and vigilance. But the new Regulation ignores the practical reality of small business and imposes too many requirements that may be unnecessary.

Please share your own ideas on the Regulation by posting a comment below.
October 28, 2024
There are many ways in which landlords can cross the line and get into serious trouble with their tenants, but perhaps the easiest is by misappropriating their security deposit. The security deposit belongs to the tenant, not the landlord. Period. End of story. Yes, the landlord may be entitled to retain the security deposit at a later time, but only after jumping through several very important technical hurdles. Until then, hands off!

The Massachusetts statute governing residential security deposits is chapter 186, section 15B. It is long and confusing. Nevertheless, the statute carries heavy penalties. A landlord who mishandles a tenant’s deposit, even by mistake, may be obligated to reimburse the tenant for three times the deposit, plus attorney’s fees, plus any court costs incurred.

The basic principle is to avoid any co-mingling of the security deposit with other money. The trouble often begins when the landlord first receives the deposit. In essence, the landlord becomes a trustee of the tenant’s money. Since the deposit must be kept separate from other money, the tenant should not give a single check that combines the security deposit with any other payments. The security deposit should be paid with a separate check or money order. Payment should be made directly to the security deposit account and not to the landlord. Accepting cash for the security deposit is ill-advised since there is no way to distinguish between cash belonging to the landlord and that of the tenant. It doesn’t matter that the cash is later deposited in a separate account – the violation has already occurred.

Once accepted, the money must be placed in a separate bank account that is properly labeled as a security deposit account. In the event that the landlord becomes subject to claims of creditors, the tenants’ money must be held in an account that is clearly identified as escrow funds that do not belong to the landlord. The money may be placed in an account with other security deposits as long as the account is properly labeled and contains none of the landlord’s money.

Another common mistake by landlords is keeping any last month’s rent in the same account as the security deposit. Unlike the security deposit, last month’s rent is money that does belong to the landlord – it is simply rent that was paid in advance. So putting it in the same account with the security deposit would result in co-mingling and would be a violation of the statute.

The security deposit needs to stay in the account until the end of the tenancy. The only exception is if the tenant does not pay the rent. Here is another trap for the unwary landlord. The landlord may not deduct rent from the security deposit if the tenant has withheld paying rent for a valid reason. However, tenants often do not tell the landlord immediately why they are withholding their rent. So a landlord who is quick to withdraw funds from the account without verifying the reason for the lack of payment may be in for a nasty surprise later.

Of course, the primary purpose of the deposit is to protect the landlord in case of unpaid rent or damage beyond reasonable wear and tear. But before the landlord can apply the security deposit, he or she must have taken several other important steps designed to protect the tenant. These include providing a statutory “Statement of Condition” and detailed receipt at the outset of the tenancy, notification of the bank account where the money is held, paying annual interest, and providing a sworn statement itemizing any damages that are being claimed, together with evidence of the repair or cleaning costs.

The bottom line for any residential landlord is to consult an attorney to be certain you understand your rights and obligations before accepting a security deposit. The modest cost for this advice will pale in comparison to the penalties that may be faced after the damage is done.

Are you a landlord or tenant? Do you have questions about housing or real estate investment? I would love to hear from you. Please click below to let me know any comments or concerns.