Truth or Delusion? - Myths and Misunderstandings about the Massachusetts Data Security Regulation. Part II

In my previous article, I discussed the lack of guidance from the Attorney General on implementation and enforcement of the new Massachusetts data security regulation. The law is aimed at protecting residents from identity theft by requiring practically every business with employees or customers in the state to implement a written information security plan (WISP). I also began a list of common misunderstandings relating to the new regulation. Here are a few more myths.

Myth 4 – “I have no employees. All payments are processed through a third party service. I never see or handle checks or credit cards so I am not required to have a WISP.” This is probably true. For instance, you could be an Ebay seller who works from home and takes payments only through Paypal. As long as you never have access to any Personal Information (PI), you would be exempt from the regulation.

But just a slight change to this scenario requires compliance. A financial planner works from her home and has no employees. Her function is to advise her clients on investments, but clients make their purchases directly from the central office. She never takes any payments directly. But she does receive applications for new accounts when she signs up new customers. The application has the client’s social security numbers and other identifying information. So even if she sends those immediately to the home office, she still has “access” to PI and thus will need to implement a security plan.

Myth 5 – “There are so many businesses that are subject to the law and most do not yet have a WISP. The attorney general will never know if we haven’t complied.” This may be true, but are you really willing to risk it? Penalties alone are up to $5000 per violation. You will also be obligated to pay any damages suffered by victims of identity theft. And what about the harm to your reputation? I doubt that the Attorney General or a court would have any sympathy for such a callous disregard for the law that is intentional and willful. On the other hand, a business that may have a security breach, but that can show that they were making a good faith effort to meet industry best practices will probably not be subject to the most severe penalties. According to Scott Schafer Director of the Consumer Protection Division of the Massachusetts Attorney General’s Office, the attorney general will be less likely to bring enforcement actions against businesses that can show that a breach was inadvertent and that they were striving to achieve industry best practices for data protection.

Myth 6 – “Our company has implemented state-of-the-art electronic security, including firewalls, antivirus, antimalware and email encryption. Our data is locked down tight and cannot be accessed without double password authentication. Surely we have fulfilled the requirements under the regulation.” This is false. These are certainly important steps toward compliance, but the requirements of the law are much more extensive. To begin with, the regulation applies to both electronic and paper records. As well, companies are required to conduct a review of existing systems and procedures and create and implement a comprehensive written information security plan (WISP).

Hopefully this list will help you understand the scope and breadth of the new regulation. If you have not yet started your compliance plan, the place to begin is a review of the regulation and consulting with your legal and technical advisors.