A $5,000+ Question (If You’re Doing Business with Massachusetts Residents)

Massachusetts Data Privacy Regulations are in effect March 1, 2010By March 1, 2010, businesses and organizations that store "personal information" about a Massachusetts resident must have minimum safeguards in place or face a minimum fine of $5,000 regardless of whether or not that information is ever compromised.  Enacted in the wake of major data breaches (starting with the TJX debacle a little over a year ago), the state of Massachusetts has sent clear signals that it expects all businesses (large and small) to take personal privacy and data protection seriously.  Word on the street is that early enforcement will be vigorous, and examples will be set.  So if you're a smaller business who thinks you'll be able to fly under the radar, you might want to re-think your position (unless you're ready to fork over $5,000 or more should you lose your "bet").  So, in the interest of helping our friends on Main Street avoid any problems, here's a quick run-down on what's involved:

what information is covered under this law?

The law and regulations are pretty far-reaching both in terms of the information to which they relate and the organizations that must comply. The personal information at stake is any non-public data (regardless of how a company obtains it) that contains:

  1. A Massachusetts resident's first and last name or an initial with last name; and
  2. Either
    (a) Social Security Number;
    (b) Driver's license number/state-issued identification card number; or
    (c) financial account number/credit card number/debit card number (even if without any security code, access code, PIN or password).

There's a couple of things that should jump out at you.  First, if you have any employees (full-time, part-time, seasonal) you're holding this data.  Second, how you came into possession of this information is irrelevant to your obligation to now property safeguard it under the law.

what individuals and organizations have to comply with the law?

Everyone.  It doesn't matter if you're an single individual or a company that has 2 employees or 10,000.  It doesn't matter if you're for-profit or non-profit.  It doesn't matter if you're located in Massachusetts or California (OK, that last one would necessitate an interesting analysis over jurisdiction, but in most cases you're probably still on the hook).  Have I made it clear there are no exceptions?

OK, so what do we have to do?

It's not all bad news.  Some things you may already be doing, and you just have to do a better job of spelling them out.  Other things will be completely new.  Here's a quick run-down:

  1. No matter how many safeguards are in place, you won't be in compliance with the law unless you create and implement a written information security program (otherwise known as a "WISP").   This program must define the various safeguards you put in place (administrative, technical, and physical) to protect the personal data of employees and customers.   The technical requirements that must make their way into your WISP can get pretty detailed, so unless you're a technology whiz, this is one aspect of the program you'll probably want to outsource.
  2. Once your written program is in place, you can't stop there.  All employees need to be made aware of the written program.  At least one employee must be designated to maintain and oversee it.  Ongoing employee training (including temporary and contract employees) is a clear requirement, and you must also demonstrate ongoing enforcement of security policies for employees (including determining individual levels of access), imposing disciplinary measures for violations of the rules.  You must also assure terminated employees are prevented from gaining access to protected information.
  3. Your obligations don't stop in-house.  You must verify that any third-party service providers to whom you provide access to personal information are also applying  protective safeguards of their own.  This may involve assuring appropriate language is inserted into your written agreements or obtaining some other form of appropriate written assurance.
  4. Now here's some news that's both good and bad.  The specific measures you need to implement in order to be in compliance will vary on a case by case basis.  It all ultimately hinges upon the nature of the business and the type of data involved.  Although there are no clear guidelines or directives as to what constitutes "reasonable" measures, this is another instance where outside assistance can be a real help.  Though the regulations don't specifically provide for this, there's plenty of Massachusetts case law suggesting that reasonable reliance on outside experts will relieve you of liability that might otherwise attach.

what's at stake if we don't comply?

The regulations will be enforced by the Massachusetts Attorney General.   Organizations not in compliance are subject to: (1) a lawsuit to prevent you from continuing to operate in violation of the law; (2) a fine payable to the state of up to $5,000 per "method, act or practice" the business knew or should have known violated the regulations; and (3) the imposition of costs associated with any litigation, including reasonable attorney's fees.  And if your organization actually suffers a data breach?  Well, the sky's the limit...

I now interrupt this article to to bring you a shameless plug.   Main Street Ventures is uniquely positioned to assist your company with creating and implementing your "WISP."   For years we have been working at the intersection of business, law and technology.  Our expertise has allowed us to develop a very cost-effective program for Main Street businesses consisting of an audit of your operations, relationships with 3rd party providers, and technology systems.  For most businesses, we should be able to create a comprehensive WISP and help you implement it for under $750.  A small price to pay compared to an exposure of $5,000 or more under the law.

If you're comfortable handling this in-house, we're happy to answer any questions for you (no charge - within reason, of course).  Feel free to comment below or give us a call.

Jack Speranza is an attorney, software engineer and entrepreneur.   For 15 years he has helped his companies and clients strike the right balance between risk and reward by weaving good business, good technology and good law into new services and operations.

Four Common Business Mistakes to Fix Now

Fitting together the pieces of your business puzzleWhy is it the arrival of an arbitrary point on the calendar prompts most of humanity to reflect on their past and resolve (for a short time anyway) to change their ways?  Though I'd like to believe personal and professional resolve should not be limited to such a narrow window of time, I'd be swimming against the tide on this one.  So, in the spirit of "if you can't beat them, join them,"  it seems a particularly appropriate time to share some relevant observations about our clients (and even ourselves) more than a few of you will recognize and potentially resolve (there's that word again) to do something about.

Most businesses have reacted to our economic downturn by hunkering down and cutting costs.  While cost-cutting is certainly critical during times such as these, it's equally important for companies to seize the strategic opportunities such troubled times put in our laps.  In particular, the opportunity to strengthen core products and services in order to emerge from this morass ahead of the competition.

Having worked in both large corporate and small business environments, one universal truth we've encountered (regardless of the company's size or "sophistication") is that every organization stands to derive substantial value from making better use of its own, untapped operational and "institutional" knowledge.   Helping companies change this reality is one of the major values our firm brings to its customers.  Only by obtaining a better handle on your own data can you truly leverage information into better decisions.  And better decisions ultimately leads to improved sustainability, scalability and profitability for your business.

So, hoping we might inspire you to make better use of your own assets, here are 4 common "business intelligence" mistakes we see businesses making on a regular basis.  Are you one of them?

1.  Failing to Recognize and Correct Problems

In today’s economic climate, no organization can afford to let internal business problems linger.   In order to correct problems, however, you must first be able to identify them.  Once identified you then have to prioritize -- only then can you focus precious time and energy on resolving those which are most crucial.

It is probably easiest to see this issue in the context of project delivery or new product development.  Is your business more reactive than proactive in these scenarios (such as failing to take action until a project or product is drastically behind schedule or significantly over budget)?   A common source of this problem can be traced to the manual tracking of project or program status.  This not only wastes  time and money on an ineffective approach, but hampers your ability to identify and correct problems before they arise.

Good business processes will serve as "early warning" systems, helping to identify issues that fall outside the norm and signal potential problems.  For example, take a company that is experiencing an increased Time to Revenue (the time between the date you close a new customer deal and the date you actually begin receiving revenue).   If this company is making good use of its own business intelligence, it should be able to pinpoint whether the cause is a one-time delivery issue, a pervasive problem in service delivery, or a simple administrative glitch (such as a wrong address on an invoice).   Once the source of the problem is identified, it's fairly easy to take some kind of corrective action.

If your problems are never recognized, you run the risk of repeating them time and again.  Don't let this happen.  Resolve to undertake a real examination of your operations.  Find ways to monitor and track meaningful benchmarks.  Make sure you are alerted to recurring problems (such as when a process or action falls outside the scope of acceptable ranges).  Technology can help here, but only if it is driven by a solid understanding of what moves your business.

2. Perpetuating Poor Workflows and Operations

In order to control the cost of delivering your goods and services, it's essential to find ways to eliminate inefficiencies and waste.   The longer poor operations persist, the greater the pressure placed on your gross margins.

Large public companies that consistently maintain high market values share a common trait -- they tend to generate a 10% EBDITA margin or better (that's "Earnings-Before-Interest-Taxes-and-Depreciation").  By containing their expenses to deliver a cash flow–positive business through all sorts of market cycles, these companies flourish in good times and bad.

There's a lesson for companies large and small here.  Maximize your business's value by finding ways to collect and evaluate key information flowing within your own 4 walls.  Then make sure you put this timely "intelligence" into the hands of key decision-makers so you can act on it.  Even if you're a one-person show, the sooner you have a process for capturing your "business intelligence" in a meaningful way, the better off you will be.

3. Taking your Existing Customers for Granted

Compared to the cost of acquiring a new customer, the expense associated with cross-selling or up-selling products and services to existing customers is almost non-existent.  Why is it, then, that so many of us neglect our existing customer base and the information it contains?

Over time we gain a better understanding of our customer's needs and behaviors.  The more proactive we can be about staying in tune with our customers and their needs, the greater our ability to increase both loyalty and sales.

Do you have a simple and effective way for identifying your top customers based on profitability, size, or potential?   Are you communicating with your past and existing customers, if only to remind them about the products and services you provide?

If your customer and sales data is located across different software applications, it's probably difficult for you to access relevant information and create an overall picture needed for valuable insight into their behaviors.  Thankfully, there are a variety of data integration and cleansing tools available to bring all this information together, and you don't necessarily have to spend a lot of money (or time) setting things up (or learning how to use and maintain them).  "Dashboards" and other visualization tools will help make your data more accessible and understandable, visualizing trends or other factors you might otherwise have missed.  You can then act on this information and target your communications effectively, benefiting both you and your customers.

4. Failing to Capitalize on Opportunities

During tough economic times the most successful businesses remain focused on the future -- there are always short and long-term opportunities to identify and evaluate.  In order to seize potential opportunities with confidence, you simply need a process that will give you the facts and analysis you need to make an informed decision.

Now here's where the previous 3 "mistakes" come into play.  If you no longer suffer from these problems, then you already have most of what you need to act with insight.  By utilizing measurable knowledge points from your own operations, you can now generate "what-if" analyses that model the operational and financial impacts on revenue, costs and cash flows.  Based upon the range of potential outcomes for the opportunities you evaluate, you can select and prioritize the most promising scenarios with confidence.

Epilogue

Instead of simply reacting to economic challenges, position yourself for competitive advantage by building an efficient, performance-based organization that knows how to make the most of its own "knowledge."   How you use the technology you have (and select new technology going forward) can play a large part in your success here.  The good news is you don't have to be the size of Proctor & Gamble or IBM to benefit from this, nor do you necessarily have to invest a lot of time or money in the process.  You simply need to make a commitment to yourself and to your business.  Now that's not so hard a resolution to make, is it?

Jack Speranza is a principal of Main Street Ventures and has been helping businesses small and large harness the power good operations & technology for over 15 years.  If your organization would like to do more with less, we're ready to help.

s2Member®