A $5,000+ Question (If You’re Doing Business with Massachusetts Residents)

Massachusetts Data Privacy Regulations are in effect March 1, 2010

By March 1, 2010, businesses and organizations that store "personal information" about a Massachusetts resident must have minimum safeguards in place or face a minimum fine of $5,000, regardless of whether or not that information is ever compromised.  Enacted in the wake of major data breaches (starting with the TJX debacle a little over a year ago), the state of Massachusetts has sent clear signals that it expects all businesses (large and small) to take personal privacy and data protection seriously.  Word on the street is that early enforcement will be vigorous, and examples will be set.  So if you're a smaller business who thinks you'll be able to fly under the radar, you might want to re-think your position (unless you're ready to fork over $5,000 or more should you lose your "bet").  So, in the interest of helping our friends on Main Street avoid any problems, here's a quick run-down on what's involved:

what information is covered under this law?

The law and regulations are pretty far-reaching both in terms of the information to which they relate and the organizations that must comply. The personal information at stake is any non-public data (regardless of how a company obtains it) that contains:

  1. A Massachusetts resident's first and last name or an initial with last name; and
  2. Either
    (a) Social Security Number;
    (b) Driver's license number/state-issued identification card number; or
    (c) financial account number/credit card number/debit card number (even if without any security code, access code, PIN or password).

There are a couple of things that should jump out at you.  First, if you have any employees (full-time, part-time, seasonal), you're holding this data.  Second, how you came into possession of this information is irrelevant to your obligation to now properly safeguard it under the law.

what individuals and organizations have to comply with the law?

Everyone.  It doesn't matter if you're a single individual or a company that has 2 employees or 10,000.  It doesn't matter if you're for-profit or non-profit.  It doesn't matter if you're located in Massachusetts or California (OK, that last one would necessitate an interesting analysis over jurisdiction, but in most cases you're probably still on the hook).  Have I made it clear there are no exceptions?

OK, so what do we have to do?

It's not all bad news.  Some things you may already be doing, and you just have to do a better job of spelling them out.  Other things will be completely new.  Here's a quick run-down:

  1. No matter how many safeguards are in place, you won't be in compliance with the law unless you create and implement a written information security program (otherwise known as a "WISP").   This program must define the various safeguards you put in place (administrative, technical, and physical) to protect the personal data of employees and customers.   The technical requirements that must make their way into your WISP can get pretty detailed, so unless you're a technology whiz, this is one aspect of the program you'll probably want to outsource.
  2. Once your written program is in place, you can't stop there.  All employees need to be made aware of the written program.  At least one employee must be designated to maintain and oversee it.  Ongoing employee training (including temporary and contract employees) is a clear requirement, and you must also demonstrate ongoing enforcement of security policies for employees (including determining individual levels of access and imposing disciplinary measures for violations of the rules).  You must also ensure terminated employees are prevented from gaining access to protected information.
  3. Your obligations don't stop in-house.  You must verify that any third-party service providers to whom you provide access to personal information are also applying protective safeguards of their own.  This may involve ensuring appropriate language is inserted into your written agreements or obtaining some other form of appropriate written assurance.
  4. Now here's some news that's both good and bad.  The specific measures you need to implement in order to be in compliance will vary on a case-by-case basis.  It all ultimately hinges upon the nature of the business and the type of data involved.  Although there are no clear guidelines or directives as to what constitutes "reasonable" measures, this is another instance where outside assistance can be a real help.  Though the regulations don't specifically provide for this, there's plenty of Massachusetts case law suggesting that reasonable reliance on outside experts will relieve you of liability that might otherwise attach.

what's at stake if we don't comply?

The regulations will be enforced by the Massachusetts Attorney General.   Organizations not in compliance are subject to: (1) a lawsuit to prevent you from continuing to operate in violation of the law; (2) a fine payable to the state of up to $5,000 per "method, act or practice" the business knew or should have known violated the regulations; and (3) the imposition of costs associated with any litigation, including reasonable attorney's fees.  And if your organization actually suffers a data breach?  Well, the sky's the limit...

I now interrupt this article to bring you a shameless plug.   Main Street Ventures is uniquely positioned to assist your company with creating and implementing your "WISP."   For years we have been working at the intersection of business, law and technology.  Our expertise has allowed us to develop a very cost-effective program for Main Street businesses consisting of an audit of your operations, relationships with 3rd party providers, and technology systems.  For most businesses, we should be able to create a comprehensive WISP and help you implement it for under $750.  A small price to pay compared to an exposure of $5,000 or more under the law.

If you're comfortable handling this in-house, we're happy to answer any questions for you (no charge - within reason, of course).  Feel free to comment below or give us a call.

Jack Speranza is an attorney, software engineer and entrepreneur.   For 15 years he has helped his companies and clients strike the right balance between risk and reward by weaving good business, good technology and good law into new services and operations.

entrepreneurs & lawyers :: a strange but necessary marriage

Many would suggest the characteristics that make for a successful lawyer are the complete opposite of those that make for a successful entrepreneur.  Successful lawyers are perceived to be risk-averse, to follow convention, and to strive for predictability.   Successful business leaders, on the other hand, are viewed as pursuers of risk who strive to be different and navigate chaos.    While there are always exceptions to such sweeping generalizations, it's fair to say they are generally true in large measure.

Ironically, building a successful business requires a blending of these polar opposites.  What many entrepreneurs fail to realize is the degree to which every business decision they make can influence their ability to succeed.  It starts with making a choice of legal entity for your business, and continues through to the details you cover within the contracts your business signs.   For this reason, involving an attorney early in the process of building your business (and integrating their input into your key business decisions) is truly critical. 

Unfortunately, with most attorneys and firms still charging for their time by the hour, it is usually impractical to follow such a course.  And even if your attorney's billing practices or your financial resources allow you to build legal insight into your daily operations, the "character" differences between entrepreneur and attorney can often wreak more havoc than they might otherwise prevent.  The key to avoiding this latter pitfall lies in the ability of both you and your attorney to properly "manage" each other's roles.

The first step to effectively managing this professional relationship lies with making an effort to understand the mindset of each role.  Starting with their first class in law school, lawyers are trained to identify, plan and prepare for worst-case scenarios.  We learn the law by studying terribly bad situations that have wound up in court (the reality, however, is that less than 1% of claims, disputes and "bad results" ever make it into the courtroom).   Our training is exclusively focused on eliminating risk, and finding ways to maximize "damage control" if and when things do go wrong.

Entrepreneurs appreciate that a successful business is not built on eliminating risk.  We realize too many customers, partners, and opportunities would evaporate if we "wasted" time tweaking every potential deal to eliminate risk.  Too often, however, the business owner will embrace unnecessary risk in the pursuit of the deal.

So how do you successfully blend this marriage of opposites to make for a successful business?  By realizing that, just like any other aspect of running your business, it's up to you to manage the relationship so you can maximize the value of what you're paying for.  To this end, some key considerations:

  • The breadth of expertise a fledgling business needs to get off the ground is expansive.   Entrepreneurs and small business owners have to "do it all," and so do your lawyers.  Here is just a small sampling of the legal issues we managed for the last new venture with which we worked :: tax laws, consumer privacy regulations, electronic commerce regulations, contract law, employment law, intellectual property law, real estate law, and securities law (to name just a few).   Few small firms or solo practitioners can capably cover this entire breadth of services.   Large firms can, but their interest in working with smaller companies may be limited.  Their costs won't be limited.   An expert familiar with individual attorneys and firms in your area will be worth their weight in gold.
  • Remember, it's all about managing risk.  Your attorney will be committed to doing everything necessary to eliminate risk.  He or she can't help it -- it's practically genetic.   Don't stop in your tracks whenever your attorney fills the air with all sorts of cautionary statements.   Don't let them spend countless hours working on ways to eliminate every last potential for trouble.  Use them to evaluate where the major risks lie, and specifically direct their activities to managing those (and only those) exposures.

There's more we could say, but it all comes down to striking the right balance between managing risk and accelerating your business objectives.   Successful business leaders understand how to do this.   It's not easy for the uninitiated, but well worth the effort.

And now for our shameless plug :: if you want help navigating this process, it's one of the many services we bring to our client companies.  Give us a shout 😉