By March 1, 2010, businesses and organizations that store "personal information" about a Massachusetts resident must have minimum safeguards in place or face a minimum fine of $5,000 regardless of whether or not that information is ever compromised. Enacted in the wake of major data breaches (starting with the TJX debacle a little over a year ago), the state of Massachusetts has sent clear signals that it expects all businesses (large and small) to take personal privacy and data protection seriously. Word on the street is that early enforcement will be vigorous, and examples will be set. So if you're a smaller business that thinks you'll be able to fly under the radar, you might want to re-think your position (unless you're ready to fork over $5,000 or more should you lose your "bet"). So, in the interest of helping our friends on Main Street avoid any problems, here's a quick run-down on what's involved:
what information is covered under this law?
The law and regulations are pretty far-reaching both in terms of the information to which they relate and the organizations that must comply. The personal information at stake is any non-public data (regardless of how a company obtains it) that contains:
There are a couple of things that should jump out at you. First, if you have any employees (full-time, part-time, seasonal), you're holding this data. Second, how you came into possession of this information is irrelevant to your obligation to now properly safeguard it under the law.
what individuals and organizations have to comply with the law?
Everyone. It doesn't matter if you're a single individual or a company that has 2 employees or 10,000. It doesn't matter if you're for-profit or non-profit. It doesn't matter if you're located in Massachusetts or California (OK, that last one would necessitate an interesting analysis over jurisdiction, but in most cases you're probably still on the hook). Have I made it clear there are no exceptions?
OK, so what do we have to do?
It's not all bad news. Some things you may already be doing, and you just have to do a better job of spelling them out. Other things will be completely new. Here's a quick run-down:
what's at stake if we don't comply?
The regulations will be enforced by the Massachusetts Attorney General. Organizations not in compliance are subject to: (1) a lawsuit to prevent you from continuing to operate in violation of the law; (2) a fine payable to the state of up to $5,000 per "method, act or practice" the business knew or should have known violated the regulations; and (3) the imposition of costs associated with any litigation, including reasonable attorney's fees. And if your organization actually suffers a data breach? Well, the sky's the limit...
I now interrupt this article to bring you a shameless plug. Main Street Ventures is uniquely positioned to assist your company with creating and implementing your "WISP." For years we have been working at the intersection of business, law and technology. Our expertise has allowed us to develop a very cost-effective program for Main Street businesses consisting of an audit of your operations, relationships with 3rd party providers, and technology systems. For most businesses, we should be able to create a comprehensive WISP and help you implement it for under $750. A small price to pay compared to an exposure of $5,000 or more under the law.
If you're comfortable handling this in-house, we're happy to answer any questions for you (no charge - within reason, of course). Feel free to comment below or give us a call.
Jack Speranza is an attorney, software engineer and entrepreneur. For 15 years he has helped his companies and clients strike the right balance between risk and reward by weaving good business, good technology and good law into new services and operations.
I think it was Ben Franklin who wisely advised that an ounce of prevention is worth a pound of cure. For sure, I've yet to encounter a problem whose cure was less expensive than what it would have cost to avoid it in the first place. Some organizations consciously choose not to invest in that "ounce of prevention," believing their resources are better directed elsewhere. Others neglect to invest because they are unaware of either potential problems or preventative measures. Whatever the reason, problems ultimately result, and we then have to invest in a cure.
Or do we?
One of the unique values my firm provides in serving the distinctive needs of the "main street" entrepreneur and small business owner lies with providing our clients that proverbial "ounce of prevention" across several functional areas of their operations. One of the areas to which we devote a fair amount of attention is the structuring of workflow and institutional knowledge. Where there's workflow and knowledge, technology is not far behind.
I recently read an article directed to project management professionals in the world of information technology (IT). For the uninitiated, IT folks are the guys and gals at work who get excited about technology and data. We like doing things to improve the quality of information. We like doing things to improve access to that information. We get especially excited about creating tools and processes that manipulate and analyze that information to provide useful insights.
The article mentioned above was apparently one of several the author had written on the subject of "information silos." For us geeks (and some executives), these silos represent significant obstacles to achieving the things we are passionate about (see previous paragraph). In pursuit of our raison d'être, it's easy to lose perspective. We're not alone here. What I liked about this author's perspective, however, was her admitted shift toward a more holistic approach to her particular role:
"Whether it's information integration or automation, companies too often start bulldozing to build a new solution when they should first... learn more about the existing solution... [then] they might realize that while the current approach might not be eloquent or perfect; it works – and that's no small thing."
In essence, she has recognized that what represents a monumental problem for one business role (IT) does not equate to a monumental problem for the business as a whole. This takes real perspective, and is one flavor of how good business folks maximize impact and minimize risk.
When it comes to positioning new ventures and small businesses for success, there is little margin for error. Put simply, these organizations cease to exist if they invest time, money and energy in efforts that fail to produce swift and substantial results for their operations. If you're going to succeed, you quickly learn which problems need to be solved and which don't.
So the next time you're facing a "monumental" problem, think like an entrepreneur or small business owner. Though this problem may loom large for you, is a solution really critical to achieving the bigger picture? Yes, an ounce of prevention is worth a pound of cure. That ounce may only be of value, however, if the cure is truly necessary.