
December 22, 2008

Businesses Brace For Costs Under ID Theft Regs

After discount retailer TJX Cos. reported an enormous data breach in early 2007, the Massachusetts legislature leapt into action, passing a new law designed to thwart ID theft.

Regulations enacted under the law, spelling out the specific new steps that companies need to take to guard their data, are scheduled to go into effect in May.

Cost Of Compliance

But estimates of how much time and money it will cost to implement them vary wildly, and some say many companies may end up simply ignoring the new rules entirely.

The regulations apply to all companies that record personal information, including employee and customer data.

Among other things, companies must establish a security program to protect the records, encrypt data sent over the Internet or saved on laptops or portable drives and use firewalls to limit access to the information.

Al Cotton, spokesman for Clinton plastics manufacturer Nypro, said he thinks protecting personal information is an important goal, but it’s been difficult for the company’s staff to figure out exactly what the regulations require and how to comply.

“There’s a huge amount of work involved and time involved,” he said. “A lot of it is trial and error, working with the people who put these regulations together.”

He said Nypro employees are spending “many hundreds of hours” getting ready for the deadline.

Making The Transition

But Daniel C. Crane, undersecretary of consumer affairs and business regulation, said it should be relatively painless for most businesses to comply with the regulations. He said many already have at least some of the required components in place.

For those that don’t, Crane’s office lays out an analysis on its web site of what the total costs might be.

It says a hypothetical 10-employee firm would spend no more than $3,000 hiring a consultant to identify electronic records, installing free encryption software and teaching employees to use it. After that, assuming it had no IT support program in place already, it would spend up to another $500 a month on ongoing costs.

Crane said the cost would be less for companies where many workers don’t use computers.

But John Moynihan, managing director of Hopkinton IT security company Minuteman Governance Inc. and a former deputy commissioner at the state Department of Revenue, said that for some companies compliance could be much more expensive. For many companies, he said, the upfront cost could be $50,000 or more.

That includes inventorying data, including outdated information buried within the IT system, getting an outside assessment of the company’s risks, encrypting multiple storage devices at a cost of as much as $200 per laptop and developing new policies and training for employees.

Still, Moynihan said he thinks the law is a good one, and not just because his company can make money helping others comply.

Unlike other federal and state laws, he said, the Massachusetts regulations aren’t limited to requiring disclosure of a breach after the fact; they include measures that could prevent breaches from happening in the first place. Just as importantly, he said, the requirements focus not only on the well-publicized danger posed by hackers but also on the threat of employees misusing data, which he said is really a much greater concern.

“It’s the dirtiest secret in information security,” he said.

Deferred, Not Denied

To many companies and business advocates, though, the entire set of regulations is flawed.

After an outcry by the business community when the regulations first came out, the Office of Consumer Affairs and Business Regulation agreed to extend the compliance deadline from the original Jan. 1 to May 1. Still, many are not placated. At a recent hearing, witnesses asked for as much as two more years to prepare.

Stephen J. Adams, a regional advocate with the U.S. Small Business Administration, testified at the hearing. He said later that he thinks the regulations go way beyond the intent of the legislature in passing the ID theft law, and that something mirroring federal notification rules would be a better bet.

As they stand, he said, the Massachusetts rules have too many specific requirements and don’t allow for possible technological changes that might render them obsolete.

Bradley A. MacDougall, associate vice president of the Associated Industries of Massachusetts, which has also been critical of the new regulations, said he’s worried for companies with older computers.

He said computers that are more than three years old may fail when encryption software is installed.

Crane said there should be no issues with computers made after 2000.

Knowledge Gap

Both MacDougall and Moynihan said one of their biggest concerns about the regulations is that, despite the deadline extension, some companies may simply not be prepared for them. MacDougall said AIM recently held a data security seminar in Worcester.

“It’s astonishing just how many businesses are reading about this and learning about this for the first time,” he said.

Moynihan said firms that are advised by a lawyer to look into the regulations may do so, but others may just not stop to think about them.

“I just don’t know what’s going to happen on May 1,” he said. “I think a lot of people are going to ignore it.”

If they do, it’s unclear what the consequences will be. Crane said he can’t say exactly how enforcement will work since it’s the responsibility of the Attorney General’s office. But he said one likely way noncompliant companies will be found is when they have breaches that are investigated.
