
March 1, 2010

Identity Theft | What every small business has to know about new state laws governing private information

The state’s new identity theft regulations, known more formally as the “Standards for the Protection of Personal Information of Residents of the Commonwealth,” went into effect on March 1 after many revisions.

One thing that is clear from a review of the regulations is that any business that fails to take action consistent with the regulations will find itself at risk of liability in the event of a data security breach.

In fact, companies that violate the regulations face penalties including civil fines of up to $5,000 per violation, three times actual damages for individuals affected by identity theft, and the reasonable costs of the investigation and litigation, including attorneys’ fees. Costs of the investigation alone can be in the millions of dollars.

Wholly apart from an enforcement action by the Attorney General’s office, a company could find itself facing liability for identity theft based on a claim by affected Massachusetts residents that the company was negligent in properly safeguarding personal information in the company’s possession.

Take Action

Against this backdrop, the obvious question for small businesses becomes: What should I do to avoid these risks and to ensure compliance with the regulations?

The first step is to identify whether your company owns, licenses, receives, maintains, processes or otherwise has access to “personal information” in connection with the provision of goods or services or in connection with employment. If so, your company must develop a comprehensive written information security program (WISP) designed to (a) ensure the security and confidentiality of “personal information” of residents of Massachusetts; (b) protect against anticipated threats or hazards to the security of the information; and (c) protect against unauthorized access to or use of such information.

Personal information is defined as a Massachusetts resident’s first and last name or first initial and last name in combination with one or more of the following: (a) social security number; (b) driver’s license number or state-issued ID card number; or (c) financial account number, credit or debit card number, with or without passwords or PINs. For most small businesses such personal information is readily found in employee personnel files and 401(k) forms and sometimes customer files.

The WISP must set forth administrative, technical and physical safeguards. Administrative measures must include designation of one or more employees to maintain the WISP, procedures for disciplining employees who violate the WISP, training, and development of policies related to the storage, access, and transportation of records containing personal information. Technical measures include: password control, mandatory encryption of laptops and portable devices containing personal information or when transmitting information over wireless networks, and monitoring efforts to ensure compliance.

The WISP must also provide for taking steps to ensure that third-party service providers or vendors are capable of appropriate security measures. Specifically, all third-party service provider contracts entered into after March 1 must specify that the provider will maintain appropriate security measures at least as stringent as those required by the regulations. For pre-existing contracts, a grace period exists until March 1, 2012 during which time the contract will be deemed to be in compliance.

Due to the breadth of the regulations, companies are advised to seek technical and legal assistance to ensure compliance.

Kilroy is a partner at Mirick O’Connell, which has offices in Worcester, Westborough and Boston. He can be reached at rkilroy@mirickoconnell.com.
