The new Massachusetts “Standards for the Protection of Personal Information of Residents of the Commonwealth” is one of the toughest consumer protection laws in the country. While it means some extra work for businesses, most will find it manageable and well worth the effort. There is still confusion out there. Some questions (and “statements”) I have heard:
2. This doesn’t apply to me, I don’t keep any important information on the computer.
First, re-read my previous post. It doesn’t matter what size, scope, location, or industry your business is in.
The first part of the regulation does not ask in what form the data is stored. If you handle credit cards, checks, or social security numbers in any way, you are required to comply with the law.
The only entities that do not need to comply are those that:
- Do not accept checks
- Do not accept credit cards
- Do not have employees OR contractors
In order to comply you must have a Written Information Security Program. For a computer-free organization such a plan could consist of:
- A statement that no account information may be stored on any computer at any time.
- A description of the procedures in place for handling this information on paper (credit card details may be written on scrap paper during telephone calls but must be shredded immediately upon successful charge of the customer’s bank card.)
- Description of monitoring for compliance, making sure the stated rules are followed.
- Description of disciplinary action that must be taken if an employee violates the rules.
In general I think it’s a much better path to flip the thinking:
Rather than assuming that computers have NO personal information, we should assume that ALL computers could contain PI and treat them as such.
Such a strategy offers the best protection for the customers, the business, and the tech support personnel assisting them. It also reduces the chance that a new employee or forward-thinking employee will step over the line and endanger customer data by placing account data onto unsecured systems.
The data security regulations aren’t as cumbersome as they sound. They were largely based on industry “best practice.” But that’s another post for another day.