5 Common Misconceptions about Mass Privacy Law 201 CMR 17.00 : Part 2/5. Not Me, really!

The new Massachusetts “Standards for the Protection of Personal Information of Residents of the Commonwealth” is one of the toughest consumer protection laws in the country. While it means some extra work for businesses most will find it manageable and well worth the effort. There is still confusion out there. Some questions (and “statements”) I have heard:

2. This doesn’t apply to me, I don’t keep any important information on the computer.

First, re-read my previous post. It doesn’t matter what size, scope, location, or industry your business is in.

The first part does not ask in what form the data is stored. If you handle credit cards, checks, or social security numbers in any way you are required to comply with the law.

The only entities that do not need to comply:

  • Do not accept checks
  • Do not accept credit cards
  • Do not have employees OR contractors

In order to comply you must have a Written Information Security Program. For a computer-free organization such a plan could consist of

  • A statement that no account information may be stored on any computer at any time.
  • A description of the procedures in place for handling this information on paper (credit card details may be written on scrap paper during telephone calls but must be shredded immediately upon successful charge of the customer’s bank card.)
  • Description of monitoring for compliance, making sure the stated rules are followed.
  • Description of disciplinary action that must be taken if an employee violates the rules.

In general I think it’s a much better path to flip the thinking:

Rather than assuming that computers have NO personal information…we should assume that ALL computers could contain PI and treat them as such.

Such a strategy offers the best protection for the customers, business, and tech support personnel assisting them. It also reduces that chance that a new employee or forward-thinking employee will step over the line and endanger customer data by placing account data onto unsecured systems.

The data security regulations aren’t as cumbersome as they sound. They were largely based on industry “best practice.” But that’s another post for another day.

Post a comment or leave a trackback: Trackback URL.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: