Businesses have long complained about complying with 46 different state cybersecurity/privacy laws (plus those of the District of Columbia, Guam, Puerto Rico and the US Virgin Islands) and about the lack of a national privacy law. Alabama, Kentucky, New Mexico and South Dakota are the only states without such laws. The states have fired back, saying that a national privacy law would likely be very watered down by political maneuvering. Both sides are right.
I came across an article this week on complying with the Massachusetts privacy law, but before you check out and move on to the sports, fashion or news page, consider this: if a Massachusetts resident visits your website (and you collect personal information about them) and you have not done the very specific things listed in the Massachusetts law, the state can come after you if you suffer a breach. The good news, such as it is, is that as long as you don't suffer a breach, the fact that you are violating the law likely won't come to the state's attention and you can slip under the radar.
I picked on Massachusetts because it is likely the strictest law in the country. The rules are in the state's data security regulation, 201 CMR 17.00. What does it say?
- Every business MUST have a W.I.S.P. What is a W.I.S.P.? It is a WRITTEN information security program. So can I just write a few random thoughts on the back of a napkin and call it good? Nope. The law specifies what the W.I.S.P. must contain. It has 6 sections: Objective, Purpose, Scope, Data Security Coordinator (and their responsibilities), Internal Risks and External Risks. The first three look pretty simple, but what about the other three? You must appoint a data security coordinator (and that person has to know that they have been appointed!). This role can be outsourced, but outsourcing it does not absolve you of responsibility. The remaining two sections define the internal and external risks you are protecting against. If you make a wimpy list, the state could come back after a breach and say that you were negligent. This law is pretty detailed, with very specific requirements, and we have only just started.
- Effective Jan 1, 2010, all persons that own, license, store or maintain personal information about a Massachusetts resident, whether or not they have a physical presence in the state, need to comply. The law goes on to say that all such businesses must develop, implement, maintain and monitor a "comprehensive, written information security program" designed to ensure the security and confidentiality of any records containing personal information.
- Designate one or more employees to maintain the information security program.
- Identify and assess reasonably foreseeable internal and external risks to security, whether the records at risk are paper or electronic. Then you must evaluate and improve the effectiveness of the current safeguards through training, policies, detection and prevention.
- Develop policies covering employee access to personal information and its transport outside of the business premises (for example, to a home or a car).
- Impose discipline for violations.
- Secure user authentication and access control on your systems, and, to the extent technically feasible, encrypt ALL personal information transmitted across public networks such as the Internet or stored on laptops or other portable devices (such as a flash drive or CD).
- Reasonably monitor computer systems for unauthorized use of or access to personal information.
- For systems containing personal information and connected to the Internet, maintain reasonably up-to-date firewall protection and up-to-date security patches.
This is only a partial list of the requirements – there are a lot more.
None of these requirements are bad; it is just hard to manage all of them. I do think that if you comply with the Massachusetts rules, you are likely in good shape for most other states. Obviously, the rules about whom you report incidents to are different for each state.
This is one reason why companies have to have compliance departments: it is complicated. And just because you think you are doing it right does not mean you won't get in trouble.
Here are some resources that may be useful in sorting out just the Massachusetts rules: