Data Protection Law - Compliance is Mandatory

by | June 9, 2014

Attorney General Martha Coakley recently signaled that the Commonwealth will hold accountable those who fail to protect the personal information of Massachusetts residents. On May 24, the Attorney General announced a $750,000 fine for an organization's failure to implement appropriate safeguards, policies and procedures to protect consumer information, failure to properly train its workforce and failure to execute confidentiality agreements with a third-party vendor.

You may be interested to learn that this precedent fine was imposed on a nonprofit.

Given that all non-profits collect personal information from their employees, donors and members, it is essential that your organization comply with Massachusetts' landmark data protection regulation, 201 CMR 17. The regulation, which became effective on March 1, 2010 and is widely considered the most comprehensive of any existing privacy law, requires that organizations adopt specific administrative, technical and physical security controls to protect personal information. The regulation defines "personal information" as a Massachusetts resident's first and last name, used with one, or more, of the following numerical identifiers;

1. Social security number

2. Credit or debit card number

3. Drivers license number

4. Financial account number

5. Passport number

During a recent NE/SAE workshop, I provided an overview of 201 CMR 17 and stressed the need to address the following core requirements:

1. Locate electronic and paper "records" meeting the definition of personal information

2. Assess and document internal and external risk presence

3. Develop acceptable-use policies

4. Create and deploy a data protection training program for employees

5. Ensure that all third-parties attest, by contract, their compliance

Unfortunately, many organizations continue to focus solely on technological controls, such as firewalls, anti-virus and encryption. While basic technical controls are necessary, pursuing a technology based approach is myopic, misguided and the recipe for a regulatory violation. Although I referenced the basis for this action in the opening paragraph, it bears repeating that the fine was imposed due to the non-profit's failure to implement acceptable-use policies, an employee training program and obtain third-party (vendor) compliance statements.

The following situation demonstrates how easily an organization can become entangled in the broad reach of 201 CMR 17.

It's Friday afternoon and an employee of a non-profit decides to work on a project over the weekend. The well meaning employee departs for home, laptop in tow. The unencrypted laptop contains the personal information of one hundred (100) of the organization's donors. The employee stops at the supermarket to buy groceries, leaving the laptop in the car. Upon return, the employee discovers that the computer has been stolen. Unfortunately, the non-profit had not implemented a clear policy on the protection of mobile devices or informed employees that maintaining personal information on an unencrypted mobile device was prohibited. The non-profit also failed to provide data protection training to its workforce and did not deploy encryption technology on devices used remotely.

This incident constitutes a violation of the law and allows the Commonwealth to impose a $500,000 fine against the organization ($5,000 x 100 records exposed). The basis for the fine is not that the computer was stolen, but rather for the failure to implement an appropriate acceptable-use policy, failure to train employees on the protection of personal information and failure to deploy laptop encryption. This example underscores the ease by which data breaches occur and the resulting regulatory exposure to a non-compliant organization.

While this case underscores the need to implement controls to guard against mobile device breaches, it does not reflect the regulation's entire scope. The regulation also mandates that specific controls be adopted for email, passwords, portable storage devices, records disposition, unauthorized access of personal information, third-party oversight, telecommuting, system back-up, virus protection, patch management, restricting physical access, securing technology infrastructure and incident response.

This is not an "IT law", therefore your CIO (or similar function) is incapable of delivering compliance. Organizations must involve stakeholders from human resources, legal, procurement, facilities management, payroll and finance to ensure that all areas of exposure are identified and resolved.

The implementation date for 201 CMR 17 has past and it's now clear that the Commonwealth will enforce the law. If your compliance inertia was the result of ambiguity regarding whether non-profits have exposure, the referenced fine should resolve any remaining doubt. Having assisted several Massachusetts non-profits with their compliance efforts, I can attest to the fact that this sector has unique and extensive exposure to the regulation. Those who fail to implement the necessary administrative, technological and physical security controls are placing their employees, donors, members and themselves at significant risk.