Thursday, July 14, 2011

DATA SECURITY by John Ratcliffe


On October 30, 2009 the Massachusetts Office of Consumer Affairs and Business Regulation filed its final amended regulation for 201 CMR 17.00 (aka "The Massachusetts Data Security Regulation"). The regulation requires persons (including out of state persons) who "own or license personal information about a resident of the Commonwealth" to comply with strict requirements to safeguard such personal information. Information includes:

• social security numbers
• driver's license or state-issued identification numbers
• financial account numbers, or credit or debit card numbers (with or without any security code that would permit access to a resident's financial account)

The regulation does not discriminate between a small business and a large business but must be implemented by all who store, transmit or have access to the aforementioned personal information. The regulation was required to be implemented in 2010.

In anticipation of the proposed regulation, we at Pavento, Ratcliffe, Renzi & Co., LLC completed our implementation in 2009 and continue to refine the process. In my opinion, regardless of whether you meet the criteria, it is good business practice to implement some of the key areas of the regulation, if for no other reason than to allow you to sleep better at night. Not a week goes by without news of another data security breach.

So for the small business, what does the regulation entail? The first step in the process is to look at the data you maintain, both in paper and electronic form, to determine if you are required to implement the data security regulation. Once you have identified the data, you must design procedures to ensure that data is secure. Most businesses have both paper and electronic records. Here are the areas that I feel are key to review:

1) Paper file storage and data destruction policies
2) Paper files in employee possession both inside and outside of the office
3) E-mail policies
4) Network password policies
5) Network security policies
6) Network firewall and related policies
7) Electronic file transmission policies
8) Electronic data storage and archiving policies
9) Laptop and desktop security policies (passwords and encryption)
10) Smart phone data and e-mail policies

Next you begin the process of implementing a plan. Address the areas of highest risk first. As an example, if you allow remote access to your network and have an outdated firewall appliance, consider upgrading that first.

Then look at what types of data are being transmitted via e-mail. Data transmission is an area that everyone in our firm is very cautious about, as tax returns include social security numbers. We have two ways of transmitting files: 1) we utilize an e-mail encryption service for any transmission of files that meet the criteria we have set forth for sensitive data; 2) we maintain a client portal with multi-layer security to allow for a secure exchange of data. Our clients seem to prefer the portal over e-mail encryption, as the portal does not slow their e-mail down with large file transmissions.

As you go through the process of implementing a solution for each area that impacts your business, document the process. Once you have all areas documented, write a formal data security plan and update it frequently as your situation changes.

Finally, the most important step in any plan is to monitor and test the policies you have implemented. As an auditor I cannot stress enough the importance of this step.
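The first step of the plan, identifying where regulated personal information lives in your electronic records, is easy to start with a simple scanner. The script below is an added example, not code from the post or from the firm it describes; it flags two of the regulation's categories (social security numbers and payment card numbers) using the standard SSA assignment rules and the Luhn check, and the sample text it scans is constructed.

```python
"""Added example: scan text for two categories of personal information named in
201 CMR 17.00 (SSNs and payment card numbers).  Format rules are the standard
SSA assignment rules and the Luhn check, not taken from the regulation."""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues (area 000, 666, 900-999; group 00; serial 0000)."""
    a = int(area)
    if a in (0, 666) or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out invoice-style numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_personal_info(text: str) -> list[tuple[str, str]]:
    """Return (category, masked value) pairs.  Only the last four digits are kept,
    so the scan report does not itself become another copy of the data."""
    hits = []
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            hits.append(("ssn", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits


# Constructed sample input, not real client data.
SAMPLE_TEXT = """Client intake notes (constructed sample)
SSN on file: 123-45-6789      rejected pattern: 000-12-3456
Card on file: 4111 1111 1111 1111
Invoice number: 1234 5678 9012 3456 (fails Luhn, so not reported)
"""

if __name__ == "__main__":
    for category, masked in find_personal_info(SAMPLE_TEXT):
        print(f"{category}: {masked}")
```

Run it over exported documents or mailbox text to build the inventory of records that fall under the regulation; extend the patterns for the other categories the regulation lists (state ID and financial account numbers) once you know the formats your own records use.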

Whatever you decide to do is a personal business decision. Doing something is better than doing nothing and may very well prevent you from being the next company in the news! Pavento, Ratcliffe, Renzi & Co., LLC is available for guidance in the development of your data security plan.
