March 1 was the 4th anniversary of the Massachusetts Data Protection Law, which was introduced to help protect residents against identity theft and fraud. The law identifies requirements businesses must follow to secure protected information, defined as a resident's first name or initial and last name combined with one or more specified data elements, including driver's license number, bank account number, social security number, credit card numbers, etc. We've all read the headlines about the major retailers such as Target, Hannafords, and TJX who have been in the news over the years for security breaches, but many small business owners may not be fully aware that the law applies to ALL businesses, large and small.
Do you know where your WISP is? A WISP is a Written Information Security Policy. It's not enough to follow the guidelines identified in the law; you must also have a written policy. The anniversary of the law going into effect is a good time to assess your own situation with respect to compliance.
The Massachusetts Data Protection Law includes the following requirements:
- Secure User Authentication Protocols (use of strong passwords, and no passwords on post-its under your mouse pad!)
- Secure Access Control Methods (access to protected information needs to be restricted to those who need access to perform their jobs)
- Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly (wireless networks must be encrypted, and NEVER send protected information via regular email).
- Reasonable monitoring of systems for unauthorized use of or access to personal information (Do you have a way to identify if someone is trying to access your network?)
- Encryption of all personal information stored on laptops or other portable devices (Newer laptops are encryption-ready, so you don't need extra software)
- For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information (all those updates we talk about every "patch Tuesday" are required by law!)
- Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis (one of the key reasons we advise all clients to sign up for monitoring through managed services).
- Education and training of employees on the proper use of the computer security system and the importance of personal information security (in our experience, the vast majority of problems we see are caused by users who don't fully understand security requirements and may inadvertently work around them).
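Every one of the encryption and access requirements above hinges on knowing which records actually meet the law's definition of personal information (a name plus at least one protected data element). The following is an added example, not code from this post or from any compliance tool, that applies that definition to records so you can scope what must be encrypted and restricted; the field names and the sample records are constructed for illustration.

```python
import re

# SSN shape check (area not 000/666/9xx, group not 00, serial not 0000).
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment cards; filters out random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_card_number(value: str) -> bool:
    digits = re.sub(r"[ -]", "", value or "")
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def is_ssn(value: str) -> bool:
    return bool(SSN_RE.match((value or "").strip()))


def regulated_elements(record: dict) -> list:
    """Protected data elements present in the record (assumed field names)."""
    found = []
    if is_ssn(record.get("ssn", "")):
        found.append("ssn")
    if record.get("drivers_license"):
        found.append("drivers_license")
    if record.get("bank_account"):
        found.append("bank_account")
    if is_card_number(record.get("card_number", "")):
        found.append("card_number")
    return found


def is_personal_information(record: dict) -> bool:
    """First name or initial plus last name, combined with at least one element."""
    has_name = bool(record.get("first_name")) and bool(record.get("last_name"))
    return has_name and len(regulated_elements(record)) > 0


# Constructed sample records; none refer to real people or real numbers.
SAMPLE_RECORDS = [
    {"first_name": "J", "last_name": "Doe", "ssn": "123-45-6789"},
    {"first_name": "Ann", "last_name": "Lee", "card_number": "4111 1111 1111 1111"},
    {"first_name": "Ann", "last_name": "Lee", "card_number": "1234 5678 9012 3456"},
    {"last_name": "Roe", "bank_account": "000123456"},  # no first name or initial
]


def records_needing_protection(records):
    """Records that fall inside the law's definition and must be encrypted/restricted."""
    return [r for r in records if is_personal_information(r)]
```

Running `records_needing_protection(SAMPLE_RECORDS)` flags only the first two records: the third fails the Luhn check and the fourth has no first name or initial.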