Seems like it’s in the news every couple of weeks: some company fesses up to having "lost" or compromised a mind-boggling amount of personal information about individuals... sadly, most often its customers. Usually what follows some time later is news of a class-action settlement running well into the millions of dollars. You see these stories and think, “Boy, am I glad we’re not in banking or retail or any of those industries that have to collect personal information.”
And now for the bad news: other than a matter of scale, you are in one of those industries... as long as you have employees. Why? Because personal information (PI) is defined as an individual’s name (first and last name, or first initial and last name), in combination with any of the following:
- social security number
- state-issued ID number (such as a driver’s license number)
- financial account number
- credit/debit card number
You’re required to collect and maintain several of those items for tax and other reasons; and if you offer payroll direct deposit, then you have bank-account information as well.
Making matters worse... if you employ Massachusetts residents, you now have more to worry about than a class-action lawsuit from your employees. New Massachusetts regulations (201 CMR 17.00, issued under the state’s data-security statute) aimed at combating identity theft require strict protection of personal information about MA residents. The regulations especially target electronic information, but cover paper documents as well. If your business owns, licenses, stores or maintains PI on any MA resident, it is covered. For HR, this includes I-9s and W-4s, plus insurance, retirement plan and direct deposit information.
Unlike many business regulations, this law has teeth! Both civil and criminal penalties are provided for. Civil penalties may include $5,000 per violation, and up to $50,000 for improper disposal of PI (old hard drives or paper documents).
What you need to do
The law’s compliance deadline was recently pushed back two months to March 1, 2010 ...but that will be upon us before we know it. Here are the steps you need to take:
- Develop and maintain a Written Information Security Plan (WISP).
- Train employees; define consequences for employees who do not adhere to the plan.
- Don't allow shared passwords, and don't allow weak ones.
- Encrypt any portable device that contains personal information (laptops, PDAs, USB drives, external hard drives, backup tapes, etc.).
- Don't transmit or receive PI over unencrypted email, websites or wireless networks.
- Limit access to PI to people within your company with a genuine need to know. Keep written PI in locked file cabinets.
The WISP referenced in the first bullet above must address...
- the measures adopted to safeguard information;
- designation of at least one person to manage the security program;
- disciplinary measures imposed for violations of the program;
- how access by terminated employees will be cut off (accounts disabled, keys and badges returned);
- monitoring of electronic records for unauthorized access and security risks;
- documentation of incidents involving breach and resulting corrective actions;
- use of user-ID and password controls for systems holding electronic PI;
- access restriction to electronically stored information; and
- upgraded safeguards and protection (firewalls, encryption software) as needed.
If third parties you do business with (payroll processors, benefits administrators, IT vendors) have access to your PI, "the new regulations require companies to take reasonable steps to ensure that their third-party service providers are capable of maintaining appropriate security measures," according to Management Moxie, a newsletter from Foley & Foley, PC.
Even if your company doesn’t employ Massachusetts residents, it’s probably a good idea to get out ahead of the curve on this issue, because it’s fairly likely that your own state(s) will adopt similar regulations in the relatively near future.