How to Help a Small Business Comply with the 2010 Massachusetts Privacy Law

Background

In 2007, Chapter 93H was added to the General Laws of the Commonwealth of Massachusetts. The law establishes rules for preventing and reporting data security breaches, and it applies to "any person that owns or licenses personal information about a resident" of Massachusetts. (By regulation, the rules also apply to any person that “receives, stores, maintains, processes, or otherwise has access to such personal information.”) That means it applies to virtually all businesses and nonprofit corporations in the Commonwealth.

The law directs the Office of Consumer Affairs and Business Regulation to promulgate specific regulations relative to Chapter 93H. These regulations are contained in 201 CMR 17.00, which go into effect on January 1, 2010. Once effective, the regulations will be enforced by the Attorney General.

The law and regulations cover both written and electronic information. From a small business’s perspective, the key passages of 201 CMR 17.00 are as follows:

Personal information [is defined as] a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:

1. Social Security number;
2. driver’s license number or state-issued identification card number; or
3. financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that "Personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

[All businesses] shall develop, implement, and maintain a comprehensive [written] information security program (CWISP, or WISP) that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to:

1. the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program;
2. the amount of resources available to such person;
3. the amount of stored data; and
4. the need for security and confidentiality of both consumer and employee information.

The safeguards … must be consistent with the safeguards [required by similar state or federal regulations that may be applicable].

[E]very WISP shall include, but shall not be limited to:

1. Designating one or more employees to maintain the WISP;
2. Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to:
   1. ongoing employee (including temporary and contract employee) training;
   2. employee compliance with policies and procedures; and
   3. means for detecting and preventing security system failures.
3. Developing security policies for employees that take into account whether and how employees should be allowed to keep, access and transport records containing personal information outside of business premises.
4. Imposing disciplinary measures for violations of the WISP rules.
5. Preventing terminated employees from accessing records containing personal information.
6. Oversee[ing] service providers by
   1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information …;
   2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract a person has entered into with a third party service provider [before March 1, 2010] … satisfies the provisions … even if the contract does not include a [specific requirement regarding information safeguards].
7. Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.
8. Regular monitoring to ensure that the WISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.
9. Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
10. Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

Every [business] shall include in its written WISP the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:

1. Secure user authentication protocols including:
   1. control of user IDs and other identifiers;
   2. a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
   3. control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
   4. restricting access to active users and active user accounts only; and
   5. blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
2. Secure access control measures that:
   1. restrict access to records and files containing personal information to those who need such information to perform their job duties; and
   2. assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
3. Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
4. Reasonable monitoring of systems, for unauthorized use of or access to personal information;
5. Encryption of all personal information stored on laptops or other portable devices;
6. For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
7. Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
8. Education and training of employees on the proper use of the computer security system and the importance of personal information security.

The IT Consultant’s Responsibility

An IT consultant cannot be solely responsible for determining whether or not a small business is in compliance with the regulations. Ultimately, that decision is up to the Attorney General and the judicial process. Therefore, all businesses should seek legal counsel when evaluating whether or not they are compliant. Nevertheless, because of the regulations’ focus on specific technical requirements and procedures, IT consultants can (and should) offer advice on how their clients can best prepare for and follow the new rules.

The Compliance Review Process

IT consultants should provide the following services to their clients:

1. Education. Ensure that the chief executive is aware of the regulations and obtain his or her approval to implement a compliance plan. It is probably a good idea to identify who will act as the business’s Information Security Manager at this point and to involve the ISM in every subsequent step of the process. It is NOT recommended that the IT consultant serve as the ISM.
2. Inventory. Identify all instances of personal information that are being used by the business in paper or electronic form. (At this stage, do not worry about whether the personal information is “received, stored, maintained, processed, or otherwise accessed” by the business.) This process should involve discussions with people responsible for multiple aspects of the business, including but not necessarily limited to:
   • Human resources / benefits
   • Payroll
   • Sales (for nonprofit organizations, this may translate to Membership)
   • Accounting
   • Operations (to see if employees’ driver’s licenses are kept on file)
   • Client or Customer Service

   The consultant may find it worthwhile to conduct a survey of all employees, providing the definition of personal information and asking whether they have come in contact with such information. It is especially critical to identify any personal information that may be stored outside the business’s office, such as on laptop computers, as there are special encryption requirements for this information. It is also critical to identify any business processes that cause personal information to be sent across wireless networks or the Internet.
   At this point, generate a list of all contractors that may use personal information on your behalf. The contracts you have with them will need to be reviewed for compliance as well.

3. Scope Assessment. After identifying the extent to which personal information is used at the business, discuss with the chief executive whether personal information is a relatively small and contained piece of the business’s information or whether personal information permeates the entire business. For example, an automobile insurance agency, a certified public accountant, or a temporary employment services agency might decide that personal information is so pervasive in the organization that all information should be handled as if it is subject to the regulations, whether or not each bit of information actually is covered.
4. WISP drafting. A draft can be prepared by either the business’s ISM or the IT consultant. Although it is possible to start the draft from scratch, most businesses will probably want to start with a template that they can adapt for their specific needs. A free template is available from the Office of Consumer Affairs and Business Regulation. It is also possible to buy plan-creation tools. For example, a Boston-area consultant is offering workshops and templates at www.201cmr17.com. Businesses would be well advised to seek reviews of these products before investing significant amounts in them. To find other commercial templates, do an Internet search for terms such as 201 CMR 17 sample policy. During the drafting of the WISP, it may become evident that some existing procedures are not compliant with the regulations. These areas should be clearly flagged in the WISP with notes such as “IS THIS OK?” or “NEED TO FIX THIS”
5. WISP review and revision. The first draft of the WISP should be reviewed by whoever did not write it (i.e., either the ISM or the IT consultant). The reviewer should seek clarification of any section of the WISP that seems confusing, incorrect, or incomplete. As in the previous step, any potential non-compliance should be flagged.
6. Checklist review. Go through the 201 CMR 17 compliance checklist to identify additional potential areas of non-compliance.
7. System changes. Using comments from the draft WISP and the 201 CMR 17 compliance checklist, identify and implement the necessary organizational changes. This will be likely be the most technically challenging stage in the process.
8. WISP completion. Once the WISP is final, obtain a sign-off from the chief executive.
9. Implement and train. Because employee training is a necessary component of the WISP, implementing the WISP will not be complete after step 7 above. The training should be led by the ISM, with assistance from the IT consultant as necessary.
10. Schedule review. The WISP should be reviewed annually. Ensure that this review is placed on the company calendar for the following year.

I am a “fan” of Microsoft’s Office Live page on Facebook. Today they posted an update that appeared on my wall:

We all could use a little guidance from a consultant about now. But, for most of us, the cost of hiring a business consultant is far beyond our reach. However, help may be available for small-business owners from an under-utilized resource: college students.

What’s that, Microsoft? You’re saying I can be replaced by college students!?!?!?!

In fairness, the blog that the Facebook entry links to is not terribly inflammatory. It doesn’t suggest that a college student can do what I do. It merely suggests that students can be brought in for short-term, closely defined projects. Businesses of all sizes have been doing this sort of thing for years. I do wish, though, that the lead-in paragraph had been worded a little more carefully.

No, it’s not britney spears. It’s computer consulting.

Now let’s take a look at the same trend line with another search term superimposed:

What’s the second search term? No, it’s not amy winehouse. It’s cloud computing.

I’ve known for a while that the times they are a-changin’ but as they say, a picture is worth a kiloword.

I hope at some point to import some of the old Schragazine articles back into this blog. Maybe starting next winter, on the 9th anniversary of the Schragazine launch ….

Potential conflicts of interest. In situations where Company is receiving any compensation (money or otherwise) from a Customer for providing pre-sales support, or where Company has a fiduciary relationship with a Customer, Company has a potential conflict of interest. In these cases, or when Company is otherwise required to do so by applicable law, Company must not act in a manner that puts its interest in the Fee [for selling Microsoft services] ahead of the Customer’s interests so as to be unfair to the Customer.

I was glad to see that, because it’s consistent with what I said about consultants, contractors, and vendors. (Speaking of which, I just noticed that although comments are requested on that page, you can’t actually make any. That must be new since I switched templates. I’ll see if I can do something about that.)

The sucker is huge and consumes a lot of desk space all by itself, but its big pockets and Lazy Susan design have allowed me to keep everything that used to be stacked in front of me within arm’s reach and yet out of the way. I’ve labeled three of the four sides: “To Do,” “To Read,” and “To Write.” The fourth side currently holds blank paper for jotting down phone numbers and other notes that will later go into the “To Do” slot.

This is of course not the first desk organizer I’ve tried, but so far it’s the only one that’s actually accomplished its mission for more than a few days.

I’m not under the illusion that putting ads on my blog is going to let me quit my day job. I did it more as an experiment. And if I can make enough money to pay for an extra night at the movies every couple of months, why not?

If you want to follow in my footsteps and “monetize” your own blog, here’s what you have to do:

1. Create a blog (or other web site) with plenty of content. You’ll have a hard time getting ads on a site that’s under construction.
2. Sign up for an account at Google AdSense. There are other ways to place ads on your site, but AdSense is a pretty good way to get started.
3. If you’re a blogger, find an AdSense-ready theme. There are dozens available for WordPress. I chose Ad Flex Blog, which was the first one mentioned on this list of AdSense Ready WordPress themes. As of this writing (August 9, 2008) I’m using mostly default settings, so my blog looks pretty generic. As I have time, I’ll fiddle with the 100+ options in the theme settings to personalize it.
4. Figure out where in the theme you  have to insert the code that’s generated for the ad blocks you create in AdSense. (You don’t tell AdSense what ads to put on your site. You provide the equivalent of an empty billboard, and you let AdSense know that your space is available for rent.) For example, in the Ad Flex Blog settings within the WordPress admin console, there’s a field called “Ad Banner Link Unit Code.” That’s where I pasted the javascript code for my 728 x 15 pixel billboard. That’s the thin strip that says “Ads by Google” right above “The Schlog.” At the moment I have two other billboards, at the top and bottom of each page.

That’s pretty much it. After that, you just log into AdSense now and then to see how much money you’ve made. In the first week, I’ve made a whopping $5.67 from a total of 4 clicks on ads I’ve displayed. Like I said, I’m not quitting my day job.

Despite Google’s product name, some of the ads make no sense at all. For example, there are a lot of references in my blog to my own name, David Schrag. As a result, I’m seeing ads in the link for “David Hasselhoff,” “David Beckham Pictures,” and “David Bay” (whoever he is). And now that I’ve mentioned their names again, I’ll probably see even more ads. But I’m also seen an ad for a company that will be offering SharePoint training in Boston, and that’s something my readers might actually be interested in.

So what do you think? Are you impressed? Aghast? Dismayed but resigned to the creeping commercialization of the web? Have no problem with the ads but think the new theme is butt-ugly? Remember, feedback no longer requires registration, so let’s hear it.

Microsoft seems to be trying to channel the Pepsi Challenge with its new plug for Windows Vista: the Mojave Experiment. They’ve rounded up a bunch of Vista haters (or at least Vista skeptics) and they’ve led them through a sham market research study. Subjects were told that Microsoft, in response to criticism of Vista, had developed a new operating system called Mojave. They wanted to get some early feedback. Turns out that the Vista haters really liked Mojave … and it turns out that Mojave was really Vista. See? All you have to do is try Vista, and you’ll like it better.

Of course, not everyone has read Blink, and I wonder if that that includes the folks at Microsoft market research, and perhaps some of the bloggers who’ve been impressed with the Mojave Experiment (this means you and you and you and you, among others). Because here’s the thing about the Pepsi Challenge. Although the results were accurate, they were also very misleading.

It turns out that people really do prefer Pepsi over Coke … when they’re drinking them both one sip at a time! But give those same people the opportunity to drink full cans of both sodas in a natural environment, and it turns out they’d rather drink Coke. How do we know this? Because Coke responded to the results of the Pepsi Challenge by creating New Coke, which was engineered to taste more like Pepsi. And New Coke turned out to be one of the biggest marketing debacles in history. After returning to the old formula, which supposedly tastes worse, according to the Pepsi Challenge, Coke re-established its market dominance.

Microsoft seems to be suggesting that the Mojave Experiment is evidence that people would really like Vista if they only gave it a try. That assertion may be true, but it’s not what the Mojave Experiment shows. What Mojave shows is that Microsoft can design a short, controlled demonstration that makes Vista exceed expectations. That’s really not that hard to do. I wouldn’t be surprised if someone could replicate the results by doing a demo of Windows 98 instead.

Some questions NOT answered by the Mojave Experiment:

• What would Vista skeptics think of Vista if Vista suddenly got installed on their own computers and they had to work with it for a week or a month?
• Which operating system would Vista skeptics choose if they were given side-by-side demonstrations of Vista, XP, Mac OS, and Linux?
• How much would the new fans of Vista be willing to pay to upgrade from what they have now to Vista? Would they be willing to upgrade their hardware as well if that were necessary to get Vista’s benefits?

I’m not anti-Vista. But I’m not pro-Vista, either. And a cheesy marketing gimmick like Mojave won’t change my mind.

I’m not sure how well these responses work for people whose first language is not English, but I definitely appreciated the effort.

Some choice quotes:

One of the sacrifices that anybody makes who is determined to have more money than their neighbor is time…. And it’s not only them that’s doing the sacrificing…. Your spouse is going to sacrifice, your children are going to sacrifice, and so are your friends. That’s one of the downsides of this insane quest.

I don’t know anybody that’s made a hell of a lot of money from a standing start that doesn’t go through this madness [of spending too much money on unwise purchases].

If you want to be rich, you absolutely cannot do it unless you’re a jerk…. You really have to be pretty unpleasant.

I can show you how to get rich … but I can’t show you how to be happy…. I know a hell of a lot of people who are insanely rich, and I don’t know one of them who hasn’t had problems with their family…. They spend so much of their time making money, and it becomes a drug. It isn’t the money that’s the drug. It’s the making of the money.

There’s only so much pie to go around. There can only be so many rich people in any community of humans. If there’s only so much pie to go around and you’re going to take a lot more of it than anyone else, then you’re going to have to take that pie away from people. That’s effectively what you’re doing. You never read this in any of these new-age self-improvement books. They don’t want to mess with these kind of topics. But the truth is that you’re taking it away from someone else. It’s all right going on about how you’re manufacturing wealth — well in a way, you are. But you’re also stealing it from other people. To be like that, that means you have to be a pretty selfish person. You have to be driven…. Just a desire to be rich … is useless…. It has to be absolute compulsion…. If you’re a driven person, you’re often not very nice to be around.

Team spirit is the glue that binds losers together.

Admittedly, Dennis defines “rich” as having a net worth of over $30 million. He does allow that it’s possible “to end up with a few million bucks and still be a decent human being.” But the idea of an inverse relationship between net worth and niceness rings true to me.

Toward the end of the interview, Rosabeth Moss Kanter presents a somewhat more optimistic counterpoint, and she and Dennis engage in a rather heated debate.

If you have any thoughts of becoming a gazillionaire, you must give this a listen.