Tuesday, September 14, 2021

Is your small business compliant with Data Security Regulations?

Develop a WISP that helps you comply with Massachusetts's data security regulations

At Compliance+ Security, we help small businesses safeguard the personal information of their customers, employees, and contractors. The most effective safeguard is to comply with the law and protect that data by developing a Written Information Security Program (WISP). A WISP is a document that details an organization's security controls, processes, and policies. Massachusetts's regulations (201 CMR 17.03) require every business that owns or licenses personal information about a resident to develop, implement, and maintain one, and it must be tailored to the business's needs and to the requirements of the law.


You value your data, and so does a hacker


A common misconception among my clients is that breaches only happen to big businesses. There are notable examples from Equifax, Yahoo!, LinkedIn, Facebook, and others in which a single data breach compromised millions of individuals' data at once. But the numbers tell a different story. The Massachusetts breach notification reports[2] show that the vast majority of reported data breaches affect a small population of 1 to 10 individuals at a time. Every business, large and small, is a target for attackers seeking personal data. The headlines go to the big breaches, but small breaches happen every day.


Reality of numbers


In 2021 so far,* there have been 2,188 reported data breaches in Massachusetts, affecting over 1 million residents. At this rate, by the end of the year as many as 1.5 million Massachusetts residents could have had their information compromised in this year alone.


Massachusetts’s data security regulations have teeth


Massachusetts has made significant efforts to protect residents from data breaches. These efforts include passing Chapter 93H[3] and the regulations issued under it by the Office of Consumer Affairs and Business Regulation (OCABR)[4]. These regulations apply "to all persons that own or license personal information about a resident of the Commonwealth." Personal information means a resident's first name and last name (or first initial and last name) in combination with one or more of the following: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number.[5] Note that the name alone, or a card number alone, does not qualify; it is the combination that triggers the regulations.


Chapter 93H authorizes the Attorney General to bring an action seeking court-ordered relief such as injunctions, consumer restitution, and civil penalties.[6] Civil penalties can be up to $5,000 for each violation, plus the costs of investigation and litigation. In some cases, damages may be trebled.


The landmark case of Commonwealth v. Equifax, Inc., No. 1784CV03009BLS2, 2018 WL 3013918 (Mass. Super. Apr. 3, 2018) demonstrates just how deep the teeth of this law can be. In that case, the Attorney General alleged that Equifax "knew or should have known about the data breach by July 29, 2017; and that Equifax waited to provide the required notice until September 7, 2017"[7]. After its motion to dismiss was denied, Equifax settled with the Attorney General for $18.2 million[8].


Don't be the next Equifax. Equifax could have avoided the litigation entirely if it had implemented safeguards for its data, reported the breach promptly, and followed the rules set forth in Chapter 93H. The good news is that Chapter 93H and its supporting regulations allow a company to implement safeguards that are appropriate to the size, scope, and type of its business and the resources available to it. The bad news is that businesses of all sizes must provide at least 18 months of credit monitoring to every affected resident when a breach involves Social Security numbers. Assuming a cost of approximately $15 to $25 per affected resident, credit monitoring alone adds up quickly for a small business.


Reach out to us to learn more. We offer free consultations to help you develop a WISP that is tailored to your business needs, complies with the law, and safeguards your customers' data.



FOOTNOTES:


*As of September 8, 2021, Data Breach Notification Report

[2] https://www.mass.gov/lists/data-breach-notification-reports

[3] General Laws Chapter 93H

[4] MA Data Security Regulations - 201 CMR 17.0

[5] 201 CMR 17.02

[6] MGL c. 93H, Section 6; MGL c. 93A, Section 4

[7] Commonwealth v. Equifax, Inc., No. 1784CV03009BLS2, 2018 WL 3013918, at *3 (Mass. Super. Apr. 3, 2018)



This publication contains information about regulations, laws, enforcement, penalties, and court cases pertaining to data security regulations, data breach notification laws, and data destruction laws. The information is not legal advice and should not be treated as such. This publication, which may be considered advertising under the ethical rules of certain jurisdictions, should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This newsletter is intended for general information purposes only, and you should consult an attorney concerning any specific legal questions you may have.