Data Privacy: Massachusetts Up to the Challenge?
<p>Data breaches inflict large direct and indirect costs on businesses and other organizations. In response to this increasingly costly problem, legislators and regulators have jumped into the fray, viewing the problem as a consumer-protection issue. More than 40 states now have breach notification laws on the books. They are also turning to stricter laws.<br /><br />Massachusetts is leading the way. Starting in May, the state will require businesses that collect information about residents to encrypt sensitive data stored on laptop computers and other portable devices. Michigan and Washington state are considering similar regulations.<br /><br />But are the Massachusetts law and others like it enough to protect critical personal electronic data? While helpful, these laws have serious limitations. Most significantly, they create a patchwork of regulations that can be daunting for a large organization to navigate. They are next to impossible for a small firm to live with.<br /><br />An effective data-protection plan has three pillars: education and effective internal policies, technology and federal legislation. Organizations must get serious about treating customer data as they would treat customers themselves. Every organization should have a well-known customer data policy, and every employee should be trained in how to obey it. And there should be serious consequences for breaking that policy.<br /><br />After education comes technology. As the Massachusetts law recognizes, encryption is an important part of the puzzle — so are technologies that monitor and even prevent the loss of critical data. This can help enforce customer data policies and state and national regulations, as well as assist in a forensic analysis should a breach occur.<br /><br />Finally, there is federal legislation. As the new U.S. 
Congress considers data privacy legislation, it should be guided by four core principles.</p><ul><li><strong>Clear, uniform and comprehensive application: </strong>Federal legislation should authoritatively define “personal data,” “financial data” and “identity.” It should establish national benchmarks, and it must apply to private and public industry, as well as all levels of government.</li><li><strong>Use of current best practices: </strong>Effective federal legislation need not be cut from whole cloth. State legislators such as those in Massachusetts have been joined in the data security effort by private businesses, trade associations and advocacy groups.<br />Our nation’s public and private organizations have developed best practices that can and should be used in the development of a national standard: an expansive understanding and definition of protected data, required disclosure of a breach even if security procedures are in place, required disclosure of a breach when data is reasonably believed to have been compromised, delayed disclosure to meet the legitimate needs of law enforcement and annual risk assessment by organizations meeting certain thresholds.</li><li><strong>Vigorous enforcement and substantial penalties: </strong>Appropriate government agencies must be fully empowered and possess necessary resources to enforce the law. Given the damage caused by identity theft, there should be very stiff penalties and mandatory incarceration for intentional violations.</li><li><strong>Funded mandates: </strong>Implementing and monitoring an effective federal data protection law will be costly, especially for small businesses. The federal government should assist organizations in fulfilling a data-protection mandate. This could include tax credits or other incentives for buying technology.</li></ul><p>While data-protection laws such as Massachusetts’ are a good start, they do not fully address the magnitude of the data loss problem. Education and internal policies, technology and federal legislation are necessary. Together, they will help ensure the continued growth of e-commerce and the business formation and job creation that go with it.</p><p>- Peter George, President and CEO of Fidelis Security Systems</p>