Thirty-nine states have regulations requiring companies to inform customers when their personal information has been exposed. But many small- and mid-sized enterprises do not have the budget to figure out, let alone comply with, these regulations and the requirements that vary from state to state, then notify consumers and state authorities, send snail-mail notices, transmit a blanket e-mail, etc.
Massachusetts recently enacted a data-protection law requiring notification to residents and state authorities if consumer names and identifiers such as credit card accounts or Social Security numbers are improperly accessed or used. A second component of the law mandates destruction of hard copy and electronic data containing personal information of Massachusetts residents.
Matt Pierce, CIO of the Watertown, Mass.-based Cadmus Group – a consultancy that assists government, nonprofit and corporate clients researching environmental and energy challenges – said the state’s law is more strict than most.
In beginning a dialogue with the firm’s human resources director about the protection of personal information, Pierce looked at laws in states in which Cadmus has major offices – Massachusetts, Montana, Virginia, Maryland and Washington, D.C. – thinking employee records were the company’s only worry.
“There are a lot of companies like Cadmus that have a lot of personal records,” he said. They may not be on the order of databases like TJX’s, but these companies hold a wealth of personal data and have vulnerabilities of their own.
After reviewing the laws, Pierce dove into Cadmus operations to “basically get a sense of what…