Information Security
Compliance with State Law
Information security is simultaneously one of the most important and one of the most difficult to understand topics facing the business world today. It spans everything from shredding sensitive documents, to removing hard drives from printers before retiring them, to protecting your customers’ information on your computer systems. There are so many different aspects to information security as well as steps that can be taken to achieve it. In Massachusetts, we are subject to state law 201 CMR 17.00. Our state led the way years ago, introducing comprehensive legislation governing the way businesses must handle certain security practices if they deal with customer information. The problem is, many small and medium sized businesses aren’t aware of the law, much less compliant with it.
The law states you MUST encrypt the hard drive of portable computers and mobile phones if they contain customer data. This can include emails.
(5) Encryption of all personal information stored on laptops or other portable devices
This heavily impacts lawyers, realtors, mortgage professionals, financial institutions, and any other business that stores customer information on their computers or mobile devices.
The law also mandates Firewall security appliances and a patching strategy for Windows/Apple/Linux installations:
(6) For files containing personal information on a system that is connected to the Internet,there must be reasonably up to date firewall protection and operating system security patches,reasonably designed to maintain the integrity of the personal information.
(3) Encryption of all transmitted records and files containing personal information that willtravel across public networks, and encryption of all data containing personal information to betransmitted wirelessly.
What is a WISP
WISP or Written Information Security Policy is mandated by Mass 201 CMR 17.00. If you think your business is too small for a WISP, consider the case of Ned Devine’s, a well known Irish pub in Boston. In 2009, malware was installed on their computers which leaked customer credit card data that was then compromised. In addition, they used default usernames and passwords on there POS terminals, and didn’t properly secure their wireless connections. As a result, they were fined $110,000 by the state of Massachusetts. Here is what Attorney General Coakley had to say:
When consumers use their credit and debit cards at Massachusetts establishments, they have an expectation that their personal information will be properly protected…In this instance, the Briar Group did not take proper protections to protect customers’ personal information. In addition to the payment [of the $110,000 fine], this agreement also works to ensure that steps have been taken to protect consumer information moving forward. Our office will continue to take action against companies that fail to implement basic security measures on their computer systems to protect the sensitive information entrusted to them by consumers.
You can read the entire release on the state website. Here are the state guidelines regarding developing a WISP for small business.
Most small businesses would not survive a fine at that level, however, it is within reach of any business to develop a Written Information Security Policy to prevent these types of vulnerabilities in their networks and procedures. Dragonfly Computers has a comprehensive checklist to help create an effective and reasonable company policy to prevent this kind of liability.
Do Cyber criminals bother with small businesses?
Increasingly, the answer is yes. Small businesses, although subject to many of the same regulations large corporations must comply with, make increasingly inviting targets. Often because staff are untrained, there are no procedures in place, and security is minimal. In the end it’s about money and the criminals don’t care where it comes from. According to PriceWaterhouseCoopers, 62% of cyber-attacks targeted SMB’s in 2015. Cyber criminals are perfecting their skills on small and medium sized businesses in order to use those attacks on larger entities in the future. In addition, bigger companies are throwing increasingly larger budgets at information security. This makes small companies increasingly attractive targets. There are typically two approaches taken to cyber security, close the doors and lock the shop after the theft has already occurred or go on offense. We recommend the latter.
What is your data worth?
Putting aside for a moment, the state rules and regulations as well as the need to protect your customers. You also need to worry about yourself. A bad virus or spyware infection can knock a machine out for a day or two. That leads to unplanned expense in addition to killing productivity. A ransomware infection can rob you of your own data by locking you out of the files on your computer. These attacks have successfully targeted many police departments; they can get you. There are active steps your business can take in advance to ward off these types of attacks but it is also crucial to have daily off-site backups in place if the unthinkable happens. That can mean more than just a ransomware infection, it can be a flood, fire, or theft. Have you ever stopped to ask yourself what your data is worth and what your business would do if it was faced with losing all its data without notice? Together, we can make sure that never happens.
Don't let Information Security be a Liability
Ensure you are complying with state privacy law, contact us to schedule a consultation