
Guest Post: Happy One-Year Anniversary to the Massachusetts Data Security Regulations

March 1, 2011 marked the one-year anniversary of the effective date for the Massachusetts data privacy laws and regulations. We’ve offered consistent coverage of issues surrounding Massachusetts data privacy at the LOMAP Blog–at this root post, and in the posts linking back to it. In marking (somewhat belatedly) the one-year anniversary of the effective date of the data privacy laws and regulations, we are very lucky to have been given permission to reproduce here the following post. The take below on the one-year anniversary of the effective date of the laws and regulations is brought to us by C. Max Perlman of Hirsch Roberts Weinstein LLP. Max is a member of HRW’s Data Security Team, and is a frequent author and speaker on issues related to Massachusetts data privacy. Max has previously published to HRW’s BLEG Blog on the topic of the FTC’s Red Flag Rules.

. . .

Earlier this month, the business community celebrated the one-year anniversary of the Massachusetts Data Security Regulations. And, by “celebrated,” I mean lamented, cursed, bemoaned and otherwise maligned. After all, the Massachusetts regulations, which are the strictest, most comprehensive set of regulations of their kind in the nation, have caused a number of businesses to spend massive amounts of time and money in their attempts to comply. Many other businesses, though, have disregarded the burdensome regulations, and now live under the cloud of fear of the potential consequences.

So, while the occasion of the one-year anniversary of the regulations might not be one to actually celebrate, it does serve as an excuse to renew a discussion of the law’s basic requirements, and of the stakes of non-compliance. Amidst considerable uncertainty regarding precisely how the regulations will be enforced, here are three maxims that HRW’s data security team has discovered:

(1) A company/law firm that has failed to adopt a WISP is taking a serious risk. The state Attorney General’s Office can and will commence enforcement actions against companies that fail to adopt a Written Information Security Program (WISP), seeking fines, multiple damages and fees. A year ago, it seemed that enforcement actions would stem mostly from data security breaches. It now appears that the AG’s office will pursue tips from dime-dropping employees. For this reason, any company that has not adopted a WISP is at the mercy of each and every one of its employees; the pains and penalties of an enforcement action are only one disgruntled phone call away.

(2) Going through the motions is not adequate. There are sample WISPs available generally on the Internet; but, the ones that I have seen are inadequate for all but the most rudimentary of businesses. It is unwise, then, for a company to use one of these samples without actually assessing its own specific needs for protection of personal information. The AG’s office might not give any credit to a company that does little more than add its name to a boilerplate template without serious consideration as to whether it fits. If you are getting your WISP the same way a schoolboy gets his first suit–off the rack–you could have a problem.

(3) Failing to follow a WISP can get a company in trouble, too. These regulations do not work like a Ronco rotisserie oven; they don’t allow businesses to ‘set-it-and-forget-it’. A company cannot simply adopt a WISP, file it away and hope for the best. Companies are required to make sure that they adhere to their WISPs; and, the AG’s office will pursue a company that has a data security breach due to a failure to follow its WISP. Further, the regulations require an annual review of the WISP, as well as disciplinary measures for employees who fail to follow the WISP.

In the year since the regulations went into effect, I have been encouraged by the great strides that the business community has taken in protecting personal information, and in becoming aware of the perils of identity theft. There will, however, be fallout for companies that ignore the requirements of the regulations, or that are too casual about their efforts to comply.