It's Now the Law! Tough New Data Protection Law Starts in Massachusetts

Consumer and privacy advocates heralded Massachusetts for the March passage of the nation’s strictest law yet on data security. But in the months since, many of those charged with carrying out the law – including condominiums and property management firms – have struggled with its many requirements.

Experts familiar with the law are strongly advising condominium association boards and management companies to take steps to comply with it, and understand their potential liability.

The law, known as 201 CMR 17.00, can be read in full on the Office of Consumer Affairs and Business Regulation website (http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf).

Basically, it places stringent data security obligations on any organization that collects, uses, stores, transmits, or disposes of personal information (PI) about a Massachusetts resident. The law applies to entities outside the state as well, like a border state property management firm with Massachusetts portfolios.

PIs include a person’s full name (or last name plus first initial), and numbers such as Social Security, bank account, credit or debit card, driver’s license, PIN, or a code that would enable an unauthorized person to gain access to those accounts. (For condo associations, this information could be found on checks for condo fees or on forms that unit owners fill out for automatic withdrawal of those fees.)

Key requirements of the law include developing a written security plan, designating a point person, putting in place protocols to limit the number of employees with access to PIs, and training employees. The law requires that “reasonable measures” be taken to protect information in all its forms (hardcopy or electronic) at all times (data in storage or in transit) from theft. Organizations must also pay attention to how they, or third party contractors, dispose of paper or electronic records containing PIs.

In many businesses today, sensitive electronic data is often encrypted – which means the information is unintelligible to anyone without a key to decode it. Small organizations, which don’t typically have sophisticated IT support or security, are concerned that complying with the new law will require additional expenses for services such as encryption.

“People in that situation tend to throw up their hands,” says attorney Michele Whitham, a partner at Foley Hoag, LLP, in Boston, and co-chair of the firm’s privacy and security practice group. “In the old days, you’d lock your files in a file cabinet in a locked room. Now the information is largely electronic.”

It’s estimated that 80 percent of all business information is in electronic form, and that percentage is increasing. As more people switch to automatic transfers and online transactions, the potential for data theft rises exponentially.

Where to Start

Before organizations can decide how to proceed, they need to assess the amount of personal information they handle, where it lives, and who sees it, says attorney David Cogliano of Davis Malm & D’Agostine P.C. in Boston. “Following the guidelines of the law is not as onerous as people fear it is.”

Cogliano advises organizations to “reach for the low-hanging fruit” – take simple steps first, such as not leaving sensitive paperwork out on desks, locking doors, raising awareness. “Every entity should go through the process, write out a WISP [Written Information Security Program], train their employees. There are a lot of cheap, obvious things to do that will go a long way toward meeting the requirements,” he says.

So far, the law is still too new to have generated litigation, but this should not cause organizations to relax their efforts. The precedent is there, says Whitham, in the cases of big IT security breaches such as TJX, which will be discussed further below.

Imagine a scenario in which a condo bookkeeper leaves eight personal checks from unit owners on her desk and steps out for a few minutes. In that time, an intruder steals the checks and uses them to access bank accounts and steal funds. A unit owner could conceivably make a case, if he or she could show evidence of negligence, against the bookkeeper or the association for violating the law. If that case was proved, the fine levied by the Attorney General is $5,000 per violation. If all eight checks were included, that’s $40,000.

That case would hinge on whether the condo association and bookkeeper could show they took “reasonable measures” to protect the personal information. These reasonable measures would be vastly different from those the AG would expect a corporate giant such as IBM to take. The law attempts to differentiate between entities that only handle small amounts of PI and those that have the potential to drastically affect large numbers of people.

How We Got Here

California passed the nation’s first law requiring notice of security breaches in 2003, but the European Union’s statutes remain the gold standard of data security law. In the U.S., 40 states require security breach notification, and enact penalties if the organization does not come forward and tell its customers that their personal information may have been compromised. Soon, all 50 states will have similar requirements, says Whitham.

In Massachusetts, high-profile data security breaches at companies such as Stop & Shop and TJX, the parent company of retailer T.J. Maxx, created an imperative for more legislation. The TJX breach, which came to light in 2007, was caused by incorrect storage of credit and debit card data, in violation of the Payment Card Industry Data Security Standard. Investigators determined that a hacker had stolen information from the Framingham, Massachusetts-based company dealing with 45 million accounts, starting in 2005 with some going as far back as 2003. A class-action lawsuit resulted in the company paying tens of millions of dollars to affected customers. The settlement with 41 states’ attorneys general resulted in a $7.5 million payout.

Big companies capture the headlines, but smaller organizations have seen their share of data security breaches, including doctors’ offices, university health clinics, restaurants, and charity organizations. Often, the breach results from something as simple as loss or theft of a laptop containing sensitive information. And these situations are on the rise, resulting in increased costs to organizations. The Ponemon Institute, a security and privacy consulting company, gauges the cost per compromised record at $202.

Hackers recognize that smaller organizations generally don’t have the IT fortresses to protect data. Still, some small businesses make it too easy. An August survey of 10,000 small and mid-size companies around the world by PandaLabs, the research arm of software maker Panda Security, found that 31 percent of the businesses surveyed did not use anti-spam software and 23 percent did not have antispyware applications. An amazing 15 percent said they didn’t bother with an Internet computer firewall.

PandaLabs reported that 46 percent of small companies in the U.S. had been victimized by cyber crooks, up 2 percent from last year. (Fortune 500 CEOs said their companies experience cyber attacks hourly or daily, according to the Ponemon Institute.)

By not protecting systems, community associations and businesses risk getting hit with a host of computer maladies, including viruses and infectious malware, and increase the likelihood that hackers will steal personal information. In addition to the financial costs involved, these organizations also face considerable loss of credibility.

“It’s really bad to have your name out there as someone who lost data,” says Whitham.

Protection Strategies

After a condo board or management company determines how much PI comes through the office, who is authorized to see it, and where and how it is kept, the first line of defense is to talk with the person who provides IT support, says Cogliano. That individual already knows the most about a particular system. But if he or she isn’t conversant in the new law, “that should send up a red flag,” he says.

Hiring a consultant specializing in computer security will likely be a necessity for most condo association boards and management companies. The complexity of both the technology and the law requires sophisticated knowledge and resources. For example, to comply with the law fully, every device should be treated as a point of potential data breach, from small portable items such as flash drives, PDAs and laptops to larger ones such as desktop and backup computers.

Upgrading security for computer operations does not have to be costly, but it does require research and asking questions. Most of the recognizable antivirus companies, such as McAfee, Symantec, and Norton sell packages of software with varying degrees of protection, including encryption. Other companies, such as Personal Data Compliance, are tailoring services and tools to directly address the Massachusetts law.

A particular challenge to condo boards is the high turnover of volunteers. The association needs to have a policy on what happens when the baton is passed, and to ensure that outgoing members turn in or erase any sensitive records to which they had access.

To protect trustees and condo board members who might be called in a data security suit, boards may also want to look at strengthening existing indemnity provisions, says attorney Robert J. Galvin, who is also with Boston’s Davis Malm & D’Agostine. Under standard Directors and Officers (D&O) liability insurance, the policy will pay for legal defense and any damages awarded in a case that is successfully brought against an official of the trust, except in situations such as criminal wrongdoing or breach of fiduciary duty.

Office managers should be careful even when they’re donating used equipment to charities or recycling outmoded hardware. Copiers and all electronic equipment should have their memory wiped clean before leaving the premises.

By taking such steps, and especially by complying with the Massachusetts law, condo associations and management companies do their part to safeguard residents’ valuable information and avoid costly lawsuits and damage to their credibility.

April Austin is a freelance writer and a frequent contributor to New England Condominium magazine.

Comments

  • These measures are a step in the right direction. Still, our readers should be advised; these laws mean nothing if they are not being incorporated within condominium business structures. My personal experience reflects a system whereas, the very same policies are not being enforced. E.