In recent years, Massachusetts passed cyber security laws applicable to businesses that collect personal data from customers. Names, credit card numbers, social security numbers and bank account information all fall under the scope of private data. A wide range of businesses of all sizes depend on gathering, storing and licensing these kinds of information; as such, business owners need to comply with the regulations or face possible legal action.
The challenges of regulatory demands
Regulatory compliance is challenging for any kind of business, but small businesses in particular can find it daunting. A limited budget and a lack of in-house IT personnel make it more difficult to adapt to changing security requirements.
Also, the wording of the regulations themselves can be a source of difficulty. Sometimes they're spelled out clearly, with specific steps that businesses should take and specific requirements to meet. Other times, the language is more vague and open to wider interpretation.
For example, Massachusetts law demands that businesses come up with "administrative, technical, and physical safeguards" for their data; the specifics of these safeguards depend on a number of factors, including the company's size, nature and resources. It's often unclear to business owners if they're acting appropriately to meet regulatory demands; each business is unique and so are its cyber security solutions. It doesn't help that the law uses expressions such as "reasonable steps" without always detailing what these steps are.
So what does compliance mean?
Ensuring compliance means carefully reviewing the law, following the relevant specifics, and doing one's best to keep in the spirit of the law when the wording becomes more vague.
A key part of the law demands that businesses write out a comprehensive data security plan, implement it and maintain it. This plan must encompass major aspects of security, including the following:
- Technological strategies and defenses against data breaches. These include the use of encryption for stored and transmitted files, firewall protection, anti-malware programs, security updates, and strong password selection. They also involve monitoring your system for unauthorized intrusions.
- Administrative controls and employee training. You should carefully determine who has administrative privileges when it comes to knowing passwords, downloading software and performing system maintenance. You should also have protocols for different situations involving employees; for example, when employees leave your company, how do you prevent them from accessing sensitive data? Furthermore, part of your data security plan should include employee training and strategies to ensure their compliance with cyber security measures.
- Physical security. Businesses need to protect their offices and other work spaces from theft. Could a criminal easily break into your office and make off with a laptop or a folder full of printed files containing sensitive information? Could someone stroll in during business hours and sneak onto a computer when no one notices? Mobile devices are another concern: if an employee's phone or laptop is lost or stolen, are you able to remotely wipe the data from it?
Regardless of whether or not your business has hired in-house IT personnel, you should consult with experts who can help you bring your data security program up to regulatory standards. When you contact us, you'll receive advice and assistance in developing a comprehensive plan to protect your data and comply with the law. Beyond legal compliance, your plan will help prevent the significant financial losses and diminished customer trust that accompany a data breach.