Here’s an unpleasant reality that might keep you up at night: one absent-minded employee has the power to do permanent damage to your data and your business’s reputation. Understanding data protection regulations is the first step to protecting your clients and your reputation.
Here in Massachusetts, regulation 201 CMR 17.00 requires businesses to safeguard certain personal information belonging to residents of the Commonwealth. Under this regulation, personal information is considered to be any instance of a resident’s first and last name, or first initial and last name, in combination with the person’s Social Security number, driver’s license number or bank account/credit card number.
Any business that collects that information from customers or clients is required to prevent unauthorized people from accessing it, which means safeguarding both digital and physical files. It’s not only shadowy hackers that pose a threat. Employees take files out of the office, lose their company-issued devices on public transportation, or accidentally install malware delivered by phishing emails. A data breach can happen even in a company that has zero digital presence.
There’s no sweeping a breach under the rug. Massachusetts law requires businesses to report breaches to the Office of Consumer Affairs and Business Regulation (OCABR) and the Office of the Attorney General. Currently there’s no searchable database that residents can use to access information about those reports, but anyone who wants to find out about a business’s breaches can submit a public records request to the OCABR.
The bigger issue, especially for customer-facing businesses, is that the law also requires that residents be notified if their information has been compromised. So if a single sheet of paper with the personal information of 50 of your Massachusetts customers is accessed by an unauthorized person, by law you’re required to contact all 50 customers. All that’s necessary for word to spread about your security lapse is one of those customers writing a negative Yelp review or a widely shared Facebook post. Overnight, your business could get a reputation for being negligent with private information.
These notification laws aren’t unique to Massachusetts. (In fact, with the passing of the Alabama Data Breach Notification Act in June 2018, all 50 states now have security breach notification laws in place.) But if your business operates in Massachusetts, or if you’ve collected personal information from even one Massachusetts resident, it’s paramount to your organization’s continued operation that all employees comply with this regulation and its reporting requirement. That’s why all businesses should have robust data security policies, which outline protections to prevent intentional data theft and accidental data loss.
Learn from the mistakes of Goldthwait Associates, a Massachusetts medical billing company. In 2010, an employee left medical records in the garbage at a transfer station, which a Boston Globe employee then discovered. The company was part of a group fined $140,000 in 2013 for violating 201 CMR 17.00.
Disposing of files improperly proved to be a costly and time-consuming error for that company, and the same could happen to you if sensitive files are discovered in a trash or recycling bin. Northeast Data Destruction can help. Using our shredding services makes it easy for your business to comply with regulations and allows you to maintain the trust of your customers. Contact Northeast Data Destruction to arrange for secure pickup or drop-off.