Meeting Compliance Regulations At The State And Federal Levels.
State, Federal and International laws are in place today requiring businesses to document the steps they are taking to ensure best-practice security measures. Without documented efforts, businesses become liable for damages in the event of a security breach. These damages could also lead to civil and criminal prosecution of the Officers of the Corporation.
Would you know if…
- An employee is using a P2P file-sharing application to download music and, without knowing it, is exposing to millions of users all the customer personal information to which they have access.
- An insider researches, downloads and runs an exploit that gives him access to systems on which private customer information is stored.
- A departing employee uses unencrypted email to send thousands of files containing private customer information to a third party.
It’s Your Business
More and more businesses are being forced to comply with strict guidelines to safeguard customer data and notify customers in the event of a breach of such information. Below are just a few of the laws that regulate today’s business and mandate specific procedures and guidelines to protect against unauthorized system access and data compromise.
- Mass Privacy Protection Law (201 CMR 17)
The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued in October 2008 a comprehensive set of final regulations establishing standards for how ALL businesses, whether based in Massachusetts or not, protect and store personal information about Massachusetts residents.
These regulations require, among other things, that businesses encrypt documents sent over the Internet or saved on laptops or flash drives, encrypt wirelessly transmitted data, and deploy up-to-date firewalls to create “an electronic gatekeeper” between the data and the outside world that only allows authorized users to access or transmit data.
The regulations were set to take effect on January 1, 2009; however, the deadline has now been extended to May 1, 2009. Accordingly, even with the additional time that OCABR has provided, employers need to move swiftly to make the operational changes needed to comply.
A civil penalty of $5,000 may be levied for each violation of 93H. In addition, under the portion of 93H concerning data disposal, businesses can be subject to a fine of up to $50,000 for each instance of improper disposal.
- California SB 1386
On July 1, 2003, a precedent-setting bill went into effect in the State of California. California Senate Bill (SB) 1386 requires any agency, business, or person owning or licensing a computerized database of personal information on California residents to immediately notify customers if the security of their private information is compromised. This requirement is likely to be duplicated by other states and applies even if no information is stolen, and authorizes lawsuits and injunctions if breaches are not reported in a timely manner.
- Notification of Risk to Personal Data Act (NORPDA)
This law is modeled on California’s SB 1386 and requires all U.S. businesses and government agencies to notify customers in the event of a network security breach. Penalties are $5,000 per violation or up to $25,000 per day.
A proactive approach to improving your overall security framework will prove the least costly way to prevent unauthorized access to your customer data. Prevention measures in place now can save your company not only time, money and production resources, but will also give you and your customers a level of trust and confidence, rather than the embarrassment of having to disclose to every customer that their personal information has been compromised and could be used fraudulently.
For more information on how TBG Security can help your organization reach compliance, contact our Compliance Practice Manager or call us directly at 877.233.6651 ext 704.