Don’t forget about the paper!
There’s been a tremendous amount written lately about how to prepare for the upcoming March 1 deadline for compliance with Massachusetts 201 CMR 17.00.
Almost everything I’ve read has focused on the electronic aspect of the regulation with little or no attention paid to how an organization will change the way they handle paper containing personal information. Just as a reminder, the intent of 201 CMR 17.00 is to establish minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records.
While a great number of postings have focused on encryption products or secure data storage technology with scary facts to support their implementation, relatively few address the internal paper processes inherent in any organization. For example, do you know what happens to job applications that contain personal information for those candidates that are not hired into your organization? Typically they’re disposed of rather than being stored somewhere in the organization. If you’re simply throwing these applications into the trash bin in your cubicle then you’ve overlooked the fact that identity thieves and cybercriminals commonly collect information from garbage containers and use information they find to steal money and access confidential information. In Massachusetts, if your organization was found negligent in the proper disposal of personal information which violates the provisions of M.G.L. 93I shall be subject to a civil fine of up to $50,000 for each instance of improper disposal.
One of the first steps in determining what policies make sense for your organization is to find out how you currently handle personal information. This is of course after you’ve appointed a designated person to maintain and monitor your Comprehensive Information Security Program (CISP). The person you designate to maintain your CISP will be an integral part of the team you put together to map out the company’s current practices and policies. The assessment exercise should identify how the company collects, handles, accesses, stores and disposes of sensitive and valuable information. This typically requires the involvement of every department within the organization. Unfortunately most organizations see the process of implementing security policies and procedures as an IT function. Yet with laws as comprehensive as M.G.L. 93H, 93I it and the 201 CMR 17.00 regulations, it requires an organizational conscience and cultural change to be successful at implementing the policies and procedures required to protect your organization from a serious data breach.
Where Do We Start?
By reviewing the employment process from the initial contact of a prospective employee straight thru termination you will determine where Personal Information resides within the organization in both paper and electronic form. A good starting point for assessing where personal information, stored in paper form, is stored within the organization is to create a process flow for job applicants. Typically you’ll collect at least the candidate’s social security number on the application. Now track the flow from the point at which the candidate submits the written job application through the hiring flow as well as the not hired flow. As you go through this exercise, ask the following questions:
What personal information is collected from an applicant and at what point in the process is it necessary? You may find that you can eliminate the information from the form until such time as you actually need that info to proceed to the next step in the hiring process.
- Is there a difference between the hourly employees hiring process versus the salaried employees?
- Where does a candidate submit an application:
- Career Fairs
- Job Boards
- Group Hiring
- On Site
- At a Kiosk
- What happens to the applications of those candidates not hired?
- What happens to applications of candidates that get hired?
- Who has access to the job applications?
- How are the applications stored?
- How are the applications disposed of?
- Are any applications are stored offsite?
- Who is your offsite storage provider?
- Do you know if they meet the requirements of 201 CMR 17.00?
- What is the organizations retention policy?
- What’s the disposal process?
- Who determines what is retained or what is destroyed and when?
As you can see this will not be an insignificant amount of work for the team assessing your current processes. It will also require input from various departments to insure success so I’d suggest that this process be an inclusive one. The more people involved, the more likely it is that you’ll uncover exceptions within the process that could result in your organization exposing personal information.
Above, we started to look at the process of submitting a job application. But that’s just the beginning of the process. To be successful you’ll need to track that application from cradle (the point at which it enters the organization) to grave (the point at which it exits the organization or is destroyed) identifying all the points at which a candidates personal information could be subject to theft.
The job application is just one piece of paper containing personal information for a candidate or employee. You’ve also got to consider W4 forms, I9’s, benefit forms, and the plethora of forms any employee may receive in their “New Hire Package”. You should track each of these forms throughout the organization to insure that the proper safeguards are in place to insure the protection of personal information for your employees as well as potential employees.
In going through this process, it is extremely important to collect and review any existing policies and procedures that could impact personal information security. Prior policies will give an organization a jump start in drafting its CISP while they also help identify any threats and security measures previously identified. As part of the review, be sure to identify where current business practices, policies and public statements have diverged over time.
In closing, we advise our clients to assess their information security practices broadly and to assess how intellectual property and any other valuable information asset are handled whether it be personal information or not. In keeping an organizations intellectual property in view during the assessment process it will help not only frame policies but also determine what level of security access is appropriate. A company that completes an all-inclusive review of its existing information security practices and policies will be in the best possible position to address the requirements of new laws and regulations.