201 CMR 17.00 – New Privacy Law
Irene Wachsler, CPA, MBA
Tobolsky & Wachsler CPAs, LLC
What is the New Law?
• Establishes minimum standards that must be met to safeguard personal information for both paper & electronic records
• Applies to “all persons that own, license, store or maintain personal information about a resident of the Commonwealth”
Good News!!!!
• Implementation has been pushed back to March 1, 2010
Why????
• Since August 2008, the Office of Consumer Affairs and Business Regulation (OCABR) has investigated 320 incidents:
  • Threatened to compromise the personal information of 625,365 Mass. residents
  • 60% of incidents involved theft of laptops / hard-drives
  • 40% of incidents involved employee error / poor internal handling of sensitive information
• Identity theft costs consumers & businesses $52 billion annually
What is Personal Information?
• Two pieces:
  • First name & last name, or first initial and last name, and
  • One or more of the following:
    • Social security number
    • Driver’s license / state-issued ID
    • Financial account # / credit card / debit card
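To make the two-piece test concrete, here is an added Python example (not from the presentation) that flags a record only when a name and at least one covered identifier appear together, so a firm can triage which files fall under the regulation; the "Field: value" layout, the license-number pattern and the sample records are constructed assumptions.

```python
# Added example: flags a record as 201 CMR 17.00 "personal information" only
# when a name AND a covered identifier appear together.  The "Field: value"
# layout, the license pattern and the sample records are constructed assumptions.
import re

# First name or first initial, plus last name (the slides' name test).
NAME_RE = re.compile(r"\bName:\s*(?:[A-Z][a-z]+|[A-Z]\.)\s+[A-Z][a-z]+")
# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Driver's license / state ID: assumed 'S' + eight digits for this example.
LICENSE_RE = re.compile(r"\bS\d{8}\b")
# Candidate card / account number: 13-19 digits with optional separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum (payment cards); weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_identifiers(text: str) -> set:
    """Which 'second piece' identifiers occur in the record."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    if LICENSE_RE.search(text):
        found.add("license")
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text)):
        found.add("card")
    return found

def is_personal_information(text: str) -> bool:
    """Both pieces must be present in the same record to be covered."""
    return bool(NAME_RE.search(text)) and bool(find_identifiers(text))

# Constructed sample records (not real data).
SAMPLES = {
    "w2": "Name: Jane Doe\nSSN: 123-45-6789\nWages: 52000",
    "invoice": "Name: J. Doe\nCard: 4111 1111 1111 1111",
    "memo": "Name: Jane Doe\nPhone: 617-555-0100",
    "loose_page": "SSN: 123-45-6789 found on an unlabelled page",
}

def classify_samples() -> dict:
    """Map each sample to whether the record needs 201 CMR 17.00 safeguards."""
    return {name: is_personal_information(text) for name, text in SAMPLES.items()}
```

Note that the "loose_page" sample is not covered by the definition because no name accompanies the SSN, yet it is still sensitive data that the disposal rules on the later slides apply to.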
Does this Apply to CPAs?
• Absolutely!
  • Tax returns
  • Copies of W-2s; bank, mutual fund, stock statements, etc.
• Possibly your clients
  • Do they have employees?
  • Maintain payroll records, I-9s, 1099s?
• This applies to both Paper (“stuff” in the filing cabinets) and Electronic (data stored on your computer)
How Do I Comply with the New Privacy Act?
• Some things are obvious:
  • Prevent terminated employees from access to your computer & paper records (immediately get the computer, keys to the office, etc.)
  • Use a password to log on to your computer (and don’t share / write down your password)
  • Educate and train your employees on the importance of protecting your clients’ personal information
  • Lock your paper records / file cabinets
How Do I Comply with the New Privacy Act? (continued)
• Some things will require a change in work habits:
  • Employees are prohibited from keeping open files containing personal information on their desks when they are not at their desks
  • At the end of the day, all files containing personal information must be secured
  • Paper and electronic records shall be disposed of in a manner that complies with M.G.L. c. 93I
How Do I Comply with the New Privacy Act? (continued)
• Some things are not so obvious:
  • Encrypt all transmitted electronic records and files
  • Ensure that your computer has up-to-date:
    • Firewall protection
    • Operating system security patches
    • System security agent software including malware protection and virus definitions
  • Hang out in the office when the cleaning crew arrives
  • Designate a Data Security Coordinator who is responsible for implementing a plan to protect personal information
How Do I Comply with the New Privacy Act? (continued)
• Some things are not so obvious:
  • Do not send a fax without confirming that the authorized recipient has exclusive access to the receiving fax machine
Data Security Coordinator
• Implements the Plan to protect the security and confidentiality of personal information
• Trains all employees
• Conducts regular testing of the Plan’s safeguards
• Evaluates the ability of service providers to comply with the new law
• Conducts annual training for everyone – owners, employees, independent contractors, etc. All attendees must certify their attendance & familiarity with the Plan
Key Dates
• January 1, 2010
  • Paper records must be secured (i.e. locked)
  • Electronic records must be encrypted
  • Third-party service providers must be capable of protecting personal information
  • All other portable devices must be encrypted – memory sticks, DVDs, PDAs, etc.
  • Required written certification from third-party service providers
What Happens if My Records are Breached?
• You must immediately notify both the Attorney General’s Office and the Office of Consumer Affairs and Business Regulation:
  • Include the nature of the breach
  • The number of residents of the Commonwealth affected
  • Any steps taken or plans to take relating to the breach
What Happens if My Records are Breached? (continued)
• Must send notice to National Credit Bureaus
• Must notify all affected residents:
  • Consumer’s right to obtain a police report
  • Instructions for requesting a freeze on a credit report
  • Access to additional information including the date of the data breach and any steps you have taken or plans to take relating to the incident
How Do I Dispose of Records in Compliance with M.G.L. c. 93I?
• Paper – burned, pulverized or shredded so that personal data cannot practicably be read or reconstructed
• Electronic media – destroyed or erased so that personal information cannot practicably be read or reconstructed
• Caveat emptor – “erasing” data on a computer does not meet this requirement. It is easy to reconstruct an “erased” file
Software Tools that We Use
DISCLAIMER: The software tools listed on this and following pages are what our firm, Tobolsky & Wachsler CPAs, LLC uses. WE DO NOT OFFICIALLY ENDORSE THESE TOOLS NOR DO WE SUPPORT THEM. These tools are mentioned for discussion purposes only.
Firewall Protection
• Hardware: NetGear ProSafe VPN Firewall
  • < $100 at Circuit City
• Wireless NetGear Modem
  • Encrypted wireless access
  • $30 at CompUSA
• Software: Norton 360
  • $60 for 3-user license at Staples
Malware Protection & Virus Definitions
• Norton 360
  • Automatic updates of malware & virus definitions
  • Antispyware
  • Email scanning of virus / junk email
  • $60 for 3-user license at Staples
Online Sharing of Files
• www.box.net
  • Sharing of files
  • Access anywhere via Internet connection
  • Password protect files
  • Invite clients to download files
  • Files are encrypted prior to upload / download
  • Files backed up across multiple, geographically separated servers
  • $49.95 per month for 15GB of online storage
Backup of Data
• Carbonite
  • Online backup service
  • Encrypts files before they are uploaded from PC
  • Files remain encrypted at their data center
  • Requires unique login to retrieve files
  • $49.95 per year w/ unlimited storage
Wireless Connections from Public Wi-Fi Hotspots
• Comodo TrustConnect
  • Protects identity and keeps information private
  • Need to log in to TrustConnect website
  • $50 per year