Data Security – What You Need to Know to Avoid Compliance Issues | Laws and Issues

Question: What do TransPromo communications, personalized direct marketing, ecommerce and traditional retail all have in common?

Answer: They all use personal data in one way or another.

The subject of protecting the almost limitless amount of data about people that is out there in the world’s databases has become a concern to those occupying State Houses across the country and throughout the halls of Washington, DC. Because we all deal with data on a daily basis, the topic of data security compliance requires particular attention in order to protect your customers and your business’s reputation, and to avoid hefty fines and penalties.

Recently, apparently brought about by the challenging (read: disastrous) roll-out of Google Buzz, outgoing Federal Trade Commission (FTC) Commissioner Pamela Jones Harbour criticized technology companies for their “[t]hrow it up against the wall and see if it sticks” approach to data security. Of particular concern to Commissioner Harbour was a comment by Google Chief Executive Eric Schmidt, who during an interview with CNBC reportedly stated, “[I]f you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” I can only imagine that upon learning of this comment by Mr. Schmidt, Google’s Chief Communications Officer fell out of their chair and wept openly. While Ms. Harbour made it clear her comments were her own and not those of the FTC, the fact that it was the topic of discussion at such a high level demonstrates that the powers that be are concerned.


Technological leaps in the capability to capture consumer data, the capacity to store and analyze this data and the ease with which we can manipulate and transmit this data have resulted in a reduction of the level of privacy we can expect. Consider the data that Amazon.com obtains on an individual with the sale of one book. They know the buyer’s name, address, credit card information, and some buying behavior information, all from one transaction. Now consider the information obtained when walking into your local bookstore, paying cash for the same book and walking out. The “brick and mortar” seller makes the same sale, but gets no personal information. Thus, many of these privacy issues are attributable to consumers’ online behavior. Additionally, blogs, Tweets and other social media have eroded, for better or worse, the line between information that is private and that which is public. In this context, Mr. Schmidt’s comment is valid.

Of immediate concern to those of us working with data is a regulation passed by the Commonwealth of Massachusetts. This new regulation (201 CMR 17.00, et seq.), implemented through the State’s Consumer Protection Law (Massachusetts General Law, Chapter 93H), is generally acknowledged to be the strictest in the nation (at least so far). Copies of the laws and regulations are available for download at the White Space Resource Center. These new regulations, which went into effect on March 1, 2010, mandate that all businesses that collect, handle or own certain information on Massachusetts residents institute, and make available for inspection, a comprehensive written information security program.

Before you think, “Heck, my business is not in Massachusetts, I don’t care what they say in Beantown,” hold on a minute. The law does not care where your business is. If you possess personal information on any Massachusetts residents, you are legally required to comply with the data security law. And that is not necessarily a bad thing. The better we secure our data, the more trust our customers will have in us. So this is an opportunity to help secure your data and build trust among your customers.


Now that we know that there is a growing concern among state and federal regulators regarding data security, and that we should have a comprehensive data security policy in place, we must take the next step and create a policy that is in compliance with the law. As the Massachusetts law provides a clear road map for compliance, in the next post we will examine the regulation in greater detail. Specifically, we will look at the regulation point by point and discuss creating a compliant comprehensive written information security program.

Should you require any assistance in this matter, please do not hesitate to contact me. If you have any thoughts on this subject, please leave a comment. The more we share, the smarter we all become.