Nonprofits Have Tight Timeframe to Comply with New Privacy Law
By Joyce Ripianzi
Massachusetts enacted a privacy law earlier this year designed to protect state citizens' personal information. Along with for-profit businesses, the state's nonprofits must rethink data access, storage, and encryption to meet full compliance by March 1, 2010.
It is a tight timeframe, especially given the breadth of organizations that will be affected by the new regulations. Any nonprofit that keeps data on file, such as patient or client personal information, donor credit card information, payroll records, or direct deposit or wire transfer details, will have to rethink its filing and communications environment to ensure the proper safeguards are in place.
The regulations take a more proactive approach than past data privacy laws, which addressed what must happen in the wake of a security breach. These new Massachusetts regulations, on the other hand, are intended to keep personal information from being breached in the first place. And even the well-known HIPAA guidelines do not address the various privacy issues raised by this initiative.
Framework for Safeguards
Most organizations will find themselves working hard over the next few months to meet the compliance deadline. Under the new law, organizations must develop, implement, maintain and monitor a comprehensive Written Information Security Program (WISP) to ensure the security and confidentiality of personal information in both physical and electronic format. A WISP provides the framework for the necessary administrative, technical, and physical safeguards, which include:
- Information-handling processes. It is possible that your current processes have the capability to protect private information, but organizations must have a full understanding of how those systems work and should designate a Data Security Coordinator to ensure a smooth and complete transition to an airtight environment. That individual can then move to shore up and document loose ends, limit the amount of private data collected, and retain that information only as long as absolutely necessary.
- Personal information access. Access to private data is a primary concern, and organizations should ensure their information is kept secure. Access should be extremely limited, with protections against external threats and vigilant visitor monitoring procedures in place.
- Encryption. In addition to limiting access, organizations must encrypt all personal information stored or transported in electronic format on portable devices. That includes web sites and data that might be traveling across wireless and public networks. Policies for off-site use of personal information on portable storage devices (e.g., laptops, flash drives) also need to be established.
- Vendor management. Third-party vendors (such as payroll services) will need to be evaluated to ensure they are maintaining appropriate safeguards for personal information. Even though written certification is no longer required for this area, organizations should recognize that when it comes to data protection, the buck stops with them, not with providers.
- Employee issues. Even with a data security coordinator overseeing the protection of personal information, employees need to be trained on an ongoing basis. Organizations should document employee attendance at training sessions and impose disciplinary measures for violations. When employees are terminated, strict guidelines must be in place to limit their access to data.
A Few Subtleties to Consider
Several provisions of the new law contain subtleties that may prove challenging:
For most companies, data encryption will be the most onerous area of compliance. The scope of data encryption efforts will need to cover all personal information stored on portable devices, including laptops and all other portable electronic devices and media, such as Blackberries, CDs, and memory sticks. In addition, data encryption is required for all records and files containing personal information that will be sent across public networks, transmitted in outgoing emails, or transmitted wirelessly.
The new law also requires reasonable monitoring of systems for unauthorized use of or access to personal information. Whether manually or electronically, companies will need to track who accesses personal information, what is accessed, and when.
At a minimum, make sure that all users accessing systems containing personal information have a unique user ID and that password policies are designed with best practice standards in mind.
Assurance from third-party providers
Having abolished the requirement for written certification with third-party providers, the revised regulations merely require that an organization take reasonable steps to (1) verify that its third-party providers have the capacity to protect the personal information to which it gives them access, and (2) ensure that such third-party providers are applying protective security measures that are at least as stringent as those required under the new Massachusetts regulations.
Failure to Comply
Organizations should be mindful of the consequences for non-compliance. Many facets of the new Massachusetts law increase an organization's exposure to lawsuits. The ramifications of not complying become quite real if information is breached: the organization would be audited, and if it is determined that the law's compliance requirements have not been met, criminal litigation would be initiated.
In addition, a civil penalty of $5,000 may be awarded for each violation. Under the portion of the law concerning data disposal, organizations can be subject to a fine of up to $50,000 for each instance of improper disposal.
Other, softer consequences of failure to comply include damage to an organization's reputation, spending time and resources to determine the cause and extent of a breach, notifying affected individuals of a breach, and implementing corrective action to ensure a breach does not occur in the future.
Joyce Ripianzi is a Partner at MFA Moody, Famiglietti & Andronico. Call her at 978-557-5349 or email firstname.lastname@example.org.