According to a shocking new report from the Massachusetts Office of Consumer Affairs and Business Regulation, roughly half of Massachusetts residents (about 3.2 million) have had their personal information breached or compromised over the past four years. This staggering number is the result of nearly 1,800 acts of thievery including the theft of peoples’ credit card numbers and social security numbers. Often these criminal acts are the result of hacking personal accounts and websites, but in the case of one Massachusetts management firm, similar damage was incurred by simple negligence. After being slapped with a substantial monetary fine, this management firm reached out to NSK Inc in hopes of becoming compliant with Massachusetts data regulation, 201 CMR 17.00.
The Massachusetts Attorney General’s Office recently charged this firm (for the sake of protecting their anonymity, I’ll be referring to them as New Co.) a $25 thousand dollar penalty because one of their employees knowingly stored unencrypted data and personal information of their clients on a New Co-owned laptop in a car overnight. Storing unencrypted client data is a faulty practice in itself, unfortunately the car was subsequently broken into and the laptop was stolen. Residential housing data of over 600 Massachusetts residents was put into jeopardy.
It is important to note how New Co. specifically violated 201 CMR 17.00 and what exactly that means. This provision to Massachusetts General Law Chapter 93H, stipulates that all companies or persons who store or use personal information about Massachusetts residents must have created a written information security program (WISP) and a regularly internally audited plan to protect a Massachusetts’s residents personal information. Also any third party vendors whether in Massachusetts or elsewhere who also have the ability to see a Massachusett resident's personal information must send the company a WISP verifying that they are complying also. Basically, any company who keeps personal information about a Massachusett's resident must secure this data and establish a number of requirements that test and maintain this security. These requirements and tests usually come in the form of security audits and WISPs.
In the case of New Co—because personal information of clientele was left unsecured and unencrypted—the Massachusetts Attorney General’s Office alleged they clearly violated 201 CMR 17.00 as well as a host of other standards for data protection. As part of a settlement, New Co. is required to pay a $25 thousand dollar fine and will also be strictly complying with their WISP by making sure all New Co-owned laptops are safely kept in secure locations at all times, by not storing any personal information related to clients on laptops or portable devices longer than is necessary, by training all company members and employees of proper safety procedures and regulations, and by performing security audits compliant of their respective WISP at least once per year. They must also submit these audits to the Attorney General’s Office.
In order for NSK’s team of Boston IT consultants to secure New Co.’s data, a number of things had to take place:
- NSK Inc Encrypted every laptop owned and used by the company, by the deadline set by the Attorney General's Office. This was done by using a centrally managed encryption solution and by troubleshooting different configurations.
- NSK Inc upgraded or replaced 60 network firewalls. This was a tedious task as there was no central management system and they were located at remote sites throughout New England.
- NSK Inc set up a centrally managed system so that New Co. could easily manage their network and security throughout the network
- NSK Inc Implemented a number of rules and policies for New Co. to better comply with Massachusetts state law.
Even under the pressure of the Attorney General, NSK Inc was able to encrypt all of the laptops two days ahead of schedule as well as successfully train the New Co. staff on how to improve the security on the remaining 35 firewalls so that they were up to code.
With the help of NSK, New Co. now knows what it takes to properly secure their data and the privacy of their clients.