news / tech talk

Watch what data you store or Massachusetts could get you.

by Lee LeClair
05/14/2010
As seen in Inside Tucson Business

By now even the general public has become, or is becoming, aware of the term Personally Identifiable Information (PII). It refers to information that could identify or expose sensitive details about individual people, and it has been entering the public consciousness through headlines about identity theft and the various kinds of data breaches that have exposed "customer information". As a result, a variety of laws, some federal but especially state laws, are being passed that affect any business storing PII on customers from any state.

First let's define PII. There are a lot of definitions out there, but we will concentrate on the PII definition according to the state of Massachusetts. That's because Mass just enacted one of the most stringent laws and sets of penalties associated with PII. According to that definition, if you store a Massachusetts resident's last name and first name AND any of the following, then it is PII and the law applies: social security number, driver's license number, or financial account number (e.g., credit card, debit card, bank account).

What is the law for handling PII? As I mentioned before, the awful answer is "it depends". It depends mostly on the residency of the person whose data you're storing. For example, if you are storing PII on a California, Nevada, or Washington resident and that resident's data is breached, then the applicable state laws require your company (even though you are an Arizona company) to notify the affected individuals within 30 days that their data has been breached and what data was breached. If you are storing PII on a Massachusetts resident, the impacts are far greater and include fines of up to $100 per Massachusetts individual record breached (imagine $500,000 for 5,000 records). In addition, you must have protected that PII according to a stringent set of rules that include a written security policy (registered with the state of Massachusetts and identified as a WISP), encryption of PII while in transmission and while at rest, training your company personnel, minimizing the PII retained to the minimum necessary, inventorying all assets that store PII, ensuring that terminated employees no longer have access to those assets, etc., etc. You can see the exact text of the law at http://goo.gl/6WEv.

The Massachusetts law is significant because it is likely to lead to more like it from other states and because the fines and penalties associated with it can be enormous. Imagine that your small-business Custom Paper Airplanes website receives an order from a Massachusetts resident including his name and credit card number. Do you have all the documentation, encryption of data on disk, encryption of data in backups, firewalls, intrusion detection systems, employee training, policies, incident response scenarios, etc. in place? If not, then you should not store the credit card data on your system (a good idea anyway) or you risk massive penalties. Laws like this are intended to ensure that state residents are protected by (United States) businesses on the Internet by forcing those businesses to provide a consistent and high level of competence and professionalism in dealing with PII (though they do not affect overseas companies). A noble goal, but one with an unintended consequence: it puts small businesses and start-ups under an incredibly burdensome compliance cost, forcing them either to assume a high level of risk at initial startup or to exclude business with Mass residents. But someone could sign up as a New Mexico resident and then move to Mass.
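To make the definition above concrete, here is an added example (not from the column or from Ephibian) that classifies stored customer records against the Massachusetts rule quoted earlier, inventories the records that fall under it, and shows the retention-minimizing alternative of keeping only the last four card digits. The record fields, the residency code and the sample data are constructed for illustration.

```python
# Added example (not from the column): classify stored customer records against the
# Massachusetts PII definition quoted above and show the retention-minimizing
# alternative (keep only the last four card digits). Fields and data are constructed.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Elements the column lists as triggering the law when stored with a MA resident's name.
TRIGGER_FIELDS = ("ssn", "drivers_license", "financial_account")

@dataclass
class CustomerRecord:
    first_name: str
    last_name: str
    state: str                                # residency code such as "MA" (assumed)
    ssn: Optional[str] = None
    drivers_license: Optional[str] = None
    financial_account: Optional[str] = None   # full credit/debit/bank account number
    account_last4: Optional[str] = None       # safe reference kept after minimizing

def triggers(rec: CustomerRecord) -> List[str]:
    """Names of the trigger elements actually present on the record."""
    return [f for f in TRIGGER_FIELDS if getattr(rec, f)]

def is_mass_pii(rec: CustomerRecord) -> bool:
    """True when the record meets the column's definition: a Massachusetts
    resident's first AND last name plus at least one trigger element."""
    has_name = bool(rec.first_name.strip()) and bool(rec.last_name.strip())
    return rec.state.upper() == "MA" and has_name and bool(triggers(rec))

def minimize(rec: CustomerRecord) -> CustomerRecord:
    """Copy with trigger elements removed; only the account's last four digits
    are kept so an order can still be referenced without storing the number."""
    last4 = rec.financial_account[-4:] if rec.financial_account else None
    return replace(rec, ssn=None, drivers_license=None,
                   financial_account=None, account_last4=last4)

def inventory(records: List[CustomerRecord]) -> List[Tuple[int, List[str]]]:
    """(index, trigger elements present) for each record that falls under the law."""
    return [(i, triggers(r)) for i, r in enumerate(records) if is_mass_pii(r)]

# Constructed sample: an MA order with a full card number, an MA record with no
# trigger element, and a non-MA record.
SAMPLE = [
    CustomerRecord("Ann", "Smith", "MA", financial_account="4111111111111111"),
    CustomerRecord("Bob", "Jones", "MA"),
    CustomerRecord("Cy", "Lee", "NM", ssn="000-00-0000"),
]

if __name__ == "__main__":
    print(inventory(SAMPLE), inventory([minimize(r) for r in SAMPLE]))
```

Run against a real customer table, the `inventory` output is the list of records the column says you must either protect under the full set of rules or stop storing in that form.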

Another difficult issue is that the various states are each enacting their own laws, which requires any US Internet business to monitor and track legislation in each state to ensure it complies with that state's requirements. These are serious burdens for even medium-sized companies to deal with, and they deserve thought and planning from business owners operating on the Internet. If you are already doing business on the Internet, review your policies, your training, and especially the data you are storing about your customers. How well have you identified what data you store about customers, and how well is your company protecting that data? Now more than ever, it pays to take stock of your company's position with regard to PII.

Lee Le Clair is the CTO at Ephibian. His Tech Talk column appears the third week of each month in Inside Tucson Business.