Watch what data you store or Massachusetts could get you.
by Lee LeClair, 05/14/2010
As seen in Inside Tucson Business
By now even the general public has become, or is becoming, aware of the term Personally Identifiable Information (PII). It refers to information that can identify an individual person and expose sensitive details about them, and it has been entering the public consciousness through headlines about identity theft and the various data breaches that have exposed "customer information". As a result, a variety of federal, but especially state, laws are being passed that affect any business that stores PII on customers from any state.
First let's define PII. There are many definitions out there, but we will concentrate on the definition used by the state of Massachusetts, because Massachusetts just enacted one of the most stringent laws and sets of penalties associated with PII. According to that definition, if you store a Massachusetts resident's last name and first name AND any of the following, then it is PII and the law applies: social security number, driver's license number, or financial account number (e.g., credit card, debit card, bank account).
What is the law for handling PII? As I mentioned before, the awful answer is "it depends". It depends mostly on the residency of the person whose data you're storing. For example, if you are storing PII on a California, Nevada, or Washington resident and that resident's data is breached, then the applicable state laws require your company (even though you are an Arizona company) to notify any affected individuals within 30 days that their data has been breached and what data was breached. If you are storing PII on a Massachusetts resident, the impacts are far greater and include fines of up to $100 per Massachusetts individual record breached (imagine $500,000 for 5000 records). In addition, you must have protected that PII according to a stringent set of rules that include a written security policy (registered with the state of Massachusetts and identified as a WASP), encryption of PII while in transmission and while at rest, training your company personnel, minimizing the PII retained to the minimum necessary, inventorying all assets that store PII, ensuring that terminated employees do not have access to those assets, etc., etc. You can see the exact text of the law at http://goo.gl/6WEv
The Massachusetts law is significant because it is likely to lead to more laws like it from other states and because the fines and penalties associated with it can be enormous. Imagine that your small-business Custom Paper Airplanes website receives an order from a Massachusetts resident including his name and credit card number. Do you have all the documentation, encryption of data on disk, encryption of data in backups, firewalls, intrusion detection systems, employee training, policies, incident response scenarios, etc. in place? If not, then you should not store the credit card data on your system (a good idea anyway) or you risk massive penalties. Laws like this are intended to assure that state residents are protected by (United States) businesses on the Internet by forcing those businesses to provide a consistent and high level of competence and professionalism in dealing with PII (though they do not affect overseas companies). A noble goal, but one with the unintended consequence of putting small businesses and start-ups under an incredibly burdensome compliance cost, forcing them either to assume a high level of risk at initial startup or to exclude business with Massachusetts residents. But someone could sign up as a New Mexico resident and then move to Massachusetts.
Another difficult issue is that the various states are each enacting their own laws, which requires any US Internet business to monitor and track legislation in each state to ensure it complies with that state's requirements. These are serious burdens for even medium-sized companies to deal with and deserve thought and planning from business owners operating on the Internet. If you are already doing business on the Internet, review your policies, your training, and especially the data you are storing about your customers. How well have you identified what data you store about customers, and how well is your company protecting that data? Now more than ever, it pays to take stock of your company's position with regard to PII.
Lee Le Clair is the CTO at Ephibian. His Tech Talk column appears the third week of each month in Inside Tucson Business.