First, let’s define PII better. There are a lot of definitions out there but I will concentrate on PII as defined by the Commonwealth of Massachusetts. I chose that because Massachusetts just enacted one of the nation’s most stringent laws and toughest penalties associated with PII. That state’s PII law applies to any business that stores a Massachusetts resident’s last name and first name and any of these: Social Security number, driver’s license number, or any financial account number (credit card, debit card or bank account).
The Massachusetts law is important - even for an Arizona business - because the law that applies is the one of the resident whose data is being stored. If your business in Tucson is storing PII data on someone living in California, Nevada or Washington, then it’s those states’ laws that apply. In most cases of a security breach, an affected resident must be notified within 30 days with an explanation of what data was breached.
Additionally, the business is required to have protected Massachusetts residents’ data according to a stringent set of rules that include a written security policy (registered with the state of Massachusetts and identified as a Web Application Security Project, or WASP), encryption of PII data at all times, training company personnel, minimizing PII data retained, maintaining an inventory of all assets that store PII data, and ensuring that terminated employees don’t have access to assets.
And there’s more; you can see the text of the law at http://goo.gl/6WEv .
The Massachusetts law is likely to lead to similar legislation in other states, and with that will come the potential for enormous fines and penalties.
Imagine your small business, Custom Paper Airplanes, receives a website order from a Massachusetts resident that includes his or her name, address and credit card number. Do you have the documentation, encryption of data on disk, encryption of data in backups, firewalls, intrusion detection systems, employee training, policies and incident response scenarios in place? If not, then you should not store credit card data on your system - a good idea anyway - or you run the risk of massive penalties.
The intent of laws like this is to assure state residents are protected by U.S. businesses on the Internet by forcing them to provide a consistent and high level of competence and professionalism in dealing with PII data. (The Massachusetts law does not apply to foreign companies.)
The intent is a noble goal but one with an unintended consequence of putting small businesses and start-ups under an incredibly burdensome compliance cost. It forces them to either assume a high level of risk on initial startup or refuse to do business with Massachusetts residents. Unfortunately, in the latter instance, a person could sign up while living in New Mexico and then move to Massachusetts.
Another difficult issue is that states are enacting their laws individually, requiring any national Internet business to monitor and track legislation for each state to ensure it is in compliance.
These are serious burdens for even medium-sized companies and deserve careful thought and planning by business owners operating on the Internet.
If you are already doing business on the Internet, review your policies, training, and especially the data you are storing about your customers. How well have you identified what data you store about customers and how well is your company protecting that data? Now more than ever, it pays to take stock of your company’s position with regard to PII.
Contact Lee LeClair, chief technology officer of Ephibian, at www.ephibian.com or (520) 917-4747. Ephibian provides software development, data integration and Web design services. LeClair’s Tech Talk column appears the third week of each month in Inside Tucson Business.