In Massachusetts, this 10-year-old law (201 CMR 17: Standards for the Protection of Personal Information of Residents of the Commonwealth) requires companies that possess PII of a resident to protect that information. If you have even one employee, you probably have their name and social security number. If so, you are subject to this law.

The law defines personally identifiable information (PII) as a resident's first name and last name, or first initial and last name, in combination with any 1 or more of the following:

- Social security number
- Driver's license number or state-issued ID number
- Financial account number (debit, credit, bank, brokerage, etc.)

When breached, if you fail to show you had adequate controls in place to protect the information, the result may be loss of reputation, potential litigation, and enforcement action from the State's Attorney General; worse, statistics show 60% of small to medium businesses fail within six months of a major breach.
As a business owner, you have the duty to protect the personal information:
- Control user accounts, setting passwords
- Restrict Access
- Encrypt data
- Monitor systems
- Update to current versions of security software
- Education and training of employees