I recently had breakfast with my good friend, Cherie Hafford, and we talked about the Massachusetts Data Security Regulation and how much of a burden it creates, especially for small businesses (more on the Regulation here and here). The Regulation is supposed to be scalable – that is, the degree of compliance should be proportionate to the size of the business and its resources. But for small businesses, even the most stripped-down, basic plan will still require considerable time and money—time and money that most business owners simply do not have or will not spend.
The Regulation likely affects millions of businesses around the country and perhaps the world. Read literally, the law is not confined only to Massachusetts businesses; it applies to any business wherever located that has customers or employees in Massachusetts. So if a small crafts shop in Santa Fe accepts a check from a customer in Cambridge, the shop must implement a written information security policy, or WISP. And a gas station in Orlando that accepts a credit card from a tourist who lives in Quincy would have to comply with the Regulation even if they had no idea where the customer lived.
Did the state go too far? Setting aside the constitutional and enforcement challenges, was there perhaps a simpler way to achieve the goals that would not impose such a burden on small businesses that are already struggling?
Here are six ideas on how to fine tune the law to make compliance easier and achieve the same objectives:
1) Many businesses that accept credit cards never store the account numbers. They simply swipe them in a POS device and hand the card back to the customer. Why not make that activity compliant with the Regulation without the need for any written plan?
2) Same thing with checks. Most businesses that accept checks want to get the money into their accounts as quickly as possible. How about a rule that says businesses are compliant if they deposit checks within two business days and keep the un-deposited checks under lock and key until they are deposited?
3) Focus the regulations on the banks, credit card companies and the businesses that provide the POS devices and connections. Require that the data be locked down tightly and impose substantial penalties for a breach. The standards already exist – i.e. PCI (Payment Card Industry) standards.
4) Businesses that have employees need to have their social security numbers on file for payroll, benefits and other purposes. Just as with checks, if they are kept under reasonable security and only employees with a need to know or see the information are permitted access, then this should be deemed to be in compliance without the need for any further written plan. The Regulation could set forth a simple plan that if adopted and followed will be deemed to be compliance.
5) Work within the parameters of the Fair Credit Reporting Act to reinforce the rights of victims of identity theft. There are far fewer victims than there are businesses who need to protect the information from possible misuse.
6) Do more to educate businesses about the various practices that reduce the risks of identity theft. For years, we have seen signs in restaurants telling employees to wash their hands before going back to work. Maybe there should be similar signs in the human resources and finance departments advocating safe practices with sensitive financial information?
Of course no matter what is done, there will still be dishonest people who will take advantage of a situation and cause harm to others. This is not to excuse careless or negligent business practices –enforcement should still require a reasonable degree of caution and vigilance. But the new Regulation ignores the practical reality of small business and imposes too many requirements that may be unnecessary.
Please share your own ideas on the Regulation by posting a comment below.
