New standards in Mass. for protection of personal info

March 11, 2010 - Spotlights

Lisa Hartman, Albert Risk Management Consultants

A tough new groundbreaking law went into effect on March 1, 2010. This law requires that all businesses in Massachusetts, without exception, implement a Written Information Security Plan (WISP) designed to protect the personal information of employees and clients/customers.
Personal information is defined as a first name or initial with a last name, in combination with any one or more of the following:
* Social Security Number
* Driver's license number or state-issued ID number
* Financial account number or credit or debit card number (with or without a security code, access code, personal identification number, or password)
Although many people know of the law, most are not familiar with its details because others, such as IT staff, are tasked with addressing it. Here are a few salient points that may be of interest:
* It applies not only to businesses that have Massachusetts employees, but also to those with Massachusetts customers or suppliers; its reach is therefore global.
* It requires implementation of a Written Information Security Plan (WISP).
* Possessing even small amounts of sensitive data (such as employee W-4s) requires compliance with the law.
* Fines and penalties for non-compliance can be severe.
As with most risks, prevention is the best place to start. To further protect your interests, there are insurance products that cover privacy injury or regulatory liability, as well as notification, credit monitoring, and/or crisis management expenses. Since terms and conditions vary widely among insurers, these forms must be carefully reviewed.
It is best that you consult with your attorneys and network security experts to implement a good WISP that both complies with the law and protects you from liability and reputational injury. From a risk management and insurance standpoint, however, you should be aware of the potential ramifications of this law. Aside from steep fines and penalties, this law clearly outlines a standard of care, and failing to adhere to that standard will likely result in larger liability awards.
Lisa Hartman, ARM is the director of claims and loss management at Albert Risk Management Consultants, Needham, Mass.