Presentation on Mass Data Privacy Law
201 CMR 17.00 – New Privacy Law
Irene Wachsler, CPA, MBA, Tobolsky & Wachsler CPAs, LLC

Uploaded by irenewachsler, posted 26-May-2015
Category: News & Politics

Description: Massachusetts Data Privacy Law Presentation

TRANSCRIPT

Page 1: 201 CMR 17.00 – New Privacy Law

Irene Wachsler, CPA, MBA
Tobolsky & Wachsler CPAs, LLC

Page 2: What is the New Law?

• Establishes minimum standards that must be met to safeguard personal information in both paper and electronic records
• Applies to “all persons that own, license, store or maintain personal information about a resident of the Commonwealth”

Page 3: Good News!!!!

• Implementation has been pushed back to March 1, 2010

Page 4: Why????

• Since August 2008, the Office of Consumer Affairs and Business Regulation (OCABR) has investigated 320 incidents:
  ◦ Threatened to compromise the personal information of 625,365 Mass. residents
  ◦ 60% of incidents involved theft of laptops / hard drives
  ◦ 40% of incidents involved employee error / poor internal handling of sensitive information
• Identity theft costs consumers and businesses $52 billion annually

Page 5: What is Personal Information?

Two pieces, both required:
1. First name and last name, or first initial and last name, and
2. One or more of the following:
   a. Social Security number
   b. Driver’s license / state-issued ID number
   c. Financial account number / credit card / debit card number
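As an added example (not from the presentation or the regulation’s text), the following Python scans free-text records for the two pieces above and flags a record only when a name and at least one qualifying identifier appear together. The regular expressions, the Luhn check on card numbers, the one-letter-plus-eight-digit state-ID pattern and the sample records are all assumptions made for the example; real license formats vary by state, and a production scanner would work on structured fields rather than regexes over free text.

```python
"""Classify text records against the 201 CMR 17.02 two-piece test:
name (first name or first initial + last name) AND at least one of
SSN, driver's license / state ID number, or financial account / card number.
Added example; patterns and sample data are assumptions, not the regulation."""
import re

# SSN: 3-2-4 digits with optional separators. Area 000/666/9xx, group 00 and
# serial 0000 are never issued, so they are rejected to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")
# Card / account numbers: 13-19 digits, optional single space or dash between digits.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Hypothetical state-ID format for this example: one letter followed by 8 digits.
STATE_ID_RE = re.compile(r"\b[A-Z]\d{8}\b")
# Name: "First Last" or "F. Last", capitalised ASCII words (assumption).
NAME_RE = re.compile(r"\b(?:[A-Z][a-z]+|[A-Z]\.)\s+[A-Z][a-z]+\b")

# Constructed sample records; none refer to real people.
SAMPLE_LINES = [
    "John Smith, SSN 123-45-6789, file 2009-0412",
    "J. Smith, VISA 4111 1111 1111 1111 exp 12/11",
    "Jane Doe, phone (781) 555-0100, no identifiers",
    "Account 4111 1111 1111 1111 (name unknown)",
    "Jane Doe, card 4111-1111-1111-1112",
    "Mary Jones, state ID S12345678",
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most typos/noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> list:
    """Return the sorted kinds of qualifying identifiers found in text."""
    kinds = set()
    if SSN_RE.search(text):
        kinds.add("ssn")
    if STATE_ID_RE.search(text):
        kinds.add("state_id")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            kinds.add("card")
            break
    return sorted(kinds)


def classify(record: str) -> dict:
    """Apply the two-piece test: a name alone or an identifier alone is not
    'personal information'; both must be present in the same record."""
    has_name = NAME_RE.search(record) is not None
    ids = find_identifiers(record)
    return {
        "name": has_name,
        "identifiers": ids,
        "personal_information": has_name and bool(ids),
    }


def scan(lines) -> list:
    """Return the records that meet the definition, in input order."""
    return [line for line in lines if classify(line)["personal_information"]]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line), "<-", line)
```

Records 3 and 4 are the instructive ones: a valid card number with no name, and a name with a card number that fails the Luhn check, are both rejected, which is exactly the “both pieces” rule the slide states.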

Page 6: Does this Apply to CPAs?

• Absolutely!
  ◦ Tax returns
  ◦ Copies of W-2s; bank, mutual fund and stock statements, etc.
• Possibly your clients
  ◦ Do they have employees?
  ◦ Do they maintain payroll records, I-9s, 1099s?
• This applies to both
  ◦ Paper (“stuff” in the filing cabinets) and
  ◦ Electronic (data stored on your computer)

Page 7: How Do I Comply with the New Privacy Act?

• Some things are obvious:
  ◦ Prevent terminated employees from accessing your computer and paper records (immediately collect the computer, keys to the office, etc., and disable their accounts)
  ◦ Use a password to log on to your computer (and don’t share or write down your password)
  ◦ Educate and train your employees on the importance of protecting your clients’ personal information
  ◦ Lock your paper records / file cabinets

Page 8: How Do I Comply with the New Privacy Act?

• Some things will require a change in work habits:
  ◦ Employees are prohibited from leaving open files containing personal information on their desks when they are not at their desks
  ◦ At the end of the day, all files containing personal information must be secured
  ◦ Paper and electronic records shall be disposed of in a manner that complies with M.G.L. c. 93I

Page 9: How Do I Comply with the New Privacy Act?

• Some things are not so obvious:
  ◦ Encrypt all transmitted electronic records and files (the regulation specifically requires encryption of personal information that travels across public networks or is transmitted wirelessly)
  ◦ Ensure that your computer has up-to-date:
    ▪ Firewall protection
    ▪ Operating system security patches
    ▪ System security agent software, including malware protection and virus definitions
  ◦ Hang out in the office when the cleaning crew arrives
  ◦ Designate a Data Security Coordinator who is responsible for implementing a plan to protect personal information

Page 10: How Do I Comply with the New Privacy Act?

• Some things are not so obvious:
  ◦ Do not send a fax without confirming that the authorized recipient has exclusive access to the receiving fax machine

Page 11: Data Security Coordinator

• Implements the Plan to protect the security and confidentiality of personal information
• Trains all employees
• Conducts regular testing of the Plan’s safeguards
• Evaluates the ability of service providers to comply with the new law
• Conducts annual training for everyone – owners, employees, independent contractors, etc. All attendees must certify their attendance and familiarity with the Plan

Page 12: Key Dates

• January 1, 2010
  ◦ Paper records must be secured (i.e. locked)
  ◦ Electronic records must be encrypted
  ◦ Third-party service providers must be capable of protecting personal information
  ◦ All other portable devices must be encrypted – memory sticks, DVDs, PDAs, etc.
  ◦ Written certification required from third-party service providers

Page 13: What Happens if My Records are Breached?

1. You must immediately notify both the Attorney General’s Office and the Office of Consumer Affairs and Business Regulation:
   ◦ Include the nature of the breach
   ◦ The number of residents of the Commonwealth affected
   ◦ Any steps taken, or planned, relating to the breach

Page 14: What Happens if My Records are Breached?

2. Must send notice to the national credit bureaus
3. Must notify all affected residents, including:
   • The consumer’s right to obtain a police report
   • Instructions for requesting a security freeze on a credit report
   • Access to additional information, including the date of the data breach and any steps you have taken or plan to take relating to the incident

Page 15: How Do I Dispose of Records in Compliance with M.G.L. c. 93I?

• Paper – burned, pulverized or shredded so that personal data cannot practicably be read or reconstructed
• Electronic media – destroyed or erased so that personal information cannot practicably be read or reconstructed
  ◦ Caveat emptor – “erasing” data on a computer does not meet this requirement. Deleting a file only removes its directory entry; the file’s bytes stay on the disk until something else overwrites them, and recovery tools read them back easily.
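The following Python is an added example (not the presentation’s or the firm’s code) that makes the caveat above concrete. A small constructed disk model shows that an ordinary delete leaves the bytes in place while an overwrite does not, and `secure_unlink` applies the same idea to a real file by rewriting its existing blocks with random data and then zeros before unlinking. It assumes a conventional filesystem that overwrites blocks in place; on SSDs (wear levelling and spare blocks), copy-on-write filesystems (btrfs, ZFS, APFS) and synced cloud folders the old copy can survive an overwrite, so for those media the practical answer is full-disk encryption from day one plus key destruction, or physical destruction, which is what c. 93I is really asking for.

```python
"""Why a plain delete is not disposal, and an overwrite-before-unlink that is closer.
Added example; ToyDisk and the sample records are constructed for illustration.
Assumption: secure_unlink relies on in-place block rewriting (classic filesystem on
a magnetic disk). It is NOT sufficient on SSDs, copy-on-write or synced storage."""
import os
import secrets
import tempfile


class ToyDisk:
    """Model of a disk: a flat byte array plus a directory of (offset, length).
    Real filesystems are more complex, but unlink still edits the directory,
    not the data blocks."""

    def __init__(self, size: int = 4096):
        self.blocks = bytearray(size)
        self.directory: dict = {}
        self._next_free = 0

    def write_file(self, name: str, data: bytes) -> None:
        off = self._next_free
        self.blocks[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self._next_free += len(data)

    def delete(self, name: str) -> None:
        """An ordinary 'delete': the directory entry goes, the bytes stay."""
        del self.directory[name]

    def wipe_and_delete(self, name: str, passes: int = 1) -> None:
        """Overwrite the file's blocks with random data, then zeros, then unlink."""
        off, length = self.directory[name]
        for _ in range(passes):
            self.blocks[off:off + length] = secrets.token_bytes(length)
        self.blocks[off:off + length] = bytes(length)
        del self.directory[name]

    def raw(self) -> bytes:
        """What a recovery tool reads: every sector, directory entry or not."""
        return bytes(self.blocks)


def _fill(f, size: int, chunk: int, make_bytes) -> None:
    """Write `size` bytes produced by make_bytes(n) from offset 0, then fsync."""
    f.seek(0)
    left = size
    while left:
        n = min(chunk, left)
        f.write(make_bytes(n))
        left -= n
    f.flush()
    os.fsync(f.fileno())


def secure_unlink(path: str, passes: int = 1, chunk: int = 1 << 20) -> int:
    """Overwrite a real file in place (random passes, then zeros) and unlink it.
    Opened with r+b rather than wb so the existing blocks are rewritten instead
    of being truncated and reallocated. Returns the number of bytes overwritten."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            _fill(f, size, chunk, secrets.token_bytes)
        _fill(f, size, chunk, bytes)  # bytes(n) is n zero bytes
    os.remove(path)
    return size


def demo_real_file() -> tuple:
    """Write a constructed client record to a temp file, wipe it, and report
    (bytes overwritten, whether the file still exists)."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(b"John Smith, SSN 123-45-6789\n" * 100)
    overwritten = secure_unlink(path, passes=2)
    return overwritten, os.path.exists(path)


if __name__ == "__main__":
    disk = ToyDisk()
    disk.write_file("client.txt", b"John Smith, SSN 123-45-6789")
    disk.delete("client.txt")
    print("after plain delete, SSN still on disk:", b"123-45-6789" in disk.raw())
    disk.write_file("other.txt", b"Jane Doe, SSN 987-65-4321")
    disk.wipe_and_delete("other.txt")
    print("after wipe, SSN still on disk:", b"987-65-4321" in disk.raw())
    print(demo_real_file())
```

On Linux, `shred(1)` does the same overwrite-then-unlink, and its manual page carries the same warning about journaling and copy-on-write filesystems.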

Page 16: Software Tools that We Use

DISCLAIMER: The software tools listed on this and the following pages are what our firm, Tobolsky & Wachsler CPAs, LLC, uses. WE DO NOT OFFICIALLY ENDORSE THESE TOOLS NOR DO WE SUPPORT THEM. These tools are mentioned for discussion purposes only.

Page 17: Firewall Protection

• Hardware: NetGear ProSafe VPN Firewall
  ◦ < $100 at Circuit City
• Wireless NetGear Modem
  ◦ Encrypted wireless access
  ◦ $30 at CompUSA
• Software: Norton 360
  ◦ $60 for 3-user license at Staples

Page 18: Malware Protection & Virus Definitions

• Norton 360
  ◦ Automatic updates of malware and virus definitions
  ◦ Antispyware
  ◦ Email scanning for viruses / junk email
  ◦ $60 for 3-user license at Staples

Page 19: Online Sharing of Files

• www.box.net
  ◦ Sharing of files
  ◦ Access anywhere via Internet connection
  ◦ Password-protect files
  ◦ Invite clients to download files
  ◦ Files are encrypted prior to upload / download
  ◦ Files backed up across multiple, geographically separated servers
  ◦ $49.95 per month for 15GB of online storage

Page 20: Backup of Data

• Carbonite
  ◦ Online backup service
  ◦ Encrypts files before they are uploaded from the PC
  ◦ Files remain encrypted at their data center
  ◦ Requires a unique login to retrieve files
  ◦ $49.95 per year with unlimited storage

Page 21: Wireless Connections from Public Wi-Fi Hotspots

• Comodo TrustConnect
  ◦ Protects identity and keeps information private
  ◦ Need to log in to the TrustConnect website
  ◦ $50 per year

Page 22: Data Encryption

• TrueCrypt – encrypted directories on laptops (TrueCrypt’s developers discontinued it in 2014; anyone still relying on it should migrate to a maintained tool)
• Microsoft’s built-in hard-drive encryption for Windows

Page 23: Thank You!

Irene Wachsler, CPA, MBA
Tobolsky & Wachsler CPAs, LLC
[email protected]
(781) 883-3174

To ensure compliance with the requirements imposed on us by Circular 230, we inform you that any tax advice contained in this communication (including any attachments) is not intended to and cannot be used for the purpose of (i) avoiding tax-related penalties under the Internal Revenue Code, or (ii) promoting, marketing or recommending to another party any tax-related matter(s) addressed herein.