New Privacy Law may impact you!
[Mar 03, 2010]
A quick summary of the sweeping new privacy regulation in Massachusetts, which had a compliance deadline of March 1st, 2010. Issued in September 2008 to protect the personal information of Massachusetts residents, it applies to many companies that conduct business with residents of Massachusetts or have employees who reside in Massachusetts.
So now that I have your attention… here are some high-level notes to see if this may impact you:
Requirements
The Massachusetts regulation covers personal information both “at rest” and “in transit” over a public network such as the Internet. In both cases the data must be encrypted.
Personal information is defined as a Massachusetts resident’s name in combination with one of the following:
- Social Security number
- Driver’s license number or state-issued identification card number
- Financial account number or credit/debit card number
This new regulation affects all organizations that own or license personal information of Massachusetts residents, regardless of the size or location of the business.
This also includes:
- Businesses that track customers by account numbers (such as healthcare institutions and related vendors)
- Retailers that accept credit cards for purchases by Massachusetts customers
- Financial institutions (such as banks, insurers, or brokerages) with customers residing in Massachusetts
- Companies with branch offices located in Massachusetts
Failure to Comply
Are there consequences for non-compliance? Absolutely!
You can assume the new Massachusetts privacy regulation will increase a company’s exposure to lawsuits. The ramifications of not complying become quite real should an information breach occur: if non-compliance is found, the Massachusetts Attorney General can file suit against the company.
In addition, civil penalties can be imposed for non-compliance with Massachusetts’ data breach notification statute (Massachusetts General Laws Chapter 93H). A civil penalty of up to $5,000 may be awarded for each violation of 93H. Furthermore, under the companion data disposal statute (Chapter 93I), businesses can be fined up to $50,000 for each instance of improper disposal.
Always remember that there are other consequences which are not easy to calculate, such as the impact to a company’s brand or reputation.
Get Prepared
The requirements include some reasonableness standards, which should make compliance easier if your company isn’t already there. You still need, as a few examples, a written information security policy, an inventory of where you store “personal information,” and employee education on the importance of safeguarding it.
How can I help?
I would be happy to discuss this more, so please don’t hesitate to reach out. At a bare minimum I recommend you do some form of risk assessment to determine whether your company is, or should be, compliant. This may only be a Massachusetts law today, but legislation is currently working its way through Congress that would bring a similar national law into effect (if it comes to be passed).
Resources
The Office of Consumer Affairs and Business Regulation has published a useful 201 CMR 17.00 Compliance Checklist (.pdf).
You can also review the law itself contained in 201 CMR 17.00 Standards for the Protection of Personal Information (.pdf).
Governance and Risk Management – In the Eyes of a Coffee-House Barista
[Jan 21, 2010]
Often when speaking with other consultants, and even clients, I find that they do not grasp the concepts of Governance and Risk Management and how they relate to their business. I believe part of this may be due to the heavy use and misuse of both terms. In reality, both exist and are managed within all businesses, even by the barista at the local coffee-house.
How does governance relate to a barista? Let’s imagine that this barista is the owner of the coffee-house. Assuming she has hired other baristas and employees, she has effectively undertaken governance at some level. The degree of governance depends on how much the other employees take part in running the coffee-house: as the barista no longer has complete control over all of its affairs, she will look to establish governance.
How does risk management relate to a barista? I find this topic is more commonly grasped; however, the focus is sometimes only on compliance-specific requirements and not also on business activities in general. Continuing with our example, the barista makes many decisions on a daily basis that relate to risk. Which coffee bean should she serve her customers? How many varieties of tea should the coffee-house stock? Having too little or too much of either presents a risk to the return or profitability of the coffee-house.
This was a simple example, but one that should serve as a reminder that governance and risk management are relevant to YOUR organization and, for that matter, to all organizations. In your case they are more than likely just much more complicated. The barista has the benefit of knowing her business end-to-end: suppliers, customers, and business processes. The good news is that Redpoint Risk can help. I am focused on risk management and governance, with experience working with more than 45 organizations.
If you would like to talk more about IT governance or risk management within your organization, or the challenges you may be having, please let me know (we could do it over a cup of coffee). By managing both governance and risk effectively, your organization will be more resilient and responsive to risks while maximizing growth from the opportunities that arise.
- Chad Weinman
Sources: Barnier, Brian (2009). Driving Value From Nonrevenue-generating Activities: Myths and Misunderstandings of Governance and Risk Management. ISACA Journal, Vol. 2, 2009.
Business Contacts are like fruit
[Jan 06, 2010]
They are a priceless asset and an essential part of a healthy business lifestyle. However… if they grow stale… the taste in your mouth goes sour. Try to not let your business contacts go stale.
All one needs to do is simply: stay in touch.
Ensure you contact them every couple of months at a minimum. You can and should ask how they are doing. Also consider sharing something you are excited about.
But with hundreds of business contacts, won’t this be daunting and tough to manage?
I believe that an essential piece of managing your business network is an effective and flexible web-based CRM. There are dozens to choose from: Salesforce, Highrise and my favorite, BatchBook.
Within BatchBook, for example, I have built custom reporting (see the image below for my report criteria) that shows me which of my business contacts I have not communicated with during a specified timeframe (e.g. over a month).
Business contacts are a priceless asset; don’t let your network dry up. If you found this helpful or would like to chat more about this topic, feel free to contact me.