There is a buzz in the air in Massachusetts and it has nothing to do with our local sports teams, the economy or the changes happening in Washington D.C. The buzz in Massachusetts is the direct result of regulation 201 CMR 17. What in the world is 201 CMR 17 and what does it have to do with me, a CPA in Arizona?

Regulation 201 CMR 17

The new regulation is just the latest in a series of state laws and regulations aimed at the protection of consumers’ personal information and the protection against identity theft. The buzz in Massachusetts was caused by the regulation being released at the end of September and compliance required by the end of December.

Like most other states, the requirement to comply with the Massachusetts law is not based on the location of your company but rather on the residence of your client for whom you store sensitive data. It is possible that a CPA in Arizona would be required to comply with the very strict regulation issued by Massachusetts.

This article shows CPAs how to protect the sensitive data that is entrusted to them by their clients and customers.

Background

California SB 1386 was the first legislation to address the issue of data protection. Since then, the clear majority of states have enacted legislation that requires companies to protect sensitive personal data and report any data breach. The definition of sensitive data and the requirements to protect it vary state by state.

Key Steps to Ensure Compliance

It is entirely possible that your company needs to comply with some or all of the state data protection laws. It is often a difficult task to determine which state law(s) apply to your company and the steps required to ensure compliance.

The following are some practical suggestions (not a legal opinion) to help you deal with this issue:

1. Inventory of your data. If you are a CPA firm, you are most likely storing client’s names, Social Security numbers and bank account numbers. Other companies, such as a wholesaler, might not keep sensitive data about their customers, but instead, their data may consist of part numbers, cost and selling price. Typically, this is not considered sensitive data, but don’t forget about your employees. For example, an employer with even a single employee is most likely storing sensitive data. You must determine the types of data that you store and if the state laws apply to that data.
2. Determine which of the state laws apply to your organization. Many of the state laws require that you look at the residence of your clients, customers or employees for whom you are storing sensitive data. For example, the Massachusetts regulations must be followed by “all persons that own, license, store or maintain personal information about a resident of the Commonwealth.” It is possible that your organization will have to comply with multiple state laws.
3. Determine your risk. Once you know the type of data that you store, you must identify the possible threats to that data. If you store the information in electronic format, your risks are many. These risks may include — but are not limited to — the breach of your company’s network, the loss of a laptop, a misplaced USB (Universal Serial Bus) drive, an unprotected e-mail sent across the Internet and the loss of a backup tape. You must also look at the information that is stored in paper format. Don’t forget the risks associated with paper documents that you may carry outside your office.
4. Determine the definition of compliance. You must determine what measures you should take to comply with the state law(s) that applies to your organization. Some state laws carry very specific wording about the actions that must be taken to protect sensitive data. This may include implementing encryption technologies, protecting the corporate network and implementing security software. You may be required to maintain a written security policy and provide training to your employees.
5. Think like the bad guys. It is a prudent exercise to spend some time trying to determine who might be interested in the sensitive data you store and how they might go about breaching your systems. You may also consider hiring a security expert to assist you with this process.
6. Limit access to sensitive data. We all take it for granted that only our human resources department has access to our employee records. But what about your client’s data? Does everyone really need access? The fewer people that have access to sensitive data, the better!
7. Implement the technology required to protect the data. Because of the new Massachusetts regulation, companies that offer computer security products are reaching out to companies in Massachusetts. It is not uncommon for me to receive three or four e-mails a day about the “best” solution for our business. At a minimum, you should consider the following:

1. Encrypt everything. All laptops, desktops, external hard drives, backup tapes and USB drives should be encrypted using a full disk encryption solution.
2. Implement a secure client communication system. This may include the use of a client or customer portal and/or encrypted e-mail. You should not allow anyone to send sensitive data in an unencrypted e-mail.
3. Impose strong passwords and require your users to change their passwords on a regular basis. Typically, a strong password is eight characters in length and contains a combination of uppercase letters, lowercase letters, numbers and non-alphanumeric characters.
4. Encrypt all wireless access to your networks.
5. Implement and monitor a firewall and an intrusion prevention system.
6. Require automatic locking on all PDAs. Your PDA probably contains sensitive client data, if it is used to store e-mail, contact information or data files.
7. Keep all systems fully patched.
8. Implement a system to monitor compliance with the company’s security policies and procedures.
9. Install and maintain security software (anti-virus, anti-spyware and firewall) on all computer systems.

Conclusion

The thought of keeping your company in compliance with the numerous state laws and regulations is simply overwhelming! It will take hard work and lots of research.

Most CPAs who have learned of the new Massachusetts regulation were stunned to see that they had only three months to comply. As I was writing this article, I have just learned that Massachusetts has extended the deadline until May 1, 2009. That’s good news.
 
I would encourage each of you to take a serious look at how your company approaches the issue of data protection. Our customers and clients have trusted us with all the information that an identity-thief needs! It is up to us to take our responsibility seriously.

Hopefully, you will never have to hear a client say, “You lost what?”

Barry MacQuarrie, CPA is the Director of Technology at KAF Financial Group. Barry has extensive experience working with CPA firm technologies and expertise in workflow, process improvement, disaster recovery planning, security and paperless office technologies.