State Data Protection Laws
Seven key steps financial executives and CPAs must follow to ensure compliance.
There is a buzz in the air in Massachusetts and it has nothing to do with our local sports teams, the economy or the changes happening in Washington D.C. The buzz in Massachusetts is the direct result of regulation 201 CMR 17. What in the world is 201 CMR 17 and what does it have to do with me, a CPA in Arizona?
Regulation 201 CMR 17
The new regulation is just the latest in a series of state laws and regulations aimed at the protection of consumers’ personal information and the protection against identity theft. The buzz in Massachusetts was caused by the regulation being released at the end of September and compliance required by the end of December.
Like most other states, the requirement to comply with the Massachusetts law is not based on the location of your company but rather on the residence of your client for whom you store sensitive data. It is possible that a CPA in Arizona would be required to comply with the very strict regulation issued by Massachusetts.
This article shows CPAs how to protect the sensitive data that is entrusted to them by their clients and customers.
California SB 1386 was the first legislation to address the issue of data protection. Since then, the clear majority of states have enacted legislation that requires companies to protect sensitive personal data and report any data breach. The definition of sensitive data and the requirements to protect it vary state by state.
Key Steps to Ensure Compliance
It is entirely possible that your company needs to comply with some or all of the state data protection laws. It is often a difficult task to determine which state law(s) apply to your company and the steps required to ensure compliance.
The following are some practical suggestions (not a legal opinion) to help you deal with this issue:
- Encrypt everything. All laptops, desktops, external hard drives, backup tapes and USB drives should be encrypted using a full disk encryption solution.
- Implement a secure client communication system. This may include the use of a client or customer portal and/or encrypted e-mail. You should not allow anyone to send sensitive data in an unencrypted e-mail.
- Impose strong passwords and require your users to change their passwords on a regular basis. Typically, a strong password is eight characters in length and contains a combination of uppercase letters, lowercase letters, numbers and non-alphanumeric characters.
- Encrypt all wireless access to your networks.
- Implement and monitor a firewall and an intrusion prevention system.
- Require automatic locking on all PDAs. Your PDA probably contains sensitive client data, if it is used to store e-mail, contact information or data files.
- Keep all systems fully patched.
- Implement a system to monitor compliance with the company’s security policies and procedures.
- Install and maintain security software (anti-virus, anti-spyware and firewall) on all computer systems.
The thought of keeping your company in compliance with the numerous state laws and regulations is simply overwhelming! It will take hard work and lots of research.
Most CPAs who have learned of the new Massachusetts regulation were stunned to see that they had only three months to comply. As I was writing this article, I have just learned that Massachusetts has extended the deadline until May 1, 2009. That’s good news.
I would encourage each of you to take a serious look at how your company approaches the issue of data protection. Our customers and clients have trusted us with all the information that an identity-thief needs! It is up to us to take our responsibility seriously.
Hopefully, you will never have to hear a client say, “You lost what?”
|Rate this article 5 (excellent) to 1 (poor).
Send your responses here.
Barry MacQuarrie, CPA is the Director of Technology at KAF Financial Group. Barry has extensive experience working with CPA firm technologies and expertise in workflow, process improvement, disaster recovery planning, security and paperless office technologies.