The following article was published in today's Portsmouth Herald and features an interview with me and a mention of our upcoming data privacy seminar on February 1st.
Local expert says compliance will be difficult; his company offers seminar
PORTSMOUTH — New and sweeping data privacy regulations in Massachusetts could have an impact on New Hampshire and Maine businesses.
The new law, which goes into effect on March 1 and touches all types of businesses that have even one Massachusetts customer, will be the focus of a free seminar for business professionals on Feb. 1 at the Sheraton Harborside Hotel in Portsmouth.
“Any business in New Hampshire and Maine that deals with or handles any private information of Massachusetts customers has to comply with this law,” said technology expert MJ Shoer, one of the co-hosts of the seminar. “Even a doctor in Hampton with one patient from Amesbury (Mass.) will have to be in compliance.”
Shoer, president of Jenaly Technology Group in Portsmouth, will be joined by Warren Mackensen of Mackensen & Company in Hampton. Mackensen created a compliance software package called ProTracker Software in anticipation of stricter data privacy regulations.
Shoer said he will share his insight from oral and written testimony he delivered last year to the U.S. House of Representatives — and to the Massachusetts Office of Consumer Affairs and Business Regulation, which Shoer said affected the final form of this new law.
“In its early form, it was almost impossible to comply with the law,” Shoer said. “The potential regulations would be a massive hurdle for small business. I said in my testimony that it's got to be relevant and understandable and not such a burden.”
Shoer said the Massachusetts regulation came about in the aftermath of data breaches at TJX Corp. (the parent company of TJ Maxx and Marshalls) discovered in 2007 and at Hannaford Brothers in 2007 and 2008. TJX is based in Massachusetts, and over an 18-month period beginning in 2005 information from more than 45 million debit and credit cards was systematically stolen. In 2009, TJX agreed to a $9.75 million settlement with the 41 states covered in the breach, including Maine, Massachusetts and New Hampshire.
Shoer said that he agrees in principle with the spirit of the law because the goal “is to prevent identity theft.” But with states writing their own data protection laws, the potential for having “30 different sets of regulations from 30 different states” can be a business expense burden.
“This is a touchy subject,” said Shoer, who is a technology columnist with the Herald. In the worst-case scenario, companies could find themselves going out of business or take the risk of skirting or ignoring regulations altogether, he said. The Massachusetts law “is the most stringent in the country,” Shoer said, and has already been copied by Nevada. A single data breach that leads to the loss of customer information carries a fine of $5,000.
“What it means is that if you do have a data breach and they find out you didn't take reasonable steps to safeguard your data, it will be a whole lot of trouble,” Shoer said. “No one is really surprised (by the regulations). We have been educating our clients for more than a year that this is coming and we have been driving the point home. The most important step is to show your organization takes it seriously.” Businesses are required to have a written information security policy, along with several other safeguards, to ensure compliance. Shoer said he will hand out a lengthy list of guidelines for the Massachusetts law.
“My personal belief is that most businesses are aware and are already mostly in compliance,” Shoer said. “Unlike the Y2K scare, this won't cost companies tens of thousands of dollars to be in compliance.” One of the tools that will be presented at the seminar, Shoer said, is the recently launched Information Security Program from ProTracker Software, which claims to be an affordable, user-friendly tool to address compliance with the new regulatory requirements.
Shoer said the goal of the seminar is to educate and “help strengthen the business community” and he wouldn't mind making connections with potential clients.
“The cost of no compliance is potentially massive,” Shoer said. “But this is not just a technology problem — it's a human problem as well if we forget to educate people on the basics of data protection.”
Sometimes low-tech common sense can go a long way. Shoer said a client of his firm was good at protecting electronic data but had a major and obvious security problem — rows of unlocked file cabinets with confidential customer information that happened to be near a sometimes unguarded front door.