I was at a doctor’s office last week. The X-ray technician came out and asked for me by first name. I followed her through the door and she checked my last name. She told me that they are not allowed to say a person’s first and last name in front of other patients. Why did this happen? It is all part of the current effort to prevent identity theft.
A couple of years ago Massachusetts passed a very tough data security law. The law imposes strict security procedures on any business that collects personal information. The law has had several implementation dates that have been postponed. Currently the drop-dead date is March 1, 2010. The general consensus is that the date will not be postponed again.
What is interesting is that your first and last name and your address are not, by themselves, considered personal information. Thus the law does not cover the basic demographic information kept in your contact manager. However, if you combine your client’s first name or initial and last name with any item from a list of other information, then you become subject to the law. The other information covered by the data security law is: Social Security number, driver’s license number, state-issued ID card number, credit card number, debit card number, or financial account number. The last one is interesting because a check carries a first and last name and a financial account number. So every time you send a check to someone you are risking identity theft.
Whom does this law cover? Any business that collects personal information from its customers must comply. If you sell a product to a customer and they pay you any way other than cash, you have to follow the law. That pretty much covers all companies. How many businesses accept only cash? Practically none. So the only folks who are not covered by the law are drug dealers and other illegitimate businesses. (Wouldn’t it be interesting if such businesses could not be caught for their more dangerous activities but did get caught by the Data Security Breach Law?)
What does this law cover? Any physical or electronic files that contain the covered information are subject to the law. So if you have names in one file and credit card numbers in another file and no method for connecting the two files you would not come under the jurisdiction of the law. Not many businesses would do this—it would make your business difficult to manage.
The law requires four things:
1. Assess your files and systems to identify Personal Information.
2. Adopt policies and procedures to protect the information.
3. Destroy the information on a regular basis as required by law.
4. Report any unauthorized use or acquisition of the information.
Your policies and procedures must be in writing.
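As an added example (not code from the original post), here is a small Python scanner that applies the definition above to the first requirement, assessing files for Personal Information: a file is flagged only when a customer’s name (first name or first initial plus last name) appears together with at least one of the listed identifiers. A file holding only card numbers, or only names and addresses, is not flagged, which is the separate-files point made earlier. The sample files, the contact list and the identifier patterns are constructed for this example; the regular expressions are illustrative assumptions, not formats set by the law, and a real assessment would tune them to your own data.

```python
import re

# Constructed sample "files" for the example: no real people, no real account data.
SAMPLE_FILES = {
    "contacts.txt": (
        "Jane Doe, 12 Main St, Boston MA 02110\n"
        "John Q. Public, 5 Elm St, Worcester MA 01608\n"
    ),
    "payroll.txt": "Jane Doe  SSN 123-45-6789  hired 2008-03-01\n",
    "orders.txt": "J. Public paid by card 4111 1111 1111 1111 on 2009-09-20\n",
    "cards_only.txt": "4111111111111111\n5500000000000004\n",
    "notes.txt": "Called Jane Doe about the invoice; she will mail a check.\n",
    "dmv.txt": "Driver's license S12345678 belongs to John Public\n",
}

# Customer names, e.g. exported from the contact manager (constructed for the example).
KNOWN_NAMES = [("Jane", "Doe"), ("John", "Public")]

# Identifier patterns: illustrative assumptions for this example, not formats defined by the law.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13-19 digits, optional spaces/dashes
ACCOUNT_RE = re.compile(r"\b(?:acct|account)\s*(?:no\.?|number|#)?\s*:?\s*(\d{6,17})\b", re.I)
LICENSE_RE = re.compile(r"\blicen[cs]e\s*(?:no\.?|number|#)?\s*:?\s*([A-Z]?\d{7,9})\b", re.I)


def luhn_ok(number):
    """Luhn checksum; used to keep random digit runs from being reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text):
    """Return (kind, value) pairs for every covered identifier found in text."""
    found = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(("card", digits))
    found += [("account", m.group(1)) for m in ACCOUNT_RE.finditer(text)]
    found += [("license", m.group(1)) for m in LICENSE_RE.finditer(text)]
    return found


def name_patterns(names):
    """Build one regex per customer matching 'First Last', 'First M. Last' or 'F. Last'."""
    pats = []
    for first, last in names:
        full = rf"\b{re.escape(first)}(?:\s+[A-Z]\.?)?\s+{re.escape(last)}\b"
        initial = rf"\b{re.escape(first[0])}\.?\s+{re.escape(last)}\b"
        pats.append((f"{first} {last}", re.compile(f"{full}|{initial}", re.I)))
    return pats


def classify_file(text, names=KNOWN_NAMES):
    """Apply the name-plus-identifier rule to one file's contents."""
    names_found = [label for label, pat in name_patterns(names) if pat.search(text)]
    identifiers = find_identifiers(text)
    return {
        "names": names_found,
        "identifiers": identifiers,
        "covered": bool(names_found) and bool(identifiers),
    }


def scan_files(files, names=KNOWN_NAMES):
    """Return the sorted names of files that contain personal information as defined above."""
    return sorted(fname for fname, text in files.items() if classify_file(text, names)["covered"])


if __name__ == "__main__":
    for fname, text in SAMPLE_FILES.items():
        result = classify_file(text)
        status = "COVERED" if result["covered"] else "not covered"
        print(f"{fname:15} {status:12} names={result['names']} ids={result['identifiers']}")
```

Run against the constructed files, only payroll.txt, orders.txt and dmv.txt are flagged: each pairs a customer name with an SSN, a Luhn-valid card number or a license number. contacts.txt (names and addresses only), notes.txt (name only) and cards_only.txt (numbers with no name) fall outside the definition, so the inventory you keep for the written policy should record the covered files and where the linking between the others, if any, would happen.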
My next blog will cover HOW you protect your data and any physical records you have.
Monday, September 28, 2009