By Warren J. Mackensen, president, ProTracker Software
Many businesses are unintentionally negligent when it comes to information security and mistakenly feel safe when storing client personal information or e-mailing password-protected files. But data security breaches happen quickly and far too easily--a hacked e-mail, a stolen laptop or a disgruntled employee stealing a confidential file. Before they know it, companies are dealing with a data breach that has exposed sensitive customer information and are looking at lawsuits, furious clients, huge fines, and scathing media exposure as part of the aftermath. And with the high number of professionals who travel or work remotely, vulnerability and data breach incidents have risen dramatically.
In response to this threat, some states are introducing data security compliance legislation to clamp down on abuses. But compliance is a good idea, even if a business is operating in a state without such laws.
What's being stolen?
Client personal information is defined as a person's first name (or initial) and last name, combined with one or more of the following, together with any security codes that permit access to the individual's financial account:
- Social Security number
- Driver's license number or state ID number
- Financial, credit, or debit account number
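As an added example (not from the article or from ProTracker), the definition above can be turned into a small inventory scanner: it flags each record that carries a name plus at least one of the listed identifiers, looks for identifiers pasted into free-text fields, and masks values for reporting. Field names, regex patterns and sample rows are constructed assumptions.

```python
"""Added example: classify records against the article's definition of
personal information (name plus SSN, driver's license/state ID, or
financial account number). Field names and rows are constructed."""
import re

# Constructed patterns for identifiers that may hide in free-text fields;
# a real deployment would tune these to its own data and validate hits.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "financial_account": re.compile(r"\b(?:\d[ -]?){13,19}\b"),  # 13-19 digit account/card
}
STRUCTURED_FIELDS = ("ssn", "drivers_license", "financial_account")

def _present(value):
    return value is not None and str(value).strip() != ""

def classify(record):
    """Return the sensitive elements found in a record that also carries a
    first name/initial and last name. An empty set means the record is not
    'personal information' under the definition (no name, or no identifier)."""
    if not (_present(record.get("first_name")) and _present(record.get("last_name"))):
        return set()
    found = {f for f in STRUCTURED_FIELDS if _present(record.get(f))}
    for field, text in record.items():  # identifiers pasted into notes etc.
        if field in STRUCTURED_FIELDS or not isinstance(text, str):
            continue
        for name, pattern in PATTERNS.items():
            if pattern.search(text):
                found.add(name)
    return found

def mask(value):
    """Mask all but the last four characters, e.g. for logs or breach reports."""
    s = str(value)
    return "*" * max(len(s) - 4, 0) + s[-4:]

def scan(records):
    """Map record id -> sorted sensitive elements for every record that is PI."""
    out = {}
    for record in records:
        elements = classify(record)
        if elements:
            out[record["id"]] = sorted(elements)
    return out

SAMPLE = [  # constructed rows
    {"id": 1, "first_name": "A.", "last_name": "Client", "ssn": "123-45-6789"},
    {"id": 2, "first_name": "Pat", "last_name": "Doe", "notes": "acct 4111 1111 1111 1111 on file"},
    {"id": 3, "first_name": "Sam", "last_name": "Roe", "notes": "prefers e-mail"},
    {"id": 4, "first_name": "", "last_name": "Orphan", "ssn": "987-65-4321"},
]
```

Records 1 and 2 are flagged (SSN field, card number in a notes field); record 3 has no identifier and record 4 has no first name, so neither meets the definition.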
Although most companies handle this type of confidential information, professionals who commonly carry the potential data privacy breach burden are insurance companies, IT consultants, CPAs, attorneys, mortgage companies and financial advisors--including insurance agents and brokers.
Depending on the nature of a data breach, a variety of financial damages can proliferate for an organization, including legal fees, regulatory fines, decreased stock value, higher call center volume, amplified IT expenses, lost productivity, lost customers and a ruined reputation.
According to a study conducted by Ponemon Institute, the average cost of a data breach rose from $6.65 million in 2008 to $6.75 million in 2009, amounting to $204 per compromised record. Among the incidents reported, the most expensive data breach cost nearly $31 million to resolve, and the least expensive cost $750,000.
Beyond the potentially crippling financial impact, security breaches can cause customers and employees to feel betrayed and lose trust in the organization. And the fallout of negative publicity can be tremendously damaging and long-lasting.
Data security breaches, albeit sometimes deliberate, are typically accidental, occurring through improper handling of confidential information by employees and subcontractors. My own Social Security number was inadvertently exposed by two public agencies (the Veterans Administration and the Division of Professional Licensure). In both cases these organizations incurred significant expenses notifying all of the people affected--26 million veterans, in the case of the VA.
Companies don't realize that data security breaches are quite preventable by taking precautionary steps. Some state and federal regulations only require companies to report a breach after the damage is already done, versus requiring companies to be more proactive about information security. However, this has begun to change.
When security compliance is the law
In response to a number of security breaches, the Commonwealth of Massachusetts developed the 201 CMR 17.00 data privacy regulation to protect the personal information of Massachusetts residents.
Effective March 1, 2010, this regulation requires all companies that hold sensitive personal information on one or more Massachusetts residents, regardless of where the company is based, to implement the following preventive steps:
- Designate an information security officer
- Develop a formal written information security plan
- Identify administrative, technical and physical risks associated with personal information security and document all possible breaches
- Secure servers, networks, laptops, flash drives and portable hard drives with passwords, firewall security, and anti-virus and anti-spyware software
- Encrypt e-mails and e-mail attachments, USB flash drives, laptop computer hard drives and PDAs containing personal information
- Manage record destruction properly (in-office or offsite shredding)
- Train employees annually on information security procedures
- Create an employee termination checklist to disable former employee access to personal information
- Develop a security breach incident response plan detailing what to do should there be a security breach
- Conduct a required annual information security program review
The Massachusetts data privacy regulation, the strictest of any state, will likely become the nation's standard, and these regulations will significantly affect the way businesses handle client personal information in the future.
Even if organizations don't have clients in Massachusetts, they should develop an information security plan to preclude security breaches and enable them to act quickly and responsibly in the event of a security breach.
Although professionals may think it's a headache to go through this process, the harm from a security breach is far worse. By spending a minimal amount of time and cost in the planning stage, organizations can save millions of dollars by preventing a breach rather than having to react to a crisis.
Companies cannot afford to be non-compliant. Massachusetts 201 CMR 17.00 is just the beginning of a nationwide movement that will require companies to be more proactive in avoiding security breaches. It's imperative that companies create a written information security plan, conduct a thorough review of their entire IT environment, and put the necessary security safeguards in place to ensure protection of personal information. It's just good business.
Warren Mackensen is president of Hampton, N.H.-based ProTracker Software, which delivers business solutions and technologies to solve industry issues and improve efficiencies. For more information, please visit www.protracker.com.