Saturday, April 24, 2010

State Steals Citizens' IDs

"The new rules don’t apply to state government agencies"

So they are ABOVE the LAW?

You know what that is, don't you, AmeriKa?

"Theft-proofing your identity; Tough rules to protect consumers’ personal information go into effect Monday. Will the region’s companies be ready?" by Hiawatha Bray, Globe Staff | February 26, 2010

On Monday, tough new regulations to protect personal information collected from consumers will take effect in Massachusetts, and companies throughout the US are scrambling to get ready.

“We get requests almost daily from New Jersey, Texas, California, pretty much everywhere in the country,” said John McDonald, security evangelist for RSA, a division of Hopkinton data storage giant EMC Corp. that makes products used by businesses and governments to protect sensitive data.

Related: SEC Gets Inside EMC

Who is going to protect us from them?

The new rules are meant to protect against the loss or theft of confidential information about consumers, such as Social Security and credit card numbers. They were set to take effect in January, but implementation was delayed to give businesses more time to get ready.

In recent years, confidential information regarding one out of six Massachusetts residents was compromised in data breaches that included hacker attacks on banks and companies that compile consumer data, such as retailer TJX Cos., headquartered in Framingham, and supermarket chain Hannaford Bros. Co., based in Scarborough, Maine.

Under the rules that take effect Monday, any institution that holds personal data about residents of Massachusetts must create a written policy for protecting the data, and must train employees to follow the rules. In addition, organizations must encrypt any personal information - scrambling files to conceal their content - when it is transmitted over the Internet or a wireless data network. Data must also be encrypted when it’s stored on portable devices like laptops or thumb drives, to protect against identity theft if the devices are lost or stolen.

A preexisting law, enacted in 2007, requires institutions to inform state regulators if they suffer a loss of data that could result in identity theft. Organizations that fail to comply with the new regulations, and which suffer such a data breach, can be fined up to $5,000 for each violation.

Many small companies may be unprepared to comply with the new rules. Frank Vincentelli, chief technology officer of Integrated IT Solutions Inc. in Waltham, helps small and midsize businesses upgrade their computer systems to comply with the law. Vincentelli said that the cost of compliance can vary greatly, depending on the number of employees and customers a company has. It cost one client just $1,000 to get ready, while another had to spend $35,000.

“I know there are companies that have unmet requirements, and there’s no practical way they’re going to have these requirements met by the deadline,” Vincentelli said.

Bob Baker, president of the Smaller Business Association of New England, said many of his group’s members haven’t focused on the issue.

“I think people are still anesthetized by it,” Baker said. “I don’t think there’s been a call to action, even though there’s been big data breaches and plenty of publicity.” He predicted that many of the state’s small businesses will not be in compliance on Monday.

Barbara Anthony, the Commonwealth’s undersecretary of consumer affairs and business regulation, was more optimistic.

“I think most companies are ready,” said Anthony, although she admitted that many small businesses may still be out of compliance. Anthony said that there’s no provision in the law for conducting audits of local companies to confirm they’re obeying the law.

Some major companies that have been victimized by identity thieves say they are ready to comply with the new law.

“With much of the work already completed, TJX intends to be in compliance with the new Massachusetts data security law when it takes effect,” spokeswoman Sherry Lang said in an e-mailed statement. Miami hacker Albert Gonzalez pleaded guilty last year to aiding the theft of more than 40 million credit card numbers from TJX.

Related: The Gonzalez Garbage Dump

Another company allegedly victimized by Gonzalez, the supermarket chain Hannaford Bros., also says it’s prepared.

“We have reviewed the requirements of the Massachusetts data privacy law, and we are confident that we are compliant with those requirements,” said spokesman Michael Norton in an e-mailed statement.

The new rules don’t apply to state government agencies, which hold vast amounts of personal data....

The cost and complexity of meeting the new standards may be offset by avoiding the high cost of a data breach. The Ponemon Institute, a privacy and information management research firm in Traverse City, Mich., surveyed 51 companies that had suffered security breaches. The affected businesses lost $204 for every customer record that was compromised. Repairing the damage cost the least-affected company $750,000, while one firm’s identity theft cost it $31 million.


Still doesn't work

"New reports of data breaches; Thousands are left at risk in Mass." by Gal Tziperman Lotan and Todd Wallack, Globe Correspondent | Globe Staff | March 13, 2010

A number of companies, including Boston insurance giant John Hancock Financial Services, have in recent months reported stolen laptops and other breaches of data security, potentially exposing personal information about thousands of Massachusetts residents....


Another state-inspired waste of time and money, eh?