201 CMR 17.04, titled “Computer System Security Requirements,” mandates “every person that owns or licenses personal information about a resident of [Massachusetts]” and stores or transmits that data electronically, include in its comprehensive information security program the establishment and maintenance of a data security system that covers its computers, including wireless systems.  To the extent technically feasible, the comprehensive information security program must contain the following elements:

1.  Protocols for user authorization that include:

A.  Password protected access;

B.  A secure method, such as passwords or biometrics, to limit access to the protected data;

C.  Systems to protect the passwords and access maintained in such a way as to not compromise the security of the data;

D.  Limitations on the active users who have access to the protected data;

E.  A method to block access to any user who has multiple, unsuccessful login attempts.

2.  Secure access control measures that:

A.  Restrict access to protected data to only those persons who require access to perform their job functions;

B.  Assign unique user IDs and passwords, not generated by default within the particular computer system, and that are designed to maintain the integrity of the security of the protected data.

3.  Encryption of all data that is transmitted wirelessly or across public networks (like the internet).

4.  Methods of monitoring actual or attempted unauthorized use of or access to protected data.

5.  Encryption of all personal information stored on laptops or any other portable device (flash drives, discs, external hard drives, etc…).

6.  Firewall and operating system protection, designed to maintain the integrity of the system, for all systems holding protected data that are connected to the internet.  This should include regular firewall and operating system security patches.

7.  Reasonably up-to-date anti-virus and anti-malware software (what that nebulous statement means will end up before a judge, as what is reasonable to a particular business might not be reasonable to the government).  The security software must be updated regularly, including relevant security patches.

8.  Documented training programs for all employees who will access the computer system containing the protected data.  This training must emphasis the importance of protecting personal information.

Businesses must be complaint with the law examined in this series right now.  Section 5 of the regulation mandated compliance by March 1, 2010.  If your business is not complaint, it is critical that you create a comprehensive information security program.  If you need any assistance, please contact us.  We can help you develop your comprehensive information security program.  While resources, whether in-house or outsourced, must be dedicated to this effort, it necessary to protect your business from a data breach and limit your liability in the event a breach does occur.

Like insurance, we all hate spending the time and money to protect against an event we hope will never happen.  However, we all carry insurance.  We carry insurance because we know that in the event of an accident or disaster, the cost of being covered is far less than the cost of not being covered.

Please leave your thoughts and comments on this subject.  If you have any questions, please feel free to post them here or contact us directly for a no-cost, no-obligation initial consultation.  Our job is to help you make sure your business is protected and thriving and we welcome the opportunity to serve you.

DISCLAIMER:  The information presented here is general in nature, does not take your jurisdiction or actual circumstances into account and therefore may not apply to your circumstances or in your jurisdiction.  You should not rely on this general information as a substitute for legal advice from your attorney.  This is not an attorney-client communication.  You should seek individual advice from an attorney of your choosing if you require assistance in any legal or compliance matters.

Now we move on to Section 17.02, which pertains to definitions used in the regulations.  This is an important part of the regulation and any business with any data or personal information should familiarize themselves with these definitions.

Breach of Security: The regulation defines a breach of security as the unauthorized use or acquisition of data that could compromise the “security, confidentiality or integrity of personal information” that creates a substantial risk of identity theft or fraud against a resident of Massachusetts.  If the acquisition of the information is lawful and the information was acquired in good faith but not authorized, it is not a breach.  An example of this might be procuring a list from a licensed list broker who represents that the data is legal and the use authorized, but in reality, the use was not authorized.  In such a case, there is no breach.  This is a somewhat loose definition and I am predicting that this will be the subject of litigation and judicial interpretation.

Electronic:  This is a lot more straightforward.  Electronic data is data stored in an electronic medium.  That could be digital, magnetic, wireless, optical or the like.

Encrypted:  This definition pertains to transformation of data into a form that cannot be used without the corresponding encryption key.  Encrypting data, especially when transmitting it, is a good practice no matter where you are doing business.

Owns or Licenses:  This definition is wide reaching.  It pertains to any person (defined below) that receives, stores, maintains, processes or has access to personal information in connection with the provision of goods or services or in connection with employment.

Person:  A person is considered a natural person (like you or me) or a corporation, association, partnership or other legal entity (trust, LLC, etc…).  The exception here is that agencies and offices of the Commonwealth of Massachusetts appear to be immune from these regulations.

Personal Information:  This is the data that needs security and for which your written comprehensive data security policy should be aimed at protecting.  This data includes the first name or first initial and the last name of a Massachusetts resident with one or more of the following data associated with the name:

1. social security number;
2. driver’s license number or state issued ID number;
3. financial account number, including bank or credit card numbers.

Note that personal information that is public record, such as that contained in the Registry of Deeds, is not considered confidential personal information and that data is not subject to compliance so long as it is legally available to the general public.

Record or Records:  Here we have another wide reaching definition.  Records can take the form of any material on which the data in question is written, drawn spoken, imaged or otherwise recorded and preserved.  So if your CRM system is a series of index cards, or cocktail napkins for that matter, it is covered and you must provide data security to remain in compliance.

Service Provider:    A service provider is one who, through their provision of services to those covered under this law, receives, stores, maintains, possesses or has access to covered personal information.

So there we have a through review of Section 2 of the Standards For the Protection of Personal Information of Residents of the Commonwealth. Next, we will take a look at Section Three, which discusses the duty owed to protect the data and the standards for that protection.  So check back often or, even better, sign up for our RSS feed or email notifications.  That way, you know you will not miss a single bit of information that could lead to a violation of the law.

As always, if you have any questions, please feel free to contact us.  And if you have any comments of thoughts on this subject, or a subject you would like to know more about, please leave a comment.  Your input is always welcome.

You better have better data security than this!

We discussed in a previous article the growing concern among State and Federal lawmakers regarding protection of data.  More specifically, protection of consumer’s personal information.  This issue was escalated to the forefront of compliance practitioners and consultants with the implementation of a Massachusetts regulation (201 CMR 17.00), acknowledged to be the strictest rules on data security in the United States (so far).  The regulations and related laws are available for download in their entirety at no cost or obligation at the White Space Resource Center under “Privacy Laws and Regulations.”  As most businesses will have to address data security and protection of personal information, it is worth taking a closer look at the Massachusetts regulations.

The regulation, entitled Standards For the Protection of Personal Information of Residents of the Commonwealth, is divided into five sections.  This series of articles will analyze each of these sections.

Section 17.01 – Purpose and Scope

The regulation implements the provisions of the Massachusetts Consumer Protection Statute, Massachusetts General Law Chapter 93H.  The law applies to “persons who own or license personal information about a resident of the Commonwealth of Massachusetts.”  This means that no matter where your business might be located, if you own or use personal information about any resident of Massachusetts, you must comply with the law.  The law’s stated purpose is to provide a minimum standard for the protection personal data.  The law is intended to protect against the “unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.”

The most important take-away for this section is that any business that owns or licenses data related to a Massachusetts resident is required to comply with the regulation.

Answer:  They all use personal data in one way or another.

The subject of protecting the almost limitless amount of data about people that is out there in the world’s databases has become a concern to those occupying State Houses across the country and throughout the halls of Washington, DC.  Because we all deal with data on a daily basis, the topic of data security compliance requires particular attention in order to protect your customers, your business’s reputation and avoid hefty fines and penalties.

Recently, apparently brought about by the challenging (read: disastrous) roll-out of Google Buzz, outgoing Federal Trade Commission (FTC) Commissioner Pamela Jones Harbour criticized technology companies for their  ’[t]hrow it up against the wall and see if it sticks” approach to data security.  Of particular concern to Commissioner Harbour was a comment by Google Chief Executive Eric Schmidt, who during an interview with CNBC reportedly stated, “[I]f you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”  I can only imagine that upon learning of this comment by Mr. Schmidt, Google’s Chief Communications Officer fell out of their chair and wept openly.  While Ms. Harbour made it clear her comments were her own and not that of the FTC, the fact that it was the topic of discussion at such a high level demonstrates that the powers that be are concerned.

Technological leaps in the capability to capture consumer data, the capacity to store and analyze this data and the ease with which we can manipulate and transmit this data has resulted in a reduction of the level of privacy we can expect.  Consider the data that Amazon.com obtains on an individual with the sale of one book.  They know the buyer’s name, address, credit card information, and some buying behavior information, all with one transaction.  Now consider the information obtained when walking into your local bookstore, paying cash for the same book and walking out.  The “brick and mortar” seller makes the same sale, but gets no personal information.  Thus, many of these privacy issues are attributable to consumer’s online behavior.  Additionally, blogs, Tweets and other social media have eroded, for better or worse, the line between information that is private and that which is public.  In this context, Mr. Schmidt’s comment is valid.

Of immediate concern to those of us working with data is a regulation passed by the Commonwealth of Massachusetts.  This new regulation, (201 CMR 17.00, et. seq.) implemented through the State’s Consumer Protection Law (Massachusetts General Law, Chapter 93H) is generally acknowledged to be the strictest in the nation (at least so far).  Copies of the laws and regulations are available for download at the White Space Resource Center.  These new regulations, which went into effect on March 1, 2010, mandate that all businesses that collect, handle or own certain information on Massachusetts residents institute and make available for inspection, a comprehensive written information security program.

Before you think, “Heck, my business is in not in Massachusetts, I don’t care what they say in Beantown,” hold on a minute.  The law does not care where your business is.  If you possess personal information on any Massachusetts residents, you are legally required to comply with the data security law.  And that is not necessarily a bad thing.  The better we secure our data, the more trust our customers will have in us.  So this is an opportunity to help secure your data and build trust among your customers.

Now that we know that there is a growing concern among state and federal regulators regarding data security, and that we should have a comprehensive data security policy in place, we must take the next step and create a policy that is in compliance with the law.  As the Massachusetts law provides a clear road map for compliance, in the next post we will examine the regulation in greater detail.  Specifically, we will look at the regulation point by point and discuss creating a compliant comprehensive written information security program.

Should you require any assistance in this matter, please do not hesitate to contact me.  If you have any thoughts on this subject, please leave a comment.  The more we share, the smarter we all become.

On March 15, 2010, the FED posted proposed modifications to the provisions of the CARD Act that will become effective in August 2010 and want your input.  Our blog has a brief and to the point summary, but if you love reading regulatory documents, we have the relevant section of Federal Register available for download as a PDF.  Happy reading.

Penalties would have to be “reasonable.”  We lawyers love the term reasonable.  It can mean just about anything depending on your point of view.  Charging a $29 late fee for a $15 payment that is a day late might seem completely reasonable to the likes of Bernie Madoff.  It would likely be seen as less reasonable to the person whose payment was delayed a day.  Under the new regulation, the punishment would have to fit the crime.  In other words, card issuers could not impose penalties that exceed the dollar amount of the infraction.  So in the example above, the fee could not exceed $15.00.

In addition, card issuers can only charge a customer one time for one violation (sounds pretty reasonable to me). So if you are late paying your bill, the company couldn’t keep charging you a late fee for that one incident.

Paying not to pay:  Some credit card companies were going to charge you for failing to use their cards.  Under the proposed regulation, card issuers could not charge you for inactivity.  So if you keep your card in your wallet, you can still keep your money there too. 

Increasing Rates:  Under the new legislation, card companies could not arbitrarily raise your interest rate.  The issuer would have to cite specific reasons for raising your interest rate.  Further, if your rate increased after January 1, 2010, the company would have to evaluate your account from time to time.  If the reason your rate was increased were no longer an issue the company would have to reduce the rate.

Stay tuned.  I am sure we have not heard the last of the proposed changes to the CARD Act.  After all, August is still five months away.  What has been your experience with the CARD Act to date?  Let us know by leaving a comment.

All of this back and forth can cause compliance issues for businesses and uncertainty for customers.  As we know, uncertainty can cause stress, fear and anxiety.  To make matters worse, that uncertainty hinders any economic recovery.  Good, bad or indifferent, the United States economy needs confidence and credit, to grow.  The smaller the supply of either, the less opportunity there is for economic growth.  If I lose my credit card rewards program, I might not have the confidence in my financial ability to take that trip I was planning.  After all, I only budgeted for hotel and meals, but planned to use reward miles for the flight.  Because of the uncertainty caused by my credit card situation, I might call off the whole trip.  That means there is less money being pumped into the economy and the seemingly perpetual downward spiral continues.  If customers are concerned that they might have to pay higher annual fees to keep their credit cards (because banks desperately need to recover lost revenue), that is money customers will not spend.  And the spiral continues. Notice I said if “customers are concerned” that the bank is raising fees they will not spend.  The bank might not ever actually raise the fees, but the concern is enough to change spending behavior.  Therefore, the companies that want to emerge from this recession as market leaders need to factor human psychology into their marketing and communication strategy more than ever before.

How does this apply to TransPromo and customer communications?  (Yes, I do have a point.  Did you doubt me?)  Note that I referenced the fear and uncertainty as factors potentially hindering economic growth.  This has always been an issue in Keynesian economics.  Today, however, this uncertainty is far more acute as people cope with their belief  that it was the banking system and government, the very entities charged with ensuring the smooth operation of the economy, that let them down.  Today people fear for their future and their children’s future, they are uncertain about what, if anything , the government can, or should, do to help turn around the economy.  Confusion reins when it comes to health care, taxes, environmental protection, deficits and war.   It is no wonder that there has been an increase in people seeking assistance from mental health professionals to cope with lost jobs, lost homes, and lost self-esteem.  Intelligent credit card issuers must seize the opportunity to communicate with their customers consistently, honestly, personally and in a manner that builds trust and confidence.  In their book, Animal Spirits: How Human Psychology Drives the Economy, and Why It Matters for Global Capitalism, George A. Akerlof and Robert J. Shiller (here is the NY Times Book Review), the authors argue that like the Great Depression in 1929, the current economic crisis is the result of human psychology more than monetary policy.

So again, what the heck does this have to do with TransPromo?  I put it to you that smart organizations, financial institutions as well as every other company that wants customers, need to start communicating more effectively with their customers to calm them down and to keep or gain their trust.  Further, sending 12 page, static “modifications” to card holder agreements is not going to do the trick.  Sure, there were strategic reasons banks did this.  But those reasons cause further mistrust and did not help explain, in plain English, what changes are going to impact THAT PARTICULAR CUSTOMER.   That is where TransPromo comes in (you thought I would never get there, didn’t you?).  Personalized communications, with messages that help to alleviate fear and anxiety, will go a long way toward building that trust.  Earning that customer confidence will make your company the trusted one people want to deal with when things get better.  And things will get better.

Now is the time to build an integrated communication strategy.  Now is the time to plan your goals, plan how you will reach those goals, plan how to measure your progress toward those goals and plan how to improve your results. TransPromo is a means to accomplish all of this in a way that is almost guaranteed to be seen by the customer.  So put clear, personalized information on your transactional documents.  Don’t just do what is legally required and nothing more.  Go the extra mile and provide as much information as the customer can use.  Knowledge is power.  When people feel they have more power, they are more confident.  When customers and prospects feel more confident, and your company is the source of that positive emotion (even if it is subconscious), they will trust your company over your competition.  Therefore, a laser-like focus on earning your customer’s trust must be a priority for every person in your organization.

All of the new regulations and all of the changes to those regulations present an opportunity to differentiate your company, to separate your company from pack.  TransPromo is but one tool to accomplish this, but it is a powerful tool.  You will surely need other tools to complete a comprehensive strategic communication plan, and we will address those other tools in future articles.  The take-away here is that in these times of uncertainty, developing a communication strategy that builds trust and confidence will earn you rewards that dwarf the investment.

As always, if you have any questions, please contact us.  Our mission at White Space is to help our customers build communication strategies that foster trust and create good will.  If you have any thoughts or experiences you would be willing to share, please leave a comment.  We are all smarter together than any of us are alone.

In the interest of not losing every one of my readers, I will spare you the details of all of the amendments.  But there are some important (and funny) issues raised in a select number of these amendments and I wanted to share them with you so we can avoid some of the penalties for non-compliance.

As it is the first amendment offered, looking at Amendment 1 seemed as good a place to start as any.  It is also quite relevant in how payments are made and fees charged.  In addition, for those of us in the TransPromo world, this pertains to how offers, applications and contracts are printed and precisely what is contained on them.  Therefore, we really are looking at detailed issues related to document compliance.

Pay to Pay

This amendment, offered by Democrat Luis Gutierrez representing the 4^th Congressional District of Illinois was accepted on April 30, 2009.  In essence, one of the things this amendment does is allow credit card companies to charge you for paying your bill.  Well, that characterization might be a tad unfair, (nah , it’s fair).  Do you agree?  Read on, decide, and please let us know what you think.

This amendment allows credit card issuers to charge you and me, regular consumers, for making expedited payments by telephone.  Of course, card issuers cannot simply charge people whenever they want.  Under the amendment, the consumer must request such an expedited payment (apparently, they do not have to request the associated fee).

So in order to pay your bill on time and avoid a late fee, you will be charged an expedited processing fee.  No, I am not joking.  Now practices will vary among card issuers, so do your homework here.  What companies charge for late fees and expedited payments will vary greatly so read all of your mail from your card companies.  The devil is in the details.

Document Mandates – How Big is Your Font?

This amendment also requires that all credit card offers (and solicitations and contracts, etc…) notify prospective applicants that excessive credit applications can adversely affect their credit rating.  QUESTION:  if a person is making an excessive number of credit card applications, do you think they are really concerned about their credit rating?

Like much of the rest of the bill, the implementation of this is left to the Board of Governors of the Federal Reserve. This my friends, is where the wheels come off the cart.  The “suggested” guidelines have creditors supplying cardholders with information regarding the availability of legitimate and accredited credit counseling services.  Therefore, we have lenders collecting fees when they receive payments from people they know have bad credit because they have applied for a bazillion credit cards, but at least they are being offered the name of a credit counselor, in writing.  Perhaps it is even on a transactional document.  Lenders can use the effectiveness of this medium to prove they communicated with their customers in writing.

Font sizes

However, not just any writing will do.  Congress, loath to read bills themselves, requires all written information on any application, solicitation or agreement for any credit card account appear in no less than 12 point font.  Yup, the leaders of the United States of America, a country in economic turmoil dealing with massive deficits, fighting wars all around the globe, are spending their time mandating *&^#% font sizes.  And, just in case you are applying for your card in a store, the font police got your back there, too.  Businesses who are self-issue credit must display a “large, visible sign” at counters with the same information that is required to be disclosed on the application itself.

The problem: they don’t say what size font must be used on the signs.  Some lawyer’s kid will get their braces paid for with tax dollars when this oversight is litigated (and it will be litigated).  Folks, I can’t make this stuff up.  It’s nuts, but it’s the law.

Stay tuned for more, or subscribe to the feed so you don’t miss one important (or silly) compliance issue.  While we try to look at this stuff with a bit of humor, it is important to your business.  And if you are concerned that the intricacies of these laws could impact your company, it would be wise to get some professional input.

After all, if you have a small font (hey, I thought size didn’t matter!) it might be more than just the guys at the gym harassing you!

 One part of the law requires credit card issuers mail or deliver periodic statements at least 21 days before they are due.  That is a change from the prior law, which was 14 days.  Another part of the law that became effective August 2009 requires card issuers provide at least 45 days notice of any APR increase or other significant change in terms. 

Please notice that these laws are all focused on CUSTOMER COMMUNICATION. 

Massive Legislation - the cure for insomnia

 Come February 22, 2010, we will have to deal with laws that are completely reshaping the way we handle transactional documents.  The law imposes requirements that are likely add at least a half page to the average statement.  This is a great opportunity for everyone in the TransPromo and marketing field. 

 An opportunity to open a dialog with our customers.  An opportunity to use individual statements not only to comply with the law, but also to improve our communications with customers.