Kevin T. White, CPA
Massachusetts' data security regulation, 201 CMR 17.00, placed stringent new requirements on companies and organizations that hold customers' personal financial information. These data security measures also carry harsh penalties for companies found not to be in full compliance after the March 1, 2010 deadline, exposing businesses that fail to adequately protect credit card, debit card, bank account or other financial information to potential fines of more than $100,000.
Compliance with this law is essential, not only for the protection of customers’ personal financial information, but for the protection of these companies and organizations from these damaging fines.
The problem is that while many companies may be aware of these requirements, there does not seem to be an across-the-board sense of urgency to comply with them. A recent article in The Boston Globe serves as a cautionary tale about the dangers of noncompliance: the newspaper reported that a restaurant chain reached a $110,000 settlement with the Massachusetts Attorney General's Office over inadequate controls that allowed customers' credit and debit card information to be stolen.
Massachusetts businesses, not-for-profits and other organizations need to take heed of this law and take steps to adhere to it, if they haven’t already. The tone must be set from the top down and made part of the daily culture; if not, it is more than likely that one day a customer's credit card information will be stolen and used in a fraudulent transaction.
Once this happens, as that restaurant chain learned, the results are not pretty. The breach must be reported to the state, which then conducts a comprehensive audit of the controls at the business, or the lack of them. After that, steep fines can be assessed for noncompliance, and the company or organization suffers as a result.
The good news is that once a written information security program (the plan the regulation requires) is in place, there is a series of steps a business or organization can take to avoid future trouble:
- Update the plan annually. Companies should perform a risk assessment and determine whether changes in technology, people or processes require revisions to the plan.
- Make it mandatory. All new employees should be required to review the plan. Ideally, have them take a short quiz to confirm they have read and understood it.
- Monitor compliance. Are employees taking credit card information over the phone and writing it down, keeping individual account information on their desks (including employee payroll information), storing data on a laptop or USB drive that is not encrypted, or sending e-mails that include personal data without encryption? If so, violations could be occurring on a daily basis.
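The "monitor compliance" step is easier to act on when it is partly automated. The script below is an added example, not code from the original article or from BlumShapiro: it scans text for strings that look like payment card numbers (13 to 19 digits, with or without spaces or hyphens), keeps only those that pass the Luhn check that real card numbers satisfy, and reports them in the usual truncated form (first six and last four digits). Run over exported spreadsheets, mailbox dumps or files on a shared drive, it points at places where card data is being kept in clear text. The sample text is constructed for the example; the file paths and the decision to treat any Luhn-valid hit as a finding are assumptions, and Luhn validation reduces but does not eliminate false positives (order numbers and phone numbers occasionally pass), so every hit still needs a human look.

```python
"""Find payment card numbers stored in clear text (added illustration).

Not the article's or the firm's own tooling.  Assumes that any
Luhn-valid 13-19 digit run is worth a reviewer's attention.
"""
import re
import sys
from pathlib import Path

# 13 to 19 digits, each optionally followed by a space or hyphen,
# not glued to other digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncate to first 6 + last 4, the form that may be displayed/stored."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers in text, digits only, in order."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Reject repeated-digit runs such as 0000000000000000, which pass Luhn.
        if 13 <= len(digits) <= 19 and luhn_ok(digits) and len(set(digits)) > 1:
            hits.append(digits)
    return hits


def report(text: str) -> list:
    """(line number, masked PAN) for every finding, for a reviewer to follow up."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for digits in find_pans(line):
            findings.append((lineno, mask_pan(digits)))
    return findings


def scan_files(paths) -> dict:
    """Map each path that contains clear-text card numbers to its findings."""
    results = {}
    for p in paths:
        try:
            text = Path(p).read_text(errors="replace")
        except OSError:
            continue          # unreadable file: skip, do not crash the scan
        findings = report(text)
        if findings:
            results[str(p)] = findings
    return results


# Constructed sample: the 4111..., 5555... and 3782... numbers are the well
# known test card numbers, not real accounts; the last two lines must not match.
SAMPLE_TEXT = """\
Phone order 12 Mar: card 4111 1111 1111 1111 exp 04/12, J. Smith
Refund to 5555-5555-5555-4444 approved
Amex 378282246310005 on file for corporate travel
Invoice number 4111111111111112 (not a card, fails Luhn)
Call back on 617-555-0100
"""

if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path, findings in scan_files(targets).items():
            for lineno, masked in findings:
                print(f"{path}:{lineno}: {masked}")
    else:
        for lineno, masked in report(SAMPLE_TEXT):
            print(f"sample:{lineno}: {masked}")
```

Invoked with file paths it prints `path:line: masked-number` for each finding; with no arguments it runs against the embedded sample. Masking in the output is deliberate: a compliance report that itself lists full card numbers would create a new copy of the very data the scan is meant to find.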
Good data security procedures make good business sense, and they can be implemented at modest cost, especially when compared with the potential fines that can be levied by the Attorney General's Office. The right tone set at the top by the president, CFO or CIO can prevent problems down the road.
Kevin T. White, CPA, is a partner with BlumShapiro, based out of the firm’s Rockland, MA office. BlumShapiro is New England’s largest regional accounting, tax and business consulting firm based in Connecticut, with offices in West Hartford, Shelton and Westport, CT and Rockland, MA. The firm serves as business advisors for today’s leading middle market companies, non-profit organizations and government entities, working to strategically tailor and consistently deliver tested solutions for unlocking an organization’s full potential. For more information about BlumShapiro, visit blumshapiro.com.