Data Breaches and Knowledge Management

One of the features of the new Massachusetts Data Privacy Law is that it forces some knowledge management on companies in the context of data breaches.

Since the law required compliance on or before March 1, 2010, I assume you already have the policy and safeguards in place. That is, if you have social security numbers, driver's license or state ID numbers, or financial account information for any Massachusetts resident in your computer systems or files. Yes, the law reaches beyond the borders of Massachusetts and is not limited to Massachusetts companies.

201 CMR 17.03(h) and (i) require regular monitoring of your program and a periodic review of its scope.

201 CMR 17.03(j) goes on to require that you document any responsive actions, have a post-incident review and document any changes to your program after the review. That sounds a lot like knowledge management to me.

The Office of Consumer Affairs and Business Regulation has published a handy 201 CMR 17.00 Compliance Checklist (.pdf). You should also review and be familiar with the law itself, contained in 201 CMR 17.00 Standards for the Protection of Personal Information (.pdf).

Image is by Darwinek in Wikimedia Commons: Flag Map of Massachusetts

Today is the Deadline for the Massachusetts Data Privacy Law

March 1 is the compliance deadline for the Massachusetts Data Privacy Law. 201 CMR 17.00 requires you to be in full compliance on or before March 1, 2010 (the deadline was originally January 1, 2009, and was then pushed to January 1, 2010, before landing on March 1, 2010).

If your company receives, stores, maintains, processes or otherwise has access to “personal information” acquired in connection with employment or with the provision of goods or services to a Massachusetts resident, you are subject to the requirements of 201 CMR 17.00.

If you have employees or customers in the Commonwealth of Massachusetts, then you are subject to this law. The law is not restricted to companies located in Massachusetts. And if you are located in Massachusetts, then you have Massachusetts employees and their personal information, which makes you subject to the requirements of the law.

The law is a bit watered down since its initial form, but you still need to pay attention to it. There are some reasonableness standards in the requirements that make it easier to comply. You still need a policy, need to inventory your stores of “personal information” and educate your employees about the importance of safeguarding personal information.

The Office of Consumer Affairs and Business Regulation has published a handy 201 CMR 17.00 Compliance Checklist (.pdf).

You should also review and be familiar with the law itself, contained in 201 CMR 17.00 Standards for the Protection of Personal Information (.pdf).

Since today is March 1, you still have a few hours to get things in place to be compliant with the law. If you haven’t taken the proper steps, stop reading and go do it.


New Massachusetts Lobbying Law is now in Effect


In mid-2009, the Massachusetts Legislature was rocked by the highly public federal indictments of a state senator and of the Speaker of the Massachusetts House. In response, the legislature passed a sweeping overhaul of its campaign finance, lobbying and government ethics laws.

The new rules in the Commonwealth went into effect on January 1. (Massachusetts is a commonwealth, not a state, which is of course a longer word but has no legal significance.)

Until last week, “lobbying” was limited to direct contact with elected officials or other government employees. With the new law in place, “executive lobbying” and “legislative lobbying” have much broader definitions.

“Executive lobbying,” any act to promote, oppose, influence, or attempt to influence the decision of any officer or employee of the executive branch or an authority, including but not limited to, statewide constitutional officers and employees thereof, where such decision concerns legislation or the adoption, defeat or postponement of a standard, rate, rule or regulation promulgated pursuant to any general or special law, or any act to communicate directly with a covered executive official to influence a decision concerning policy or procurement; provided further, that executive lobbying shall include acts to influence or attempt to influence the decision of any officer or employee of a city or town when those acts are intended to carry out a common purpose with executive lobbying at the state level; and provided further, that executive lobbying shall include strategizing, planning, and research if performed in connection with, or for use in, an actual communication with a government employee; and provided, further, that “executive lobbying” shall not include providing information in writing in response to a written request from an officer or employee of the executive branch or an authority for technical advice or factual information regarding a standard, rate, rule or regulation, policy or procurement for the purposes of this chapter.

You have to register if you are an “executive agent” or “legislative agent.” There are four parts to those definitions. You are an agent if you:

  • engage in executive or legislative lobbying (defined by the statute)
  • receive compensation for lobbying in excess of $2,500 in a six-month reporting period as regular salary or payments for lobbying
  • spend 25 hours or more engaged in lobbying activities in the 6 month reporting period
  • personally make at least one direct lobbying communication with a government employee.

Having trouble following along? The Secretary of the Commonwealth put together a flow chart (.pdf).


Data Accountability and Trust Act Passed by House


The Data Accountability and Trust Act (H.R. 2221) was passed by the House on Tuesday. This act would require the Federal Trade Commission to promulgate regulations requiring each person engaged in interstate commerce that owns or possesses electronic data containing personal information to establish security policies and procedures.

This bill would preempt any state laws in the area, wiping out the Massachusetts Data Privacy Law (see: Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)).

I think it’s a good thing to have a national standard in this area. The transient nature of personal data makes it hard to associate with a particular state. That means the most restrictive of the various state laws ends up becoming the de facto national standard.

The downside is that we would have to wait for the FTC to draft the rules, go through the comment period and wait for implementation.

Of course, the Data Accountability and Trust Act is not the law yet. As I learned from Schoolhouse Rock, H.R. 2221 is singing:

I’m just a bill.
Yes, I’m only a bill.
And I’m sitting here on Capitol Hill.
Well, it’s a long, long journey
To the capital city.
It’s a long, long wait
While I’m sitting in committee,
But I know I’ll be a law someday
At least I hope and pray that I will,
But today I am still just a bill.

Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)


Massachusetts has revised its data privacy regulations one more time. The revised regulations are less demanding than the original version released over a year ago. But this law is still the strictest in the country and will be the de facto law of the land for many companies.

The Office of Consumer Affairs and Business Regulation issued a press release announcing that the revised regulations have been filed with the Secretary of State and published on the OCABR website.

Fortunately, Gabriel M. Helmer of Foley Hoag’s Security & Privacy practice produced a redline showing the changes.

There are very few changes to the regulations that were released in August:

  • The Massachusetts Data Privacy regulations apply to anyone who “stores” personal information, in addition to those who receive, maintain, process, or otherwise have access to personal information.
  • The definition of “Service Provider” now includes anyone who “stores” personal information through the provision of services, in addition to those who receive, maintain, process, or otherwise are permitted access to personal information.
  • The U.S. Postal Service is no longer expressly excluded from the definition of “Service Providers.”
  • Service Provider agreements entered into before March 1, 2010 do not have to be amended to comply with these regulations until March 1, 2012.

The effective date is still March 1, 2010.

The regulations apply to personal information of Massachusetts residents. The reach of the regulations is not limited to businesses in Massachusetts.


No Bribe, Just a Thanks


The Commonwealth of Massachusetts Ethics Commission fined Norfolk property developer Jack Scott for violating section 3 of M.G.L. c. 268A, the conflict of interest law, by offering an illegal gift to a municipal employee. Scott offered a free week’s stay at his fly-fishing cabin in Pennsylvania to the chairman of the Norfolk Conservation Commission at a time when Scott had matters pending before the Commission.

My favorite part is this statement from Scott to the Chairman in an email:

Lastly when you step down from the commission so no one in this dame [sic] town can say anything about anything my cabin is yours for a week with your family… the best trout fishing in the east and great for the kids. Jeff no bribe just a thanks for being on the up and up with us regardless of how this all plays out. [my emphasis]

Just saying that something is not a bribe does not work. If you offer something of value to a public official while you have a matter in front of that official, it is going to be treated as a bribe.

Press release: Norfolk Property Developer Jack Scott Fined $2,000

Decision and Order in Mass. Ethics Comm. In the Matter of John F. Scott – hosted on JD Supra

Image is by koliver

Massachusetts Amends Strict Data Privacy Law (Again)


UPDATE: Another revision was published on November 5, 2009. See: Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)

The Massachusetts Office of Consumer Affairs and Business Regulation has decided to amend the strict data privacy law and extend the deadline for compliance. This is yet another amendment to the regulations. The last amendment had extended the compliance deadline to January 1, 2010.

In keeping with Governor Deval Patrick’s commitment to balancing consumer protection with the needs of small business owners, the adjustments to Massachusetts’ identity theft regulations allow some flexibility in compliance by small businesses. The regulations now have a risk-based approach that may make it easier on small businesses that may not handle a lot of personal information about customers. Under a risk-based approach, a business, in developing a written security program, can take into account its size, nature of its business, the kinds of records it maintains, and the risk of identity theft posed by its operations.

Key amendments to 201 CMR 17.00 include:

Section 17.01 (1) The purpose of the regulation was amended to include language from M.G.L. c. 93H.

Section 17.01 (2) The scope of the regulations was revised to cover “persons who own or license personal information”. The section removes the previous regulatory language covering those that “store or maintain personal information”.

Section 17.02 The encryption definition was amended to be technology neutral. A definition for the term “owns or licenses” was added to focus the protection of personal information on information held “in connection with the provision of goods or services or in connection with employment”. A new definition for the term “service provider” was added.

Section 17.03 (1) The duty-to-protect rules now take into account the size and scope of a firm in the development and implementation of a written information security plan. (2) Amends and removes some requirements for the written information security plan. (f) Amends the third-party vendor rules and provides a two-year window for bringing existing contracts into compliance.

Section 17.04 Amends the computer system requirements for persons that own or license personal information, who must include in their written information security plan a security system covering their computers “that, at a minimum, and to the extent technically feasible, shall have the following elements”.

Section 17.05 Amends the effective date of the regulations to March 1, 2010.

There will be a hearing on the revised regulations commencing at 10:00 a.m. on Tuesday September 22, 2009, in Room No. 5-6, Second Floor of the Transportation Building, Ten Park Plaza Boston, Massachusetts 02116. Interested parties will be afforded a reasonable opportunity at the hearing to present oral or written testimony. Written comments will be accepted up to the close of business on September 25, 2009. Such written comments may be mailed to: Office of Consumer Affairs and Business Regulation, 10 Park Plaza, Suite 5170, Boston, MA 02116, Attention: Jason Egan, Deputy General Counsel, or e-mailed to [email protected].


Webinar Materials for: Preparing for the strictest privacy law in the nation


As a follow-up to Wednesday’s lunchtime webinar sponsored by Knowledge Management Associates, I wanted to post some materials for those of you who missed it and for those looking for notes and details.

The slide deck:

Massachusetts General Laws Chapter 93H
http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm

201 CMR 17.00 (as amended)
201CMR17amended.pdf

Compliance Building Posts on Mass. Data Privacy
https://www.compliancebuilding.com/tag/mass-data-privacy-law/

New Massachusetts Campaign Finance, Ethics and Lobbying Law


After the well-publicized scandals involving Salvatore DiMasi and Dianne Wilkerson, the lawmakers on Beacon Hill yesterday passed ethics legislation banning politicians from accepting gifts and raising the consequences for ethics violations.

The Governor had threatened to veto a sales tax increase unless this act was passed, along with reforms of the pension system and the transportation network.

Here are some of the highlights of the new ethics law:

Gift Ban

  • Prohibits public officials from accepting gifts of “substantial value” for or because of their position.
  • Bans lobbyists from giving gifts.

Tougher Penalties

  • Increases the maximum punishment for bribery to $100,000 and 10 years imprisonment.
  • Increases the maximum penalties for conflict of interest law violations involving gifts and gratuities, revolving door violations and other abuses to $10,000 and 5 years imprisonment.
  • Increases penalties for a civil violation of the conflict of interest laws from up to $2,000 per violation to up to $10,000 per violation. For bribery, the civil penalty would increase to $25,000.
  • Increases the civil penalty for a violation of the financial disclosure law from $2,000 per violation to $10,000 per violation.
  • Increases the criminal penalty for violating registration-related lobbying rules to up to $10,000 and 5 years imprisonment.

Stronger Lobbying Laws

  • Defines lobbying to include background work, strategizing, research and planning.
  • Expands the revolving door provision to apply to members of the executive branch.
  • Reduces the amount of allowable incidental lobbying from 50 hours in each 6-month reporting period to 25 hours in each 6-month reporting period.

Expanded Enforcement Authority

  • Makes compliance with the Ethics Commission’s summons mandatory.
  • Grants the Secretary of State authority to impose fines and to have the same civil enforcement authority over lobbying violations as the Ethics Commission has over ethics violations.
  • Gives the Attorney General concurrent jurisdiction with the Ethics Commission to enforce civil violations of the conflict of interest laws.

Enhanced Campaign Finance Laws

  • Eliminates arrangements between state political parties and elected officials.
  • Bars individuals from making committee checks to themselves.
  • Requires disclosure of expenditures and sources of funding for any anonymous third-party campaign mailings or ads that support or criticize a candidate or campaign.
  • Increases penalties for late-filed campaign finance reports.

Open Meetings

  • Expands and better defines the requirements of the open meeting law


You’re a Victim of a Ponzi Scheme, But What About Your State Taxes?


You missed the warning signs and got suckered into a Ponzi scheme. The IRS has offered some tax relief for long-term Ponzi scheme investors (like some of the Madoff victims) who paid taxes on phantom gains from the investment. The IRS clarified the federal tax law governing the treatment of losses in Ponzi schemes and set out a safe harbor method for computing and reporting the losses.

The revenue ruling (2009-9) addresses the difficulty in determining the amount and timing of losses from Ponzi schemes and the prospect of recovering the lost money. The revenue procedure (2009-20) simplifies compliance for taxpayers by providing a safe-harbor for determining the year in which the loss is deemed to occur and a simplified means of calculating the amount of the loss.

But what about state taxes?

California: On March 25, 2009, the California Franchise Tax Board announced that the federal guidance (Revenue Ruling 2009-9 and Revenue Procedure 2009-20) regarding the treatment of Madoff-related or other Ponzi scheme losses would be generally applicable for California purposes.

Connecticut: On April 9, 2009, the Connecticut Department of Revenue Services released Connecticut Announcement No. 2009(7), which describes the effect for Connecticut income tax purposes of the reporting of Madoff-related or other Ponzi scheme losses under the Revenue Procedure 2009-20 safe harbor and under Revenue Ruling 2009-9. In general, Connecticut does not allow federal itemized deductions for Connecticut income tax purposes. Thus, any theft loss deduction claimed by a taxpayer under the Revenue Procedure 2009-20 safe harbor will not affect a taxpayer’s 2008 Connecticut income tax liability. However, if the amount of a taxpayer’s theft loss deduction allowed under Revenue Ruling 2009-9 or Revenue Procedure 2009-20 creates an NOL, then the taxpayer must file amended Connecticut income tax return(s) for the year(s) to which such NOL may be carried back for federal income tax purposes.

Massachusetts: On March 20, 2009, Massachusetts issued: “Notice—Individual Investors; Investments in Criminally Fraudulent Ponzi-type Schemes and Reporting of Fictitious Investment Income.” Massachusetts did not adopt the Revenue Procedure 2009-20 safe harbor in the case of individual investors since Massachusetts tax law does not recognize the theft loss deduction provided under federal tax law.

New Jersey: On April 2, 2009, the New Jersey Division of Taxation issued guidance on the treatment of Madoff-related or other Ponzi scheme losses for New Jersey gross income tax purposes. Under this guidance, taxpayers are allowed a theft loss deduction for New Jersey gross income tax purposes in an amount equal to the original investment plus the income reported in prior years minus distributions received in prior years. New Jersey does not allow NOL carrybacks or carryforwards.

New York: On May 29, 2009, the New York State Department of Taxation and Finance issued guidance TSB-M-09(7)I (.pdf) on the reporting of Madoff-related or other Ponzi scheme losses. In general, New York State will recognize the Revenue Procedure 2009-20 safe harbor.

For more information, Seyfarth Shaw put together a summary: Some States Have “Weighed In” on Tax Treatment of Madoff-Related and Other Ponzi Scheme Losses (.pdf)