<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Ask the IT Consultant &#187; compliance</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/it-consulting/tag/compliance/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/it-consulting</link>
	<description>Boston SIM Consultants' Roundtable Blog</description>
	<lastBuildDate>Sat, 27 Apr 2013 21:32:19 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Massachusetts Privacy Laws Compliance &#8212; Part 2</title>
		<link>http://itknowledgeexchange.techtarget.com/it-consulting/privacy-laws-compliance-part-2/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-consulting/privacy-laws-compliance-part-2/#comments</comments>
		<pubDate>Tue, 07 Jul 2009 12:00:55 +0000</pubDate>
		<dc:creator>Davidatkma</dc:creator>
				<category><![CDATA[Business Security]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[IT security]]></category>
		<category><![CDATA[Massachusetts privacy law]]></category>
		<category><![CDATA[Privacy protection]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-consulting/?p=163</guid>
		<description><![CDATA[Question: How can my organization establish a compliance program to meet the requirements of the Massachusetts Privacy Law 201 CMR 17.00? In a previous blog post on the pending Massachusetts Privacy Laws we outlined what was required to comply with the regulations, which probably left you a bit worried and uncertain about your next steps.  [...]]]></description>
				<content:encoded><![CDATA[<p><em>Question: How can my organization establish a compliance program to meet the requirements of the Massachusetts Privacy Law 201 CMR 17.00?</em></p>
<p>In a previous blog post on the pending <a title="Coming Soon to a Business Near You!" href="http://itknowledgeexchange.techtarget.com/it-consulting/privacy-law-compliance/" target="_blank">Massachusetts Privacy Laws</a> we outlined what was required to comply with the regulations, which probably left you a bit worried and uncertain about your next steps.  To help clear any previous confusion, we will delve into more details about managing a compliance program, to help avoid the risk of random acts of non-compliance that might get you and your company into serious legal trouble.</p>
<p>Basically, a compliance program is a management-directed, budgeted, operational business function &#8212; think program management 101. At a high level, the program should cover all the standard operational or business functions:</p>
<ul type="disc">
<li>Communications</li>
<li>People</li>
<li>Processes</li>
<li>Technology</li>
<li>Metrics</li>
</ul>
<p><strong>Communication: </strong> As with anything in business, communications can never be overemphasized, even if their importance is often overlooked.  The point is to keep the program on everyone&#8217;s mind.  Use standard communications tools such as announcements, posters, emails, newsletters, surveys and quarterly compliance reporting.  To really drive home the importance, link compliance communications to employee performance so that the desire to stay current is personally beneficial.</p>
<p><strong>People: </strong> Staff attitudes will determine the success of your compliance program; technology alone will not keep your data safe and secure.  Do not assume that everyone has a common understanding of compliance as you launch your program.  Staff training will help with common understanding and expectations, but you still need written job descriptions. Written roles and responsibilities are critical for setting expectations for meeting compliance objectives.  Identify a group coordinator role whose job it is to disseminate information and coordinate communications with the compliance program manager.</p>
<p><strong>Processes: </strong>The processes needed for developing and deploying a compliance program include: writing policies, conducting risk assessments, establishing regular compliance activities, being ready for any compliance incidents and maintaining a planned events calendar.  Focus the business processes that support compliance on the way your company uses and stores personal information (PI).  The policies should indicate that PI can only be stored in approved locations and that PI can only be used within approved guidelines.  Establish a hotline or question box so you can quickly respond to any compliance concerns related to a particular business practice.  Err on the side of caution.  It is far more prudent to delay a response in order to verify the need than to respond rapidly with possibly inappropriate information and expose your company to a potential fine or lawsuit.</p>
<p><strong>Technology: </strong> You have probably spent a great deal of resources maximizing information sharing to grow your company&#8217;s products and services.  So does that mean that you need to restrain this activity in the future?  Not exactly; compliance does not imply curtailing information sharing per se, but you do want to look at PI with a new pair of eyes to decide when, with whom and where you will share PI.  Being accountable does not mean you are restricted in your use of the information; it just means that you must protect and use it in a more aware manner.  To achieve this objective, you need controls.  We will visit this notion of controls in a future blog; for now, controls = protections.</p>
<p><strong>Compliance Metrics: </strong> Your compliance program is alive and changing on a minute-by-minute basis.  It is important to develop compliance metrics to monitor the success of your program.  The indicators are based on what you consider the most important factors to measure.  A few examples might include the percentage of people trained in compliance, the number of days since the last review of access logs, or the number of incidents that have been noted.</p>
<p>Don&#8217;t just sweep compliance under the rug and hope it goes away &#8211; it won&#8217;t.  You will not reach compliance after a breach.  Be proactive to be safe.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-consulting/privacy-laws-compliance-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Massachusetts Privacy Laws: Coming Soon to a Business Near You!</title>
		<link>http://itknowledgeexchange.techtarget.com/it-consulting/privacy-law-compliance/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-consulting/privacy-law-compliance/#comments</comments>
		<pubDate>Wed, 27 May 2009 17:00:18 +0000</pubDate>
		<dc:creator>Davidatkma</dc:creator>
				<category><![CDATA[compliance]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Identity theft]]></category>
		<category><![CDATA[Massachusetts privacy law]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-consulting/?p=91</guid>
		<description><![CDATA[Question: How can my organization prepare for the new Massachusetts Privacy Law 201 CMR 17.00 and why is it important? Massachusetts recently passed a new privacy protection law that is the strictest in the nation to date.  If you are not in Massachusetts you might not think it applies to your business, but if your organization [...]]]></description>
				<content:encoded><![CDATA[<p><em>Question: How can my organization prepare for the new Massachusetts Privacy Law 201 CMR 17.00 and why is it important?</em></p>
<p>Massachusetts recently passed a new privacy protection law that is the strictest in the nation to date.  If you are not in Massachusetts you might not think it applies to your business, but if your organization has any employees or customers in Massachusetts then you are affected by Massachusetts Privacy Law 201 CMR 17.00 &#8212; Standards For The Protection Of Personal Information Of Residents Of The Commonwealth.  In a nutshell, the law states that you need to place safeguards on any personal information (PI) that your company touches, either in electronic <strong>or</strong> paper form.  You will need to be in compliance with the law by 2010, so to get you started, here is a quick tutorial.</p>
<p>First, determine if you have any personal information (PI) that needs protection.  PI is defined as a combination of a person&#8217;s first and last name connected to any one of the following pieces of information: driver&#8217;s license number, credit card number or Social Security number. Specifically, you should examine the number of records, the people and processes that access it, how it is transmitted and where it is stored.  Ideally, you want to minimize the amount of information to what is needed to perform your business processes.  In addition, you want to keep it for as short a time as possible, and reduce the number of people and processes that have access to the data.  Following these best practices will reduce your liability and exposure under the law.</p>
<p>Here are some recommended steps to meet the legal requirements:</p>
<ul class="unIndentedList">
<li> <strong>Policy</strong> &#8211; Write a high level policy that indicates your company intends to comply with the spirit and letter of the law, completely.</li>
<li> <strong>Exposure</strong> &#8211; Give your business leaders and executives a crash course on the ramifications of the law in terms of business risk. A couple of hours should be enough to cover the basics.</li>
<li> <strong>Communication</strong> &#8211; Inform the company staff that the law is coming and request their help in meeting the compliance obligations.</li>
<li> <strong>Data classification</strong> &#8211; Create a classification scheme for all the likely PI types of information: Public, Company Private, Company Protected, etc.</li>
<li> <strong>Discovery</strong> &#8211; Use a search engine on suspected harbors of PI to find out where the PI resides in your data structures. Survey employees to identify PI in the workplace.</li>
<li> <strong>Need to know</strong> &#8211; Review job descriptions and note if a position requires PI access. Technical security policies can then be adjusted using role based security tools, such as Active Directory groups.</li>
<li> <strong>Lifecycle</strong> &#8211; Look at your business processes to understand the lifecycle of PI in your enterprise.</li>
<li> <strong>Administration</strong> &#8211; Assign a senior person to be responsible for compliance and have them assign business line or location deputies for enforcement. Make sure they have the proper authority.</li>
<li> <strong>Technical</strong> &#8211; Encryption options should be considered, but a policy that prohibits PI from being stored on a vulnerable laptop is a much easier solution.</li>
<li> <strong>Physical</strong> &#8211; Data centers, network closets and front doors need to be properly secured. This recommendation is just common sense even if you have no PI.</li>
<li> <strong>Training</strong> &#8211; Everybody, yes everybody, in the company should receive training, reminders and yearly refreshers on what information you are responsible for protecting and why.</li>
</ul>
<p>Hopefully these recommendations will smooth your path towards compliance and reduce risk.  Whatever you do, don&#8217;t just ignore Massachusetts Privacy Law 201 CMR 17.00; your business does not need the additional headaches.  So what are you waiting for?</p>
<p><em>David Goldstein, managing partner, and Sean Megley, a consultant at Knowledge Management Associates created this entry. </em></p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-consulting/privacy-law-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
