In fact, an onslaught of security breaches has prompted states like Massachusetts to create strict security breach prevention regulations. This regulation, the strictest in any state, will likely become the standard for the nation.
By March 1, 2010, no matter where they're based, all companies who hold sensitive personal information on one or more Massachusetts citizens must have a written information security program (ISP). These companies must also implement other safeguards that require thorough IT environment reviews. If professionals don't comply, they may face severe consequences, including lawsuits, costly fines, loss of clients and a negative reputation.These new information security program laws will significantly impact the way the personal information of clients is handled in the future. It's critical that professionals who work with client personal information, including IT consultants, CPAs and attorneys, follow specific, proactive steps to ensure they're in compliance. At a minimum, they must: identify administrative, technical and physical risks associated with personal information security; secure servers, networks, laptops, flash drives and portable hard drives; encrypt email containing PII; terminate employee access to personal information; develop a detailed security breach incident response plan; manage record destruction properly; train employees in information security procedures; and conduct the required annual program review.
Although companies have the best intentions, most are unprotected and unintentionally risking security breaches that could be devastating to their businesses. The new compliance regulations aim to protect both the companies and their clients from exposure.
