Data Privacy Laws Don’t Guarantee Compliance
- Date: 2 November 2011
- Author: broyer
- Category: data privacy, News
If I’ve said it once I’ve said it a hundred times: just because you enact a law doesn’t mean compliance with it immediately follows. Take the ban on texting while driving. Great concept. Good law. But mostly ignored and rarely enforced. In Massachusetts, for example, only 245 citations for texting while driving had been issued through July 7. It doesn’t take a genius to figure out that the folks who get caught are probably about one percent of those actually doing it.
On the other end of the spectrum, and slightly more germane to this post, on September 21 the Boston Globe reported that personal information from nearly one out of three Massachusetts residents — from names and addresses to medical histories — has been compromised through data theft or loss since the beginning of 2010, according to statistics released by the office of Attorney General Martha Coakley. The “net-net” of that is that more than 2 million of the state’s 6.6 million residents have been the victims of deliberate acts of theft of their identity, their records, their accounts, and so on. All this is taking place in the legislative wake of MASS 201 CMR 17, still the most rigorous data and customer privacy law in the land.
As the Globe article correctly summarizes, all companies doing business in Massachusetts must — as a result of this law — inform consumers and state regulators about any security breaches that might result in identity theft.
That could include leaks of individual names along with other sensitive information, such as Social Security numbers or bank account, credit card, and debit card numbers. The law was passed in 2007, after hackers stole 45 million credit card numbers from Framingham-based retailer TJX Cos.
Coakley said that her office is just beginning to analyze the reports to find out whether the law is helping to reduce data breaches. But she predicted the problem will get worse as more Americans store vital personal data on various computer networks. “There is going to be more room for employee error, for intentional hacking,” Coakley said. “This is going to be an increasing target.”
The attorney general’s office has received 1,166 data breach notices since January 2010, including 480 between January and August of 2011. About 2.1 million residents were affected by the various incidents, though it’s unknown whether any of them were actually defrauded as a result of the data leaks.
Of the reported incidents, 25 percent involved deliberate hacking of computer systems containing sensitive data. Another 23 percent involved accidental sharing of information with unauthorized people, such as sending faxes or e-mails with personal information to the wrong recipient. In 15 percent of cases, retailers reported the theft of customer credit card numbers. Data was also lost through thefts or accidental losses of laptop computers and paper documents, or in cases in which workers deliberately gained unauthorized access to client files.
The biggest single data breach in the report occurred last July, when South Shore Hospital in South Weymouth said it lost 14 years’ worth of records on 800,000 patients, employees, volunteers, and vendors. The hospital blamed an outside data management company for losing a batch of records they had been ordered to destroy.
Other major breaches included an incident in May, when the state’s Executive Office of Labor and Workforce Development found a virus in its computer system that transmitted data to unidentified hackers.
The agency said that files on 210,000 state residents were compromised. A similar virus attack in June affected the records of more than 2,000 patients at Beth Israel Deaconess Medical Center.
While there can be little debate that having MASS 201 CMR 17 is a good idea (in fact, I think it’s highly necessary, if only to hold companies criminally as well as civilly accountable for their mistakes), it is, much like the ban on texting while driving, only as good as the mechanism available to enforce it. If you can enforce it, it becomes a deterrent. If you can’t, it becomes a winner-take-all event, and the citizenry inevitably winds up on the short end of the stick.
Take steps now to protect your data and avoid punitive measures against your business. Call Venyu today and have peace of mind that you’re doing your part to look after both the interests and the identities of your customers.