I found an interesting article over at meeb.com, a law firm that appears to specialize in real estate and property law. I was looking up 201 CMR 17.00 compliance information (the compliance date was March 1, 2010) and happened upon a discussion of how condominium managers are affected by Massachusetts's data breach notification and encryption regulations.
As discussed a couple of times previously, the MA 201 CMR 17 penalties have some teeth to them: a maximum of $5,000 per violation, although it is not yet clear what "violation" means exactly. Per file? Per affected resident's name? Per lost computer? Obviously, many businesses are affected by this law. However, I had somewhat forgotten that it is a data protection law, not a "consumer" data protection law, which is why the fact that condo managers need to follow it came as something of a surprise, although it shouldn't have.
Why do condo managers need to see if they're in compliance with 201 CMR 17? For at least two reasons:

1. They have employees. If a company has any employees, even just one, it is required to keep W-4 and I-9 forms (for tax withholding and employment eligibility verification). These forms require first and last names, SSNs and/or other identifying information, and must be retained by the company for at least three years. Obviously, this data has to be protected per 201 CMR 17.

2. Direct payment / automatic withdrawal. As noted in the article, many property management companies offer a direct payment program, where the biller automatically withdraws money from a resident's bank account. Financial information such as bank account numbers must also be protected from breaches when it is combined with first and last names.

Guess who's making a trip down to the lobby, where the management office is, to see if his information is protected?
One thing to keep constantly in mind is that this is an information breach law. The fines and penalties apply even if a file full of paper documents is lost. For example, a folder full of direct payment authorization forms goes missing? Chances are you'll be fined for that, assuming the folder was not secured in a locked file cabinet. What matters is the information itself, not the form it takes. Make sure you are not concentrating your efforts solely on laptop encryption like AlertBoot, internet firewalls, anti-virus software, and the like.
Related Articles and Sites:
http://www.meeb.com/articles/ID%20theft.pdf