
Massachusetts Gets Tough On Data Security (Part Two)

Yesterday's post discussed new legislation to protect Massachusetts residents. As you might expect, some businesses have protested the changes. Forbes Magazine reported:

"Massachusetts business owners and advocates protested new identity theft regulations at a hearing, saying the rules to protect customers' credit card numbers and personal information will be too costly and time-consuming in a down economy. The Office of Consumer Affairs and Business Regulation hearing was about again extending deadlines for the rules, which require businesses to encrypt laptops, wirelessly transmitted data and consumers' financial and personal information."

The complaints are ones you'd expect to hear:

"... the identity theft law will impede interstate commerce, hurt job creation, and cost too much for small businesses who have to hire outside technology support and upgrade their systems."

Some experts estimated the cost of complying with the new law at $50,000 for a small business. The Massachusetts government estimated the cost at $10,000 for operation and maintenance in the first year. The companies asked the Massachusetts government to reissue the regulations on May 1, 2009 and give them two years to comply.

Two years? I can see some foot-dragging due to the recessionary economy. However, business-as-usual just won't work. 2008 saw a record number of data breach incidents and records lost or stolen, and that count reflects only the roughly 75 percent of companies that disclose the number of records stolen or consumers affected. So the real numbers are worse.

Plus, the cost of a data breach is rising significantly. These small businesses should compare the cost of compliance to the post-breach costs. $50,000 may seem like a lot, but at a post-breach cost of $202 per record, the break-even point is only 248 records. Most small businesses probably have more than 248 customers. So it is less costly for a small business to avoid data breaches by implementing strong data security now than to gamble with consumers' sensitive personal data and incur large post-breach costs later.

Companies have to take responsibility for protecting the sensitive personal data they use and archive about customers, employees, and former employees. While small businesses do not have the resources that large, multinational companies have to implement effective data security methods, business-as-usual won't work. Consumers have even fewer resources to protect their sensitive data, to pay for credit monitoring ($12 per month or more) and credit repair services (rates vary) after a data breach, and to pay fees to place and lift security freezes ($5 - 10 per instance) on their credit reports. Plus, many consumers are unemployed.

Businesses have to pick up their rightful share of implementing data security methods, since they make money by using consumers' data. If this concerns you (and I hope that it does), I encourage you to write to your elected officials and tell them no more delays for small businesses to comply with the new data security laws.
