March 1st Creeps Closer, Massachusetts Data Security Law Looms
OK, so we're officially seven days away from 201 CMR 17.00 Even the name of it sounds scary. 201 CMR 17.00 is the official name of the new Massachusetts data privacy laws that are now regarded as the most stringent privacy laws in the country. The State of California had previously been the standard for such laws, and were considered over-the-top when they came out several years back. Leave it to the Commonwealth to break the barriers.
Here at TGA, we have completed the audit of our own data privacy exposures and have implemented our written information security plan (WISP) as of today. It has been somewhat of a tedious task, but not quite as brutal as we feared when the regulations first came to light. All in all, it was somewhat of a "Nike" situation - Just Do It. So now we can all sit back and rest soundly knowing that these new regulations will stop the data breaches, right? We'll see.
As you sit back to admire your new WISP, keep in mind that cyber liability insurance is available for those businesses that have high exposure to data breaches, or those who simply like to cover all the angles. Complying with the regulations is simply a risk management tool to mitigate the risk of data breaches; it doesn't mean that you won't have a data breach. Cyber criminals are crafty and motivated people that find ways around barriers to get what they want. Several insurers offer cyber liability coverage, each with their own proprietary form. The premium will depend on the nature of your business and the overall scope of exposure, i.e. how much sensitive data your business collects and maintains.
On the flip side, don't think that you can simply buy the insurance coverage and forgo compliance with the law. There are holes in the coverage that could leave you with some hefty fines if your data breach caused financial loss to a third party. And hey, who knows if the state is going to actually send inspectors out to check on us? That's a similar question to - who knows if the state is going to create their own data security laws?