Last month, we explored how data gets compromised in confirmed data loss incidents. Earlier this month, we discussed what data is most at risk of being lost, and why it has value.
Because of the value of this data, Massachusetts passed 201 CMR 17 in 2009 which defined the standards for the protection of personal information of residents of the Commonwealth. In these regulations, personal information is defined as a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of additional data elements, including a Social Security Number, Driver’s license number, or financial account number. All businesses have to follow the acceptable minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records.
When it is known that a data breach has occurred, it is a requirement to notify the Massachusetts Office of Consumer Affairs and Business Regulation. As a result, there is nearly a decade of data regarding data that’s been lost, and the Commonwealth records and reports upon known breaches, of which there were 1,835 in 2018, affecting 442,941 MA residents!
Curious as to who reported incidents? View the 2018 report.
Currently, 48 States have some from of data privacy regulations in place, with some variance as to the depth of technical controls, administrative controls, and incident reporting required.
In our “Cybersecurity Express” Security Awareness Training, we discuss how perhaps the greatest risk is the Reputational Risk associated with having experienced a data loss incident. There are some very familiar names on the 2018 MA report, and no one wants their business to be the next listed.
Be sure you business is leveraging the appropriate physical, technical, and administrative controls to keep data secure, and train your employees to use a Healthy Dose of Skepticism to avoid phishing tactics so that you can Keep Calm and Compute On!