Getting Ready for the New Privacy Law
By Irene Wachsler, CPA, MBA
The new law, 201 CMR 17.00 Standards for the Protection of Personal Information of Residents of the Commonwealth, is designed to protect each resident's personal information from potential identity theft. The following primer should help.
Your organization may have personal information if it received any donation, processed a credit card transaction, or if it has employees or consultants. Personal information consists of two pieces of data:
Both the check and the photocopy contain the donor's name, the donor's financial institution, and the donor's account number.
Example 2. Your organization is hosting its 10th anniversary gala event. An individual donor calls you on the phone and reserves two tickets for $150. The donor gives you her credit card information for processing. You write this information on a piece of paper so that you can submit it for credit card processing.
The piece of paper that you wrote the information on contains personal information: the donor's first name or initial, her last name, and her credit card information.
Example 3. An organization (or its payroll service) issues Form W-2s to its employees and Form 1099-MISCs to its consultants.
Each W-2 contains the employee's name and social security number. The Form 1099-MISC may contain the consultant's social security number. Also, many organizations use their accounting package (QuickBooks, PeachTree, etc.) to store the individual contractor's name, address and social security number.
The first two are examples of documents that contain personal information. In the last example, both documents (Form W-2 and Form 1099-MISC) and an electronic program (accounting package) store personal information.
What Do I Do with this Personal Information?
The new privacy law requires that you restrict access to any document, either paper or electronic, that contains personal information only to people who have a need to see the information. For example, you may decide that only the executive director and the financial officer should distribute paychecks and have access to the accounting folder stored on the computer network server.
Also, make sure that you really need all the information that you are collecting. For example, if you offer services to clients, you may want to consider assigning a unique number to them instead of using their social security or license number.
Lastly, when employees leave the organization, make sure you collect their keys and terminate their login ID so that they can no longer access any computer system.
Paper Document Handling
You must maintain all paper documents in a secure environment. One way to easily achieve this is to lock all paper documents in a filing cabinet or in a locked room with restricted access.
If you do not need the document any more, then shred it using a crosscut shredder. You cannot throw the paper away in the trash.
Also, if you have a cleaning crew that comes in, you must make sure that all of your papers are locked at the end of the day. If this presents a challenge, then ask your cleaning crew to come earlier in the day while you are still working.
Electronic Program/File Handling
There are a number of things that you must do to protect your computer systems. Most organizations are already doing this:
The new privacy law requires that the organization monitor its computer systems on a periodic basis to make sure that there is no unauthorized access. Most firewalls and anti-virus programs offer logging that notes each time a user is denied access to the system. You should review these logs on a periodic basis. You may want to consider printing these logs and signing off that they have been reviewed.
Written Information Security Plan
The new privacy law requires that organizations have a Written Information Security Plan (WISP). A WISP is a documented plan that describes how the organization will maintain compliance with the new law. The WISP can be as simple as documenting one or more of the above policies. For example, an organization's WISP document might contain a policy that states "all paper documents containing personal information must be stored in the locked filing cabinet next to Joe's office."
Also, each organization must designate a security officer whose function is to train each employee on the above procedures. We recommend that, at a minimum, you review your WISP with each employee and have each individual employee sign off that they have received training and understand your organization's WISP policy. You may also want to consider offering this training on an annual basis.
While I am not officially endorsing the following tools, you may find them helpful in complying with the new privacy law: