Getting Ready for the New Privacy Law
By Irene Wachsler, CPA, MBA

Irene Wachsler
Irene Wachsler
The new Massachusetts privacy law, due to take effect March 1, 2010, means that all nonprofits, in addition to all businesses, must take steps to protect personal information they collect. The good news is that doing so won’t break the bank.

The new law—201 CMR 17.00 Standards for the Protection of Personal Information of Residents of the Commonwealth—is designed to protect each resident’s personal information from potential identity theft. The following primer should help.
Personal Information
Your organization may have personal information if it received any donation, processed a credit card transaction, or if it has employees or consultants. Personal information consists of two pieces of data:
  1. The individual’s first name or first initial and their last name
  2. One or more of the following information:

    a. Financial account #, credit card # or debit card #

    b. Driver’s license or state-issued ID

    c. Social security number

Example 1. In response to the annual appeal, a nonprofit organization receives a personal check for $50 from a donor. The organization photocopies the check for its records.

Both the check and the photocopy contain the donor’s name, the donor’s financial institution, and the donor’s account number.

Example 2. Your organization is hosting its 10th anniversary gala event. An individual donor calls you on the phone and reserves two tickets for $150. The donor gives you her credit card information for processing. You write this information on a piece of paper so that you can submit it for credit card processing.

The piece of paper that you wrote the information on contains personal information ”“ the donor’s first name or initial, her last name, and her credit card information.

Example 3. An organization (or its payroll service) issues Form W-2s to its employees and Form 1099-MISCs to its consultants.

Each W-2 contains the employee’s name and social security number. The Form 1099-MISC may contain the consultant’s social security number. Also, many organizations use their accounting package, (QuickBooks, PeachTree, etc.) to store the individual contractor’s name, address and social security number.
The first two are examples of documents that contain personal information. In the last example, both documents (Form W-2 and Form 1099-MISC) and an electronic program (accounting package) store personal information.
What Do I Do with this Personal Information?
The new privacy law requires that you restrict access to any document—either paper or electronic—that contains personal information only to people who have a need to see the information. For example, you may decide that only the executive director and the financial officer should distribute paychecks and have access to the accounting folder stored on the computer network server.

Also, make sure that you really need all the information that you are collecting. For example, if you offer services to clients, you may want to consider assigning a unique number to them instead of using their social security or license number.

Lastly, when employees leave the organization, make sure you collect their keys and terminate their login ID so that they can no longer access any computer system.
Paper Document Handling
You must maintain all paper documents in a secure environment. One way to easily achieve this is to lock all paper documents in a filing cabinet or in a locked room with restricted access.

If you do not need the document any more, then shred it using a crosscut shredder. You cannot throw the paper away in the trash.

Also, if you have a cleaning crew that comes in, you must make sure that all of your papers are locked at the end of the day. If this presents a challenge, then ask your cleaning crew to come earlier in the day while you are still working.
Electronic Program/File Handling
There are a number of things that you must do to protect your computer systems. Most organizations are already doing this:
  1. Each computer user must have their own unique login ID and password. The password must be at least seven characters long and contain one or more digits. You may want to consider requiring that each user change his password every 90 or 120 days.
  2. Each computer system must have the latest version of firewalls, malware, and virus definitions. Microsoft Windows offers a firewall, as do most routers (NetGear, Cisco, etc.). You can also purchase a third-party firewall from Norton. Both McAfee and Norton offer very inexpensive anti-virus software that you can load onto your computer system.
  3. You must encrypt all software and data files that contain personal information. It is much easier to encrypt the entire hard drive than it is to encrypt individual files. Microsoft Windows has an encryption tool. Another encryption program, TrueCrypt, is open-source software and is free.
You also need to encrypt any portable device that may have documents with personal information. This includes laptops, iPhones, BlackBerrys, PDAs, and flash drives. Other points to keep in mind:
  • Any emails containing personal information, including attachments, must be encrypted.
  • Before you send any faxes, including e-fax, that contains personal information, you must confirm that the authorized recipient has exclusive access to the fax machine/fax e-mail.
  • If you backup any electronic files that are not encrypted and contain personal information, then these backups should be locked in a secure location off-site. You may want to consider renting a safety deposit box at your local financial institution.
  • If you are getting rid of your computer or portable device, you must physically destroy the disk or device. Erasing electronic files doesn’t cut it as it is easy to reconstruct the data. There are companies that specialize in this service.
Monitoring Your Computer Systems
The new privacy law requires that the organization monitor its computer systems on a periodic basis to make sure that there is no unauthorized access. Most firewalls and anti-virus programs offer logging which notes each time a user is denied access to the system. You should review these logs on a periodic basis. You may want to consider printing these logs and sign off that they have been reviewed.
Written Information Security Plan
The new privacy law requires that organizations have a Written Information Security Plan (WISP). A WISP is a documented plan that describes how the organization will maintain compliance with the new law. The WISP plan can be as simple as documenting one or more of the above policies. For example, an organization’s WISP document might contain a policy that states “all paper documents containing personal information must be stored in the locked filing cabinet next to Joe’s office.”

Also, each organization must designate a security officer whose function is to train each employee on the above procedures. We recommend that, at a minimum, you review your WISP with each employee and have each individual employee sign-off that they have received training and understand your organization’s WISP Policy. You may also want to consider offering this training on an annual basis.
Useful Tools
While I am not officially endorsing the following tools, you may find them helpful in complying with the new privacy law:
  • Locked filing cabinets
  • Wireless NetGear Modem: encrypted wireless access ”“ $30
  • Norton 360: firewalls, malware and virus definitions ”“ $60 for 3-user license
  • Carbonite: online, secured backup of computer data files ”“ $60 annually per computer
  • PGP: computer encryption ”“ $400 per license
  • Sandisk 8GB Ultra Backup USB Flash Drive ”“ $60
  • Box.Net: secured, online storage facility that allows sharing of files containing personal information (e.g. tax returns, copies of bank statements, mutual funds, etc.) ”“ 15GB storage at $49.95 per month
Irene Wachsler is managing partner with Tobolsky & Wachsler CPAs LLC, which specializes in audits, reviews, and compilations for nonprofit organizations. Contact her at or call 781-883-3174.