A recent Commonwealth of Massachusetts law has really raised the bar in protecting consumer information. In addition to being one of the most comprehensive security laws in the nation, it can also impact any college or university, anywhere, that has a Massachusetts resident enrolled as a student. Here are three key elements of the Massachusetts law:
PII Defined
The statute mandates data safeguards for a wide range of consumer information. It defines Personally Identifiable Information (PII) as "name + 1"; that is, PII is a resident's name combined with just one other piece of identifying information. The law then extends its "long arms" to any group that acts as a custodian for a Commonwealth resident's personal data. Anywhere.
Security Defined
The law specifically defines compliance requirements. Most state statutes for information security don't specify what you must do to comply. The Massachusetts law goes into detail about creating an information security plan and provides a long list of required safeguards that range from authorization protocols to data encryption and everything in between.
Cost Defined
This Massachusetts regulation also identifies the potential cost of a breach of data security. It's "no more than $5,000 per violation." Is each breached record a violation? Can a fine of $5,000/record be possible? Only time (and the courts) will tell. But if this is true, then 1,000 records involved in a data theft would equal a penalty of $5,000,000; 10,000 records would equal $50,000,000. Wow!
The pendulum is definitely swinging towards more and tougher consumer protection, not less. The real issue is what level of risk your campus is exposed to. Whatever it is, it's more than it was.
Thanks for reading.