Mass. Morass: New Data Privacy Law
March 12, 2010
(Tony Martignetti is managing director of Martignetti Planned Giving Advisors, LLC, a planned giving consultancy; the author of Charity Registration: State-by-State Guidelines For Compliance; and a frequent seminar leader at the Foundation Center. You can connect with him on LinkedIn and Twitter.)
There's a new Massachusetts regulation that affects nonprofits that access or store personal information provided by residents in the state. Do you accept gifts from Bay State donors and process their credit cards? Process or save copies of their checks? Are you seeing or holding the Social Security numbers of constituents?
A "yes" to any of these brings your organization within the purview of Title 201 of the Code of Massachusetts Regulations Section 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth. And compliance isn’t pretty.
What’s In A Name
Whether you are at risk of becoming tangled in the law’s web starts with how "personal information" is defined. In Massachusetts, the definition starts with first and last name, or first initial and last name. If either of those combinations is paired with any of the following, you've got personal information on your hands: Social Security number; driver's license number; financial account number; credit card number; or debit card number (even without the PIN or access code). If you got the information from public sources, including government records, you're in the clear. But that's not likely to apply to many nonprofits. In most cases, donors will have voluntarily provided their personal information when they made a gift. Or, if you're a school, hospital, library, social service or other organization that requires identification to access services, you may have come across it in the course of doing business.
What Are You Doing With It
If you've got personal information, you're doing something with it. Anything here sound familiar? You own, license, receive, store, maintain, process, or have access to it. (That covers everything but "fold, spindle and mutilate.") If that's a "yup," then read on.
Do Your Duty
You have personal information on Massachusetts residents. According to state law, you must protect it under a comprehensive, written "information security program," or ISP, that includes administrative, technical, and physical safeguards. I like to write, but this doesn't sound like fun to me.
Your ISP must:
- designate the employees in charge of the program
- identify security and confidentiality risks
- provide for employee training
- impose penalties for infractions
- prevent former employees from having access to personal information
- oversee vendors who may have access to that information
- restrict physical access to the information
- ensure at least annual review of your security program
The law also demands a host of computer security requirements, including password protection and user IDs; restricting access to active users; blocking access after multiple unsuccessful attempts to access information; restricting access on a need-to-know basis; encryption; firewalls; and lots of other system features that torment and thwart the everyday user.
And to think I used to prefer New England clam chowder over Manhattan!
A Shortcut -- Data Downsize
Seemingly unlimited computer storage, at no cost to the end user, has led to data bloat in a lot of offices.
If you're scratching your head wondering how you could possibly prepare a complete and accurate ISP, I have a suggestion: downsize your data. Don't save what you don't need. You'll still need to comply with the law because you're processing credit cards, checks, and (perhaps) stock transfers that are essential to your fundraising, but if you don't hold on to the numbers (remember, checks have account numbers printed across the bottom), your ISP will be much simplified. Insist on ASAP processing, then shredding after use. (Security experts recommend microcut shredders because they make it impossible to reassemble the pieces.) Downsizing in this way will reduce access issues, eliminate physical and data storage, cut down on your security needs, and free you of many computer security requirements.
If it's Social Security numbers you're holding on to, ask yourself whether you really need them. Alternatively, can you do business with only the last four or five digits?
Again, for all processes that pull you into this regulatory morass, consider data downsizing. And remember, the above only applies to Massachusetts residents. But any organization might realize benefits -- including improved security -- from downsizing the amount of data it holds on to. (Not to mention the fact that having a different set of business practices for a single state's residents can be a considerable pain.)
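To make the "data downsize" idea concrete, here is an added example (not from the article or the regulation) that applies the article's summary of the definition: a record is "personal information" only when a name (first and last, or first initial and last) is paired with an SSN, driver's license, financial account, credit card or debit card number. The field names and sample donor records are constructed for this example; `downsize` drops the account and card numbers after processing and keeps only the last digits of an SSN, as the article suggests.

```python
import re

# Identifier fields that, paired with a name, make a record "personal
# information" under 201 CMR 17.00 as the article summarises it.
# Field names are constructed for this example, not taken from the regulation.
IDENTIFIER_FIELDS = ("ssn", "drivers_license", "account_number",
                     "credit_card", "debit_card")

def has_name(record):
    """First and last name, or first initial and last name, both present."""
    first = (record.get("first_name") or "").strip()
    last = (record.get("last_name") or "").strip()
    return bool(first) and bool(last)  # a lone initial counts as a first name

def is_personal_information(record):
    """True when a name is paired with at least one regulated identifier."""
    if not has_name(record):
        return False
    return any(record.get(field) for field in IDENTIFIER_FIELDS)

def downsize(record, keep_ssn_digits=4):
    """Copy of the record with card/account numbers removed and the SSN cut
    down to its last digits (4 or 5, per the article's suggestion)."""
    out = {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}
    ssn = record.get("ssn")
    if ssn:
        digits = re.sub(r"\D", "", ssn)          # strip dashes and spaces
        out[f"ssn_last{keep_ssn_digits}"] = digits[-keep_ssn_digits:]
    return out

def audit(records):
    """How many records count as personal information before and after downsizing."""
    before = sum(is_personal_information(r) for r in records)
    after = sum(is_personal_information(downsize(r)) for r in records)
    return before, after

# Constructed sample donor records; none of these values are real.
DONORS = [
    {"first_name": "J.", "last_name": "Doe", "ssn": "123-45-6789",
     "credit_card": "4111111111111111", "city": "Boston"},
    {"first_name": "", "last_name": "Roe", "credit_card": "5555444433332222",
     "city": "Worcester"},                     # no first name/initial: not PI
    {"first_name": "Ann", "last_name": "Poe", "city": "Lowell"},  # no identifier
]

if __name__ == "__main__":
    print(audit(DONORS))
```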
Comply Or Pay
A different law (General Laws of Massachusetts, Chapter 93A, Section 4) provides for $5,000 penalties, plus investigation costs, for scofflaws. You don't want to be one of those. Aside from avoiding fines, operating within the law is the right way to do business.
The regulation I've summarized is written in fairly comprehensible language (unlike most byproducts of the legislative process), and you can download a PDF copy here. Go ahead: Download and share it with your stakeholders, then look critically at your true data needs and come up with a plan for compliance.
My best wishes for success in all your fundraising.
-- Tony Martignetti, Esq.