While provisioning yet another server or fielding a call from Sales for a password reset, you get the call. “Why didn’t you tell us about those Massachusetts files?” There’s no panic, because you haven’t the faintest idea what the caller is talking about. Yours is a Florida company. There’s not even a field sales office in Massachusetts.
What comes next is more disconcerting. “This is over my head. Expect a call from Legal.”
You check your inbox. Had you missed a broadcast about a class action lawsuit?
A few minutes with your favorite search engine turns up “MA 201 CMR 17
,” and more than a few casual citations. Yours is mostly a regional company based in the Southeast, but you’ve got some — hundreds? thousands? — of records from Massachusetts citizens.
Compliance issues? You’re a computer professional. Perhaps privately sensing that perhaps this work is nontechnical, nonetheless you dutifully read on. Some of the Massachusetts requirements are unsurprising. Perhaps the bases are already covered: a Written Information Security Plan (WISP), encryption from laptops to servers, policy controls on third party access, yada yada. You realize you’re not there yet, but already steps have been taken in the right direction.
Fines? $5,000 per breach or lost record. Lose records for a thousand Massachusetts residents and the firm could be out $5M. Okay, that’s serious.