Blog
Identity Theft Statistics
We all know about the TJX case in 2006-2007, in which over 46 million consumers' credit card numbers and over 450,000 driver's license and social security numbers were stolen — a breach that was only discovered after an organized crime network had started using the credit card numbers for fraudulent purposes. Identity theft has become one of the most common crimes, as evidenced by the following statistics:
FTC’s 2006 Identity Theft Survey http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf
- In 2005, approximately 8.3 million U.S. adults were victims of identity theft – 3.7% of the population!
- The median value of goods stolen was $500
- The majority of thefts involved existing accounts; only about 22% of cases involved new accounts being opened
Javelin Strategy’s 2009 Identity Theft Survey
- In 2008, 10 million Americans were victims of identity theft (about 1 in 10 adults)
- US account fraud in 2008 totaled $31 billion
- 43% of victims had physical paperwork or wallets stolen
- 38% had credit card numbers stolen
- 37% had social security numbers stolen
Massachusetts Attorney General’s Office Releases 2009 Security Breach Report
Using updated numbers for 2009, the Attorney General’s office released their report on the Chapter 93 breach notification requirements. Most of the notifications have come from the financial services industry, and the report concludes that data is most at risk at financial services companies. It is also possible that financial services companies have compliance officers and are well aware of regulatory compliance issues, and hence have been complying with notification requirements more than other industries. In other industries, breaches still often go unreported and notification requirements are not met.
According to the report, 61% of breaches were deliberate, malicious acts such as stolen laptops, hacked databases, etc.; 39% of breaches were inadvertent disclosures such as accidentally putting the wrong file in an envelope or attaching the wrong document to an e-mail.
OCABR Undersecretary Barbara Anthony Announces Revised 201 CMR 17 Regulations
On August 17th, the OCABR announced a revision to the 201 CMR 17 identity theft regulations. The initial compliance date was pushed back an additional 2 months, leaving businesses with less than six months to comply with this rule. We have read over the old and new regulations and taken a look at the press releases and new files on the OCABR’s website. According to the FAQ, the major changes include:
- More “Risk-based” Approach
- Some specific WISP provisions removed
- A “Technical Feasibility” qualifier was added to all of the technical requirements
- Better compatibility with federal requirements
The FAQ also discusses what this “technical feasibility” requirement means, especially in regard to e-mail. The OCABR seems to recognize that it is not technically feasible to encrypt e-mail; instead, they recommend that “you should implement best practices by not sending unencrypted personal information in an email.” They also recommend using alternate means such as a secure website. Keep in mind when reading this that the OCABR is explaining its own interpretation of the rules; it is the Attorney General’s office that will actually enforce the regulations.
This is the third time the deadline for 201 CMR 17 compliance has been pushed back. The major requirements of 201 CMR 17, however, have not changed: companies are still required to have a written information security program in place, and that program still has most of the same requirements.
Trend Micro licenses Compliancehelp to distribute Email Encryption Software
We are pleased to announce that Compliancehelp.net has come to a licensing agreement with Trend Micro that allows us to distribute a free 30-day version of their Email Encryption software with our Compliance Kits. Trend Micro Email Encryption Client includes an Outlook plugin that allows you to send emails securely. Note that this software may not allow you to send secure messages successfully to Macs, BlackBerrys, iPhones, or other non-standard email devices.
Losing a Laptop Costs Companies an Average of $49,246
Laptops are a very common and inviting target for thieves. Intel commissioned a study that collected data on 138 cases in which laptops were lost by employees or contractors of companies across the U.S. Released on April 22, the study found that in one case the cost of a single stolen laptop was nearly $1,000,000 because of regulatory breach notification requirements, and that the average cost of a lost laptop was $49,246. 80% of the cost of these losses was due to breach compliance requirements. The costliest breaches were those in which laptops of senior executives were lost. Cost also varied widely by industry, with the highest costs in the services, financial services, and health care industries.
Bill in State Senate Would Weaken 201 CMR 17 Requirements
On May 12th there was a hearing on Beacon Hill about a bill which would significantly weaken 201 CMR 17. Back in January, State Senator Michael W. Morrissey introduced the bill, S.173, which would remove specific technical requirements like encryption. The bill also removes compliance requirements from HIPAA-compliant health care organizations and other industries which already have to meet federal compliance standards. This makes sense because these industries already had
This bill coincides with last week’s appointment of Barbara Anthony to the OCABR, the state organization in charge of writing the 201 CMR 17 regulations.
Laptops Greatest Breach Risk, According to Attorney General’s Statistics
The OCABR and the Attorney General released a report containing statistics from the first 10 months in which Massachusetts had a data breach notification requirement. One surprising conclusion was that criminal acts such as burglary and theft were responsible for a majority of the breaches, with the most common breach being stolen laptops or portable devices. A smaller percentage of breaches were caused by employee error.
Also, nearly 75% of the breaches involved data that was neither encrypted nor password protected. Of course, the new 201 CMR 17 regulations were not yet in effect when this data was collected.
Official 201 CMR 17 Resources for Businesses
The state Office of Consumer Affairs and Business Regulation (OCABR) has a lot of online resources on their site, but these can be very tricky to find and navigate. Here, we have gathered some of the best resources so you don’t have to dig through the OCABR’s site trying to find them:
- Official 201 CMR 17 Frequently Asked Questions (FAQ)
- 201 CMR 17 Compliance Checklist
- The latest version of the actual 201 CMR 17 regulation
- Security Breach Notification Requirements
2/12/09 201 CMR 17 Amendment
Today, the Massachusetts Office of Consumer Affairs and Business Regulation announced that it has amended the 201 CMR 17 identity theft regulations, primarily extending the timeline for compliance from May 1, 2009 to January 1, 2010.
“Businesses are becoming more aware of the urgency of this issue. To achieve the full benefit for consumers as quickly as possible, it’s worth making sure every business in the state has time to make the necessary changes to comply with these regulations,” Daniel C. Crane, Undersecretary of the Office of Consumer Affairs and Business Regulation, said in a press release. “We understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections.”
10% donation
- 10% of the proceeds from all Compliance Help purchases will be donated to the following non-profit organizations: