UBP blog

07/15/2009

Is your third-party service provider in compliance with 201 CMR 17.00?

In recent years, there have been multiple high profile data breaches involving third-party providers of credit card and other financial services. One of the many ways identity thieves access personal information these entities maintain is by hacking into non-password protected, unencrypted databases. Under the Massachusetts identity theft law 201 CMR 17.00, companies that work with these third-party providers will be liable for any data security breach involving personal information of Massachusetts residents if they did not take any action to ensure that the provider was operating in full compliance with the law.

For small and mid-size businesses that work with online credit card processing companies, it is no longer safe to simply assume that these companies are in compliance with the law. You must now look deeper and investigate them to ensure that they are in compliance. It is vital as well to include in all contracts with these providers an explicit requirement that they maintain data security safeguards compliant with 201 CMR 17.00.

Although January is still several months away, the time to start preparing for Massachusetts law 201 CMR 17.00 to go into effect is now. That means identifying all records of personal information on any Massachusetts resident within your organization and bringing together an inter-departmental team to craft your organization’s Written Information Security Plan.

To help companies out with their 201 CMR 17.00 compliance efforts, Universal Benefit Plans will hold a free 35 minute educational webinar July 21st at 11:00 am.

Register to attend at: https://www2.gotomeeting.com/register/660426874


Are you aware of all the subtleties of the upcoming Massachusetts identity theft legislation (201 CMR 17.00)?

As some of you may already know, the Commonwealth of Massachusetts has passed the strictest information security legislation in our nation to date (201 CMR 17.00) in order to protect citizens against identity theft. This law goes into effect January 1, 2010 and takes a far more proactive approach than the “data breach notification” laws that 40 other states have put into place.

The law requires organizations that collect, maintain and transmit the personal information of any Massachusetts resident to digitally encrypt it to the extent technically feasible. The law also requires organizations to develop, implement and monitor a Written Information Security Plan. As you would expect, this law is highly complex. We would like to alert you to the many subtleties that may prove challenging to your organization.

Process Monitoring Requirements:

The upcoming Massachusetts law requires organizations to monitor systems containing personal information in order to track who accessed such information, what was accessed, and when. This is done to help detect and prevent unauthorized access to such information and can be done either electronically or manually.

Revised regulations regarding assurance from third-party providers:

When the law was originally passed, it would have required all third-party service providers and vendors that have access to the personal information of any Massachusetts resident to provide written certification of their compliance. This requirement has since been abolished and now, organizations are required to do the following:

“(1) verify that its third-party providers have the capacity to protect the personal information that you give them access to, and (2) ensure that such third-party providers are applying protective security measures that are at least as stringent as those required under the new Massachusetts regulations.”

It is still essential for you, as an employer, to evaluate the way in which all of your third-party service providers handle your most sensitive information.

As you can probably already see from just the few subtleties we’ve mentioned thus far, many organizations will have to adjust many procedures and re-think the way they do business in just a short time.

Universal Benefit Plans has broken down the Massachusetts Information Security Legislation and will be presenting free 30-minute webinars throughout the month of June on this topic.

To view upcoming webinar dates and register for one, you can view the Events calendar on our website and click on the link for the date of the webinar you want to attend.

What steps have you taken at your company to ensure that terminated employees are immediately denied access to personal information?

Newly terminated employees are among the many individuals with a motive to commit identity theft, including the theft of personal information of any employee, customer, and/or contractor of his or her former employer.

According to the Massachusetts Information Security Legislation effective 1/1/2010, ALL Massachusetts employers must:

  • Immediately block terminated employees’ on-site and remote access to personal information. This includes deactivating their passwords and usernames.
  • Require terminated employees to return all records containing personal information.
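The two requirements above, together with the “who, what and when” monitoring requirement described earlier, can be checked against each other: if access logs are being kept, the termination roster tells you which accounts should never appear in them after a given time. The following is an added example, not code from the original post or from Universal Benefit Plans. The log format (`timestamp user=… action=… record=…`), the roster, and every username and record id in it are constructed for illustration; a real deployment would read the roster from the HR system of record and the events from the application or database audit trail.

```python
from datetime import datetime

# Constructed termination roster (hypothetical data): username -> the moment
# the account should have been disabled. None means the employee is active.
TERMINATION_ROSTER = {
    "jdoe": datetime(2009, 6, 1, 17, 0),
    "asmith": None,
    "rlee": datetime(2009, 6, 3, 9, 0),
}

# Constructed access-log lines in a hypothetical "key=value" format. Each line
# answers the three monitoring questions: who, what, and when.
SAMPLE_LOG = """\
2009-06-01T15:42:10 user=jdoe action=read record=EMP-0142
2009-06-01T17:05:33 user=jdoe action=read record=EMP-0142
2009-06-02T08:10:01 user=asmith action=update record=EMP-0077
2009-06-02T22:15:48 user=jdoe action=export record=BENEFITS-ALL
2009-06-03T08:59:59 user=rlee action=read record=EMP-0310
2009-06-03T09:00:00 user=rlee action=read record=EMP-0310
2009-06-04T10:00:00 user=unknown_svc action=read record=EMP-0001
"""


def parse_access_log(text):
    """Parse each log line into a who/what/when event; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if {"user", "action", "record"} <= fields.keys():
            events.append({
                "when": when,
                "who": fields["user"],
                "action": fields["action"],
                "what": fields["record"],
            })
    return events


def find_post_termination_access(events, roster):
    """Return events that violate the 'immediately block access' requirement.

    An event is flagged when a terminated account touched personal information
    at or after its termination time, or when the account is not on the roster
    at all (an identity nobody can vouch for needs investigation too).
    """
    findings = []
    for ev in events:
        if ev["who"] not in roster:
            findings.append({**ev, "reason": "account not in roster"})
            continue
        terminated_at = roster[ev["who"]]
        if terminated_at is not None and ev["when"] >= terminated_at:
            findings.append({**ev, "reason": "access after termination"})
    return findings


def access_summary(events):
    """Per-user list of (when, action, what): a minimal who/what/when report."""
    summary = {}
    for ev in events:
        summary.setdefault(ev["who"], []).append(
            (ev["when"].isoformat(), ev["action"], ev["what"])
        )
    return summary


if __name__ == "__main__":
    evs = parse_access_log(SAMPLE_LOG)
    for f in find_post_termination_access(evs, TERMINATION_ROSTER):
        print(f"{f['when'].isoformat()} {f['who']} {f['action']} "
              f"{f['what']}: {f['reason']}")
```

Run against the constructed data, the check flags two reads by `jdoe` after 17:00 on the termination day (including a bulk export that night), the `rlee` read at exactly 09:00:00 (the comparison is inclusive, so the termination minute itself counts), and the `unknown_svc` account that is on no roster. The 08:59:59 read by `rlee` passes, which is the point of recording exact timestamps rather than just dates. The same two data sources also let you prove the positive case to an auditor: an empty findings list over a period is evidence that deprovisioning actually happened when the roster says it did.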

These measures are just a small part of the comprehensive Written Information Security Plan (WISP) this new state law requires companies to create, spelling out all of their administrative, technical and physical safeguards for all records containing personal information on Massachusetts residents.

To learn more about the law and about creating and implementing a WISP, attend one of the free educational webinars my company will hold. To register, please visit the events page of our website.

Benefits identity theft skyrockets. Are you safeguarding personal employee data in your HR department?

Filed under: Massachusetts encryption law — ubpblogger @ 9:26 am

The Problem:

In 2008, a record 79 million identity thefts occurred in the United States. According to a report by the Alexander Hamilton Institute, an estimated 50-70 percent of these thefts happened in the workplace. Employee benefits documents—and employee files in general—contain all of the information necessary for an information thief to steal someone’s identity.

Benefits identity theft can come both from within the company (e.g. a temporary employee working in HR who has access to employee information files a reimbursement account claim as someone else) or from outside of the company (e.g. an employee’s online statement gets hacked and the hacker wipes out all of his or her retirement savings with the click of a mouse).

What the experts suggest:

Benefits identity theft is a problem that employers often overlook until it is too late. Employers should therefore create and put into place a policy for the safe handling of sensitive data, from its collection to its disposal. All paper personnel files should be secured with combination locks. If your company maintains electronic personnel files, work with IT to ensure that all such records are encrypted and password protected.

To protect your employees from reimbursement account theft, you should keep signatures of all employees on file so that you are prepared to audit a suspicious-looking reimbursement check. You should run reports of your company’s newly terminated employees so that you can audit cancelled reimbursement checks in their names. For greater protection, only send reimbursements through direct deposit to an account that you have verified belongs to the correct employee.

Enhanced, double-encrypted HRIS solution FOR FREE:

The HR in a Box™, Universal Benefit Plans’ A to Z HR and benefits management solution, is a dual-encrypted time- and cost-saving tool for small-to-mid-size enterprises. With The HR in a Box™, not only will your company eliminate the time-consuming and costly practice of manual benefit administration, you will also be able to rest assured that all of your employee benefits data is secure. The HR in a Box™ also generates reports of employees terminated as far back as you want them, making the process of auditing cancelled reimbursement checks an easier one.

To learn more about how having The HR in a Box™ can help your company or to schedule a free product demo, visit http://www.universalbenefitplans.com.


Encrypting employee information and identity theft

Filed under: Massachusetts encryption law — ubpblogger @ 8:30 am

Although 42 of our 50 states have passed what are called “data breach notification laws,” Massachusetts is definitely leading the charge on the issue of safekeeping critical information and, seemingly, on all benefits reform in the U.S. Massachusetts has legislated that encryption of all critical employee data be accomplished by 2010. This could save millions of dollars (and thousands of families) by virtually ending identity theft in the workplace. But is it worth the burden on corporations, both in time and financially? Are we asking too much? How are overtaxed, understaffed employee benefits teams to accomplish this?

Although one of the biggest issues for organizations and their employee benefits teams right now is that a critical data breach almost ensures that you’ll be slapped with one (or more) class-action lawsuits – thus becoming a huge liability issue – the costs of preventing such a breach (i.e., identity theft) can be huge. With millions of records already lost and millions more at risk, there’s simply no way to get around the fact that encryption of records MUST be part of a comprehensive data security plan.

Why? Quite bluntly, anyone who’s been – or who knows someone who’s been – the victim of identity theft will tell you that it’s an awful, horrible crime, and trying to regain their status and protect themselves in the future is like a never-ending nightmare. The amount of personal data collected by employee benefits teams and human resources departments is, by necessity, enormous. Protecting those individuals MUST be a top priority, and if the nation follows the lead of Massachusetts any time soon, it will be.

If you’re fortunate enough, you may find that your insurance broker is actually able to maintain all of your employee data and handle the encryption issue themselves, thus protecting your employees AND your company from the nightmare of identity theft and the liability that goes along with it.
