UBP blog


From phishing, to spyware to network snooping, how identity thieves get your information online and what you can do to stop them

As the Internet evolves and identity theft criminals get more and more tech-savvy, it isn’t any wonder the number of identity theft crimes has skyrocketed over the past few years.  

To keep your personal information safe online, you’ll need to first know the most common methods thieves use to collect your information. That way, you can figure out what actions you’ll need to take to stop them.

These are:

  1. Phishing: Phishing happens when a thief sends out an email under the guise of a legitimate company. The email in question will generally contain links to a very legitimate-looking website. Once the victim arrives at the website, he or she will be asked to give a bank account number, credit card number or other piece of personal data.
  2. Spyware: Spyware is software that collects personal data from individuals’ own computers without them even knowing it. It infects their computers when they visit certain websites or open email attachments from unknown senders. Also, anyone with manual access to computers can install spyware on them.
  3. Fraudulent e-commerce sites: Identity thieves often set up fraudulent e-commerce sites for goods they advertise through spam email blasts or on price comparison websites. When individuals place orders on these sites, identity thieves are able to capture their names, addresses, credit card numbers and other information.
  4. Wireless network snooping: Tech-savvy identity thieves use this technique to connect to unsecured wireless networks and steal information from computer files or information that’s en-route from sender to its final destination.

Massachusetts ID theft law compliance deadline is today:

Any entity that employs and/or does business with Massachusetts residents must be in full compliance today, March 1, with our nation’s toughest ID theft law to date—Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00).

Fines for noncompliance are steep and auditors from the MA Attorney General’s office will be coming any day now, are you prepared to show your compliance or face the facts?

Now is not the time for second guessing, call us now at 617-859-1777 and schedule your free 30 minute compliance overview in partnership with Foley and Foley law firm of Massachusetts.


To prevent identity theft at work you need to know where the thieves will go

Identity thieves can steal personal information from you at work, in public, online or even from your home (a place that so many of us think is a safe haven). The first step to protecting your information in all these places is knowing where the thieves will go to get their hands on it.

Let’s start off by looking at the workplace.

Personal information in any given workplace is vulnerable to the prying eyes and hands of permanent staff, temporary and contract workers or even the after-hours custodial staff that comes in and cleans the building every night.

If there’s an identity thief lurking in and around your workplace, chances are they’ll go for one of the following.

  • Unattended Personal Belongings: This includes both unattended purses and wallets as well as easily accessible personal documents employees may either keep at work of bring with them to work.
  • Employee personnel files: Any employee with access to the personnel files that are kept in HR has easy access to employees’ Social Security Numbers and DOB’s as well as a host of other data ID thieves may use to commit fraud. 

Data in personnel files is especially vulnerable to threats from within an organization. A disgruntled employee or even a temp worker could steal employee personal information, sell it to an identity thief or use it themselves to commit fraud.

Effective monitoring is the key:

The information above goes to show that employers should carefully monitor access to all employee personal information. Certain vital details such as who has access to this information, how long they have access to it and what precise business or compliance need their access to this information will fulfill should be spelled out clearly in your Written Information Security Plan required by Massachusetts law 201 CMR 17.00 (which is enforceable the first of next month).

On top of this, employers should communicate to employees the importance of consistently monitoring all accounts they have in their name, checking for any unauthorized activity or the presence of any new accounts that they didn’t open themselves.  

Individuals who steal your identity or credit card numbers depend on you not to look too closely at your bills and ensure that every charge on them was actually yours. “Small” charges of under $100 are often less scrutinized than larger amounts and thieves know this. That’s why you should never just “excuse away” unfamiliar and unauthorized charges, just because they appear small.

Deadline for Massachusetts Identity theft law 201 CMR 17.00 is just a week away:

One week from today, all businesses that “own, license, store or maintain” personal information on any Massachusetts residents must be fully compliant with the Commonwealth’s identity theft law 201 CMR 17.00. Is your company compliance-ready, and can you prove it to the auditor who may come knocking at your door?

To help Massachusetts businesses get compliance-ready, Universal Benefit Plans has partnered with local employment law firm Foley and Foley to offer a complimentary 30 minute compliance review for qualifying companies. Call us at 617-859-1777 to learn more and see if your company qualifies.


The Security of your Identity is only as strong as the passwords you keep—Part 2

As discussed in the previous blog post, your passwords are often your only barrier protecting personal information from the prying eyes of identity thieves. So, it goes without saying that they should be kept both strong and secret.

We’ve gone over how to make your passwords strong, here are a 4 steps that you should take to make sure they’re kept secret:

1. Don’t write your passwords down:  The safest place to store your passwords is clearly your own mind, which is why they should be relatively easy for you to remember. However, if you’re someone with a lot of different passwords to different accounts, you might need to write them down somewhere to remember which one is which.

If this is you, you’ll need to be extra careful about where you put them. Avoid keeping them in places that are easy for a thief to access, such as in your pocketbook, taped to the monitor of your keyboard or even on a sticky note on the back of your mousepad.

2. Don’t use the “remember my passwords” setting:  Whenever automatic logins and “remember my passwords” settings are enabled on your computer, anyone can sign into your computer as you and log in to all of your personal databases.

3. Don’t log into accounts containing personal information on public computers: Public computers include those in libraries, schools, universities or at an Internet café. Your passwords and usernames could be saved by the computer and used to access your accounts by someone else at a later date.

4. Don’t share your password with others: Also, as soon as anyone finds out your password, you should immediately change it (even if the person promised not to use it or tell anyone else).

Starting March 1, 2010, all businesses that “own, license, store or maintain” personal information on any Massachusetts residents must be fully compliant with the Commonwealth’s identity theft law 201 CMR 17.00. This means encryption, creation and implementation of a Written Information Security Plan and a whole host of other responsibilities must be completed by the end of this month.

Is your company compliance-ready, and can you prove it to the auditor who may come knocking at your door?

To help Massachusetts businesses get compliance-ready, Universal Benefit Plans has partnered with local employment law firm Foley and Foley to offer a complimentary 30 minute compliance review for qualifying companies. Call us at 617-859-1777 to learn more and see if your company qualifies.


The security of your identity is only as strong as the passwords you keep—Part 1

If you lived during the Middle Ages and had a castle, you’d want to prevent invaders from breaking in, destroying your property, kidnapping your loved ones, etc. So what would you do? Build a moat, correct?

Now most, if not all of you, would pull out all the stops to create the deepest, most crocodile-filled moat imaginable. After all, it would be your only barrier for keeping invaders out. When creating passwords for your personal information you should use this exact same logic.

That’s because just like a moat is the only barrier keeping invaders out of a castle, your passwords are often your only barrier standing between personal information and identity thieves.

All passwords you use to access personal information (both online and off) should be both strong and secret. This blog post will educate you on how to keep them strong.

What is a strong password?

A strong password is one that includes:

  • 6 or more characters
  • Letters numbers and symbols
  • At least one case change

When creating your passwords, make sure that they are both easy for you to remember and difficult for others to guess.  If your password contains two distinct words or proper names, make sure they are unrelated to one another. 

One strategy you can use to create a strong, memorable password is to use the first letter of every word in a popular saying (making at least one of the letters uppercase) and add a number plus a symbol to the end. For example, a strong password using the popular saying “Speak softly and carry a big stick” might be Ss&cabs13.

Once you’ve set a strong password, you should also take the following precautions:

  • Never use the same password for more than one of your main accounts: If you do, it could take just one security breach to compromise everything in all of your accounts.
  • Change your passwords regularly: The Commonwealth of Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) recommends that individuals change their passwords for access to personal information at least every 6 months.  A helpful tip for reminding yourself to do this is to use a recurring event such as a time to change your password (i.e. change your password every daylight savings time).

For any entity that employs and/or does business with Massachusetts residents, OCABR has passed our nation’s toughest ID theft law to date—Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00).

Businesses must be fully compliant with the law by March 1, 2010. Is all your company’s personal information on Massachusetts residents encrypted and/or protected? Do you have a Written Information Security Plan in place?

These are just a few of the 201 CMR 17.00 requirements that must be met. Attend our  free webinar February 11th at 2 pm and in just 30 minutes you’ll know the answers to these questions plus so much more.


What Identity Thieves Want

Identity theft is a huge and costly problem. In fact, it has recently surpassed drug trafficking as the number one crime in the nation and claims one new victim every 3 seconds.

Identity theft can happen to anyone and its results are devastating: stolen funds, a tarnished credit rating and obligations to pay off debt that isn’t even your own.

To keep from becoming victims of identity theft, all individuals should:

  • Keep sensitive personal information under wraps
  • Learn to recognize and put a stop to common identity theft strategies
  • Act quickly to limit damage

This blog post will focus on keeping sensitive personal information under wraps, and knowing what identity thieves want is a logical first step to keeping personal information safe. That’s because when you know what identity theft criminals want from you (and what they’d do with it) you’ll know exactly what personal details to keep safe and secure.

The following table shows you what common pieces of personal information identity theft criminals want and why they want it.

Type of Information Why ID theft criminals want it
Social Security Number (SSN) Your social security number uniquely identifies you for employment and credit purposes and serves as the gateway to all your financial information
Date of Birth Your date of birth (especially if used alongside your SSN) can be used by an ID theft criminal to verify your identity
Financial Account Numbers This includes bank account numbers and credit card numbers. ID theft criminals can use them to take money out of your accounts or make payments both over the phone and online.
Mother’s maiden name ID theft criminals want this information because it’s often used to verify an individual’s identity and authorize access to their financial information.
PIN numbers and passwords These allow access to banking, credit card and online accounts
Driver’s license number This number can be used by ID theft criminals to obtain a fraudulent ID


Starting March 1, 2010 The Commonwealth of Massachusetts Attorney General’s office will begin enforcing Regulation 201 CMR 17.00. The Regulation is designed to prevent identity theft and it’s the toughest identity theft law for businesses in our nation to date.

Is your company up to speed with compliance? Can you afford not to be?

Register to attend our free webinar February 11th at 2 pm and in just 30 minutes we’ll walk you through the necessary steps to get compliant and stay compliant.



You’re 201 CMR 17.00 compliant and that’s great but do you know how to stay compliant?

Filed under: Massachusetts encryption law — ubpblogger @ 9:24 am
Tags: ,

As you may know, Massachusetts’ upcoming law Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00), requires all businesses that “own, license, store and maintain” personal information on any Massachusetts resident to create and implement a Written Information Security Plan (WISP).

Your WISP needs to be comprehensive and it must spell out all of your technical, physical and administrative safeguards for your personal information. If you’re company already has a WISP and it’s good to go for March 1, you’re definitely one step ahead of the game. However, you’re not off the hook just yet. You’ll need to continuously re-evaluate your plan in order to stay compliant.

Q:  The Law requires companies to evaluate their WISP for comprehensiveness and effectiveness:

A)    Once every year

B)    Once every 5 years

C)    Every time business practices change in a way that impacts personal information security

D)    Both A and C 

A:  If you answered both A and C, then you are correct. Companies required to create and implement a Written Information Security Plan (WISP) are also required to annually evaluate it and re-train employees on it as well.

They are also required to do this whenever business practices change in a way that impacts personal information security. Here’s an example.

“Well we’re movin’ on up”

Let’s say a company is doing really well, is on a trajectory for growth and decides they need to move to a new (and larger) building for more office space. At their former location, the HR department had a small office in which physical files containing employee personal information were stored. The door was only open when the HR Manager or her assistant were in the office working, at all other times it was locked and only the two of them had the key.

At their new office building, a professional cleaning crew comes in every night and vacuums the floor of each office. Because of this, the HR Manager or her assistant would now need to secure all files containing employee personal information in locked file cabinets at the end of each day. They’ll also need to ensure that only the two of them have keys to this cabinet and that all of the above measures are added to their updated WISP.

Want to learn more about the law Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00) and the many other things you must do to get your company compliant?

Register to attend one of our free 30-minute webinars:




Three ways to prevent a large scale identity breach at your company

On Monday August 17, three men (one American and two Russians) were charged with stealing personal data from more than 130 million credit and/or debit cards.  Data was stolen from customers of Heartland Payment Systems, 7-Eleven, the Hannaford Brothers supermarket chain and two other unnamed corporate entities.

 The men are charged with conspiring to hack into computer networks and stealing data as far back as October 2006. This hacking and identity theft case is believed to be the largest one the US Department of Justice has ever prosecuted.


 How the breach was executed:

 To tap into the retailers’ networks, the three hackers used a very sophisticated technique known as a SQL Injection Attack. This technique enabled them to maneuver around the Firewalls on computer networks containing credit and debit card data.

 The hackers then installed “sniffers” on the victims’ computer systems to intercept credit and debit card data as transactions are processed.

 How to prevent this from happening at your company:

Although hackers are always looking for new and innovative ways to access and compromise personal information, there are still things companies can do to help prevent a  data breach.

1. Encrypt your networks

This is especially important if your company has a wireless network. According to a recent PC World article, both the TJX and Lowes data breaches were made possible because of non-existent wireless network security. That’s why you should secure your wireless network with encryption. Also, a form of authentication should be required for anyone to access the wireless network.

 2. Stay on top of things

Make sure to consistently monitor all computer systems containing personal information. This frequent exposure will help sensitize you to the earliest signs of compromise or suspicious activity. That way, you’ll be alert and ready to take action before any major damage is done (or any major funds are lost).

 3.  Go above and beyond

This means that you should do more than the bare minimum at your company to pass a security audit. As much as we like to think lawmakers enact security laws because they have nothing better to do with their time, they really do have our best interest at heart. 

Data security laws are there to protect your sensitive data on your computer networks. If you’re only doing the bare minimum that the lawmakers want, you might not be reaping the full benefit of these laws in the end.

Massachusetts’ Identity Theft Law:

In response to the huge, costly problem of identity theft, Massachusetts Governor Deval Patrick signed identity protection law 201 CMR 17.00. Effective March 1, 2010, this law is the toughest one any US state has passed to date.

To prepare businesses for compliance with this law, Universal Benefit Plans conducts free 30-minute educational webinars twice per-month. To sign up for a webinar, please visit www.universalbenefitplans.com and check out our events calendar.


Is your third-part service provider in compliance with 201 CMR 17.00?

In recent years, there have been multiple high profile data breaches involving third-party providers of credit card and other financial services. One of the many ways identity thieves access personal information these entities maintain is by hacking into non-password protected, unencrypted databases. Under the Massachusetts identity theft law 201 CMR 17.00, companies that work with these third-party providers will be liable for any data security breach involving personal information of Massachusetts residents if they did not take any action to ensure that the provider was operating in full compliance with the law.

For small and mid-size businesses that work with online credit card processing companies, it is no longer safe to just assume that these companies are in compliance with the law. You must now take a look deeper and investigate them to ensure that they are in compliance. It is vital as well to make sure that you include in all contracts with these providers an explicit requirement that they maintain data security safeguards compliant with 201 CMR 17.00.

Although January is still several months away, the time to start preparing for Massachusetts law 201 CMR 17.00 to go into effect is now. That means identifying all records of personal information on any Massachusetts resident within your organization and bringing together an inter-departmental team to craft your organization’s Written Information Security Plan.

To help companies out with their 201 CMR 17.00 compliance efforts, Universal Benefit Plans will hold a free 35 minute educational webinar July 21st at 11:00 am.

Register to attend at: https://www2.gotomeeting.com/register/660426874

Are you aware of all subtleties of the upcoming Massachusetts identity theft legislation (201 CMR 17.00)?

As some of you may already know, the Commonwealth of Massachusetts has passed the strictest information security legislation in our nation to date (201 CMR 17.00)  in order to protect citizens against identity theft. This law goes into effect January 1, 2010 and takes a far more proactive approach than the “data breach notification” laws that 40 other states have put into place.

The law requires organizations that collect, maintain and transmit the personal information on any Massachusetts resident to digitally encrypt it to the extent technically feasible. The law also requires organizations to develop, implement and monitor a Written Information Security Plan. As you would expect, this law is highly complex. We would like to alert you to the many many subtleties that may prove challenging to your organization.

Process Monitoring Requirements:

The upcoming Massachusetts law requires organizations to monitor systems containing personal information for the purpose of tracking who, what and when such information was accessed. This is done to help diagnose and prevent unauthorized access of such information and can be done either electronically or manually.

Revised regulations regarding assurance from third-party providers:

When the law was originally passed, it would have required all third-party service providers and vendors that have access to the personal information of any Massachusetts resident to provide written certification of their compliance. This requirement has since been abolished and now, organizations are required to do the following:

“(1) verify that its third-party providers have the capacity to protect the personal information that you give them access to, and (2) ensure that such third- party providers are applying protective security measures that are at least as stringent as those required under the new Massachusetts regulations.”

It is still essential for you, as an employer, to evaluate the way in which all of your third-party service providers handle your most sensitive information.

As you can probably already see from just the few subtleties we’ve mentioned thus far, many organizations will have to adjust many procedures and re-think the way they do business in just a short time.

Universal Benefit Plans has broken down the Massachusetts Information Security Legislation and will be presenting free 30-minute webinars throughout the month of June on this topic.

To view upcoming webinar dates and register for one, you can view the Events calendar on our website and click on the link for the date of the webinar you want to attend.

Blog at WordPress.com.