UBP blog


From phishing to spyware to network snooping: how identity thieves get your information online and what you can do to stop them

As the Internet evolves and identity theft criminals get more and more tech-savvy, it isn’t any wonder the number of identity theft crimes has skyrocketed over the past few years.  

To keep your personal information safe online, you’ll need to first know the most common methods thieves use to collect your information. That way, you can figure out what actions you’ll need to take to stop them.

These are:

  1. Phishing: Phishing happens when a thief sends out an email under the guise of a legitimate company. The email in question will generally contain links to a very legitimate-looking website. Once the victim arrives at the website, he or she will be asked to give a bank account number, credit card number or other piece of personal data.
  2. Spyware: Spyware is software that collects personal data from individuals’ own computers without their knowledge. It infects their computers when they visit certain websites or open email attachments from unknown senders. Also, anyone with physical access to a computer can install spyware on it.
  3. Fraudulent e-commerce sites: Identity thieves often set up fraudulent e-commerce sites for goods they advertise through spam email blasts or on price comparison websites. When individuals place orders on these sites, identity thieves are able to capture their names, addresses, credit card numbers and other information.
  4. Wireless network snooping: Tech-savvy identity thieves use this technique to connect to unsecured wireless networks and steal information from files on the connected computers, or capture information while it is in transit from the sender to its final destination.

Massachusetts ID theft law compliance deadline is today:

Any entity that employs and/or does business with Massachusetts residents must be in full compliance today, March 1, with our nation’s toughest ID theft law to date—Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00).

Fines for noncompliance are steep, and auditors from the MA Attorney General’s office will be coming any day now. Are you prepared to show your compliance, or face the facts?

Now is not the time for second-guessing. Call us now at 617-859-1777 and schedule your free 30 minute compliance overview in partnership with Foley and Foley law firm of Massachusetts.


To prevent identity theft at work you need to know where the thieves will go

Identity thieves can steal personal information from you at work, in public, online or even from your home (a place that so many of us think is a safe haven). The first step to protecting your information in all these places is knowing where the thieves will go to get their hands on it.

Let’s start off by looking at the workplace.

Personal information in any given workplace is vulnerable to the prying eyes and hands of permanent staff, temporary and contract workers or even the after-hours custodial staff that comes in and cleans the building every night.

If there’s an identity thief lurking in and around your workplace, chances are they’ll go for one of the following.

  • Unattended Personal Belongings: This includes both unattended purses and wallets as well as easily accessible personal documents employees may either keep at work or bring with them to work.
  • Employee personnel files: Any employee with access to the personnel files that are kept in HR has easy access to employees’ Social Security Numbers and dates of birth (DOBs), as well as a host of other data ID thieves may use to commit fraud.

Data in personnel files is especially vulnerable to threats from within an organization. A disgruntled employee or even a temp worker could steal employee personal information, sell it to an identity thief or use it themselves to commit fraud.

Effective monitoring is the key:

The information above goes to show that employers should carefully monitor access to all employee personal information. Your Written Information Security Plan, required by Massachusetts law 201 CMR 17.00 (which is enforceable the first of next month), should spell out clearly who has access to this information, how long they have access to it, and what precise business or compliance need their access fulfills.

On top of this, employers should communicate to employees the importance of consistently monitoring all accounts they have in their name, checking for any unauthorized activity or the presence of any new accounts that they didn’t open themselves.  

Individuals who steal your identity or credit card numbers depend on you not to look too closely at your bills and ensure that every charge on them was actually yours. “Small” charges of under $100 are often less scrutinized than larger amounts and thieves know this. That’s why you should never just “excuse away” unfamiliar and unauthorized charges, just because they appear small.

Deadline for Massachusetts Identity theft law 201 CMR 17.00 is just a week away:

One week from today, all businesses that “own, license, store or maintain” personal information on any Massachusetts residents must be fully compliant with the Commonwealth’s identity theft law 201 CMR 17.00. Is your company compliance-ready, and can you prove it to the auditor who may come knocking at your door?

To help Massachusetts businesses get compliance-ready, Universal Benefit Plans has partnered with local employment law firm Foley and Foley to offer a complimentary 30 minute compliance review for qualifying companies. Call us at 617-859-1777 to learn more and see if your company qualifies.


The security of your identity is only as strong as the passwords you keep—Part 1

If you lived during the Middle Ages and had a castle, you’d want to prevent invaders from breaking in, destroying your property, kidnapping your loved ones, etc. So what would you do? Build a moat, correct?

Now most, if not all of you, would pull out all the stops to create the deepest, most crocodile-filled moat imaginable. After all, it would be your only barrier for keeping invaders out. When creating passwords for your personal information you should use this exact same logic.

That’s because just like a moat is the only barrier keeping invaders out of a castle, your passwords are often your only barrier standing between personal information and identity thieves.

All passwords you use to access personal information (both online and off) should be both strong and secret. This blog post will educate you on how to keep them strong.

What is a strong password?

A strong password is one that includes:

  • 6 or more characters
  • Letters, numbers and symbols
  • At least one case change

When creating your passwords, make sure that they are both easy for you to remember and difficult for others to guess. If your password contains two distinct words or proper names, make sure they are unrelated to one another.

One strategy you can use to create a strong, memorable password is to use the first letter of every word in a popular saying (making at least one of the letters uppercase) and add a number plus a symbol to the end. For example, a strong password using the popular saying “Speak softly and carry a big stick” might be Ss&cabs13.
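The rules above can be checked mechanically. The following is an added example written for this page, not code from the original post: a small Python checker that applies the post's five criteria (6 or more characters, letters, numbers, symbols, at least one case change) and a helper that builds a password from the first letter of each word of a saying, then appends a number and a symbol as the post describes. The function names, and the choice of Python's `string.punctuation` as the set of "symbols", are my assumptions about how to read the post's criteria.

```python
import string

# The post's rules: 6 or more characters, letters, numbers and symbols,
# and at least one case change (both upper and lower case present).
MIN_LENGTH = 6


def password_problems(password):
    """Return the list of the post's rules that `password` fails; empty if strong."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    # Assumption: "symbols" means ASCII punctuation (string.punctuation).
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        problems.append("no case change")
    return problems


def is_strong(password):
    """True when the password meets every rule in the post."""
    return not password_problems(password)


def saying_to_password(saying, number, symbol, upper_index=0):
    """Apply the post's strategy: first letter of each word of a saying,
    one letter uppercased, then a number plus a symbol appended at the end.
    Example: "Speak softly and carry a big stick", 13, "&" -> "Ssacabs13&"
    (the post's own Ss&cabs13 places the symbol mid-word; this helper follows
    the rule as stated, and the checker accepts both)."""
    initials = [word[0].lower() for word in saying.split()]
    initials[upper_index] = initials[upper_index].upper()
    return "".join(initials) + str(number) + symbol


if __name__ == "__main__":
    for candidate in ["password", "Ab1!", "Ss&cabs13",
                      saying_to_password("Speak softly and carry a big stick", 13, "&")]:
        verdict = "strong" if is_strong(candidate) else ", ".join(password_problems(candidate))
        print(f"{candidate!r}: {verdict}")
```

The checker reports every failed rule rather than stopping at the first, which is what a user-facing form needs. Current guidance (NIST SP 800-63B, 2017) favours length and screening against known-breached passwords over composition rules, so treat these rules as the post's minimum, not a ceiling.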

Once you’ve set a strong password, you should also take the following precautions:

  • Never use the same password for more than one of your main accounts: If you do, it could take just one security breach to compromise everything in all of your accounts.
  • Change your passwords regularly: The Commonwealth of Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) recommends that individuals change their passwords for access to personal information at least every 6 months. A helpful tip for reminding yourself to do this is to tie the change to a recurring event (for example, change your password every time daylight saving time begins or ends).

For any entity that employs and/or does business with Massachusetts residents, OCABR has passed our nation’s toughest ID theft law to date—Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00).

Businesses must be fully compliant with the law by March 1, 2010. Is all your company’s personal information on Massachusetts residents encrypted and/or protected? Do you have a Written Information Security Plan in place?

These are just a few of the 201 CMR 17.00 requirements that must be met. Attend our free webinar February 11th at 2 pm and in just 30 minutes you’ll know the answers to these questions plus so much more.


What Identity Thieves Want

Identity theft is a huge and costly problem. In fact, it has recently surpassed drug trafficking as the number one crime in the nation and claims one new victim every 3 seconds.

Identity theft can happen to anyone and its results are devastating: stolen funds, a tarnished credit rating and obligations to pay off debt that isn’t even your own.

To keep from becoming victims of identity theft, all individuals should:

  • Keep sensitive personal information under wraps
  • Learn to recognize and put a stop to common identity theft strategies
  • Act quickly to limit damage

This blog post will focus on keeping sensitive personal information under wraps, and knowing what identity thieves want is a logical first step to keeping personal information safe. That’s because when you know what identity theft criminals want from you (and what they’d do with it) you’ll know exactly what personal details to keep safe and secure.

The following list shows you what common pieces of personal information identity theft criminals want and why they want it.

  • Social Security Number (SSN): Your Social Security Number uniquely identifies you for employment and credit purposes and serves as the gateway to all your financial information.
  • Date of Birth: Your date of birth (especially if used alongside your SSN) can be used by an ID theft criminal to verify your identity.
  • Financial Account Numbers: This includes bank account numbers and credit card numbers. ID theft criminals can use them to take money out of your accounts or make payments both over the phone and online.
  • Mother’s maiden name: ID theft criminals want this information because it’s often used to verify an individual’s identity and authorize access to their financial information.
  • PIN numbers and passwords: These allow access to banking, credit card and online accounts.
  • Driver’s license number: This number can be used by ID theft criminals to obtain a fraudulent ID.


Starting March 1, 2010 The Commonwealth of Massachusetts Attorney General’s office will begin enforcing Regulation 201 CMR 17.00. The Regulation is designed to prevent identity theft and it’s the toughest identity theft law for businesses in our nation to date.

Is your company up to speed with compliance? Can you afford not to be?

Register to attend our free webinar February 11th at 2 pm and in just 30 minutes we’ll walk you through the necessary steps to get compliant and stay compliant.



Could the encryption law go nationwide?

As many employers know, Massachusetts Regulation 201 CMR 17.00 (enforceable as of March 1, 2010) requires all businesses that “own, license, store or maintain” personal information on Massachusetts residents to:

  1. Digitally encrypt all records containing personal information
  2. Create and implement a Written Information Security Plan (WISP) outlining administrative, technical and physical safeguards for personal information protection
  3. Update all firewalls and system security measures on all computers that store and process personal information

Although Massachusetts’ identity theft law is the strictest in our nation to date, there could soon be a Federal law not unlike 201 CMR 17.00, although the details of this law haven’t quite been ironed out yet.

The Personal Data Privacy and Security Act of 2009:

Senator Patrick Leahy, a Vermont Democrat, is sponsoring a bill called the Personal Data Privacy and Security Act of 2009.

The bill contains the following provisions:

  • New Data Protection Standards: Private and government entities that keep personal data would be required to establish effective programs for ensuring that it’s kept confidential. These requirements include risk assessment and vulnerability testing as well as measures for controlling access to sensitive information, detecting and logging unauthorized personal information access, and protecting personal data both in transit and at rest.
  • New Federal Breach-Notification Standard: If a breach were to happen, companies would not only need to notify all individuals whose data was compromised, but in some cases, credit reporting agencies and the United States Secret Service as well.
  • An Office of Federal Identity Protection would be established as part of the Federal Trade Commission (FTC) to monitor data breaches and enforce identity theft law.
  • Breach notification exemptions: The law would provide private and government entities that have taken adequate measures to protect sensitive data (e.g. encryption) some exemptions from data breach notification requirements. Also, companies would not be required to immediately make a data breach notification if it gets in the way of a criminal investigation. However, both of these exemptions would need to be vetted by the US Secret Service.
  • Criminal penalties for executives that willfully conceal a data breach: Executives of companies that experience a data breach and willfully avoid notifying affected parties would be subject to criminal penalties under this new law.

Federal ID theft law will likely pre-empt state laws:

One major point to note about this bill is that if passed, it would pre-empt (i.e. nullify) state identity theft and data breach notification laws. This means that the rules of data security could change quite a lot for Massachusetts employers, although it hasn’t been established quite how much they’d change.

The Personal Data Privacy and Security Act of 2009 was approved November 2009 by the Senate Judiciary Committee and is currently under consideration by the full Senate.

We will keep very close tabs on Congress’ progress with this law and keep you posted on any major changes that occur.


One of these things is not like the other

Q: The following are used to store and/or communicate employee benefits information.

  1. Files on your hard drive
  2. A fax machine
  3. An HRIS system
  4. Email

Of these 4 options, 3 are encryptable and one is not. Which one is not encryptable?

A: If you answered number 2, a fax machine, then you are correct.

Here’s why:

You can encrypt both the files you store on your hard drive containing personal employee information and the email you use to communicate it to other HR staff and your broker. All you’ll need to do is purchase file encryption software and email encryption software, then have IT install it on all computers where personal employee information is housed and communicated.

You can also purchase (or get for free through your broker) an encrypted Human Resources Information System (HRIS) to securely store all vital employee and benefits information and protect it from being lost or stolen.

However, you cannot encrypt a fax machine. This means that effective March 1, 2010 when the law Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00) goes into effect, employers’ days of faxing claim and enrollment forms are over, and for a good reason.

Think of it this way: a new hire enrolls in a family plan for your health insurance, she fills out the paperwork, and you fax it to your broker (or to whom you think is your broker), but you press a wrong key on the fax machine by accident. Who do you think your fax went to? It was certainly not your broker.

And, what do you think the person who received the fax did with it? Did they throw it away without shredding it (that’ll be a $50,000 check made payable to the Commonwealth of Massachusetts if the improperly disposed data gets stolen) or see the Social Security Numbers of your employee, her husband and two children and think, “Wow, four identities for the price of one!”?

How do you send employee personal information now that faxing it is obsolete?

You, the employer, can do one of two things.

  1. Scan the document containing employee personal information, purchase email encryption software and send it using your new encrypted email.
  2. If your encrypted HRIS system has secure communication capabilities (between the HR/benefits administrator and broker), scan the document and send it through your HRIS. Universal Benefit Plans’ proprietary dual-encrypted online HRIS system, The HR in a Box™ has a feature called the Agency Help Ticket Center that will do just this.

Instead of encrypting file after file on computer after computer, or purchasing encrypted email just for the purpose of communicating personal employee information, you could get The HR in a Box™ dual encrypted online secure information storage vault and communication vehicle for free.

Call us at (617) 859-1777 to see if your company qualifies; the clock to March 1 is ticking.

Want to learn more about the law Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00) and the many other things you must do to get your company compliant?

Register to attend one of our free 30 minute webinars:



Three ways to prevent a large scale identity breach at your company

On Monday August 17, three men (one American and two Russians) were charged with stealing personal data from more than 130 million credit and/or debit cards. Data was stolen from customers of Heartland Payment Systems, 7-Eleven, the Hannaford Brothers supermarket chain and two other unnamed corporate entities.

The men are charged with conspiring to hack into computer networks and stealing data as far back as October 2006. This hacking and identity theft case is believed to be the largest one the US Department of Justice has ever prosecuted.


How the breach was executed:

To tap into the retailers’ networks, the three hackers used a very sophisticated technique known as a SQL injection attack. This technique enabled them to maneuver around the firewalls on computer networks containing credit and debit card data.

The hackers then installed “sniffers” on the victims’ computer systems to intercept credit and debit card data as transactions were processed.
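To make the mechanism concrete, here is an added example (written for this page; it is not code from the post or from any of the companies named in it) using Python's built-in sqlite3 with a constructed three-row table. It shows why a firewall does not stop this class of attack: the request arrives as an ordinary web query, and the damage is done by how the application assembles its SQL. The vulnerable lookup pastes user input into the query text; the hardened lookup binds it as a parameter so the database only ever compares it as data. Table and column names and the sample values are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for a retailer's customer table.
    The names and card fragments are made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable: the username is interpolated into the SQL text.
    A value containing quote characters changes the query's meaning,
    so one crafted web request can return every row in the table."""
    query = f"SELECT username, card_last4 FROM customers WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Hardened: a bound parameter. The driver sends the value separately
    from the SQL text, so whatever it contains is compared as a string and
    cannot alter the statement."""
    query = "SELECT username, card_last4 FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    normal = "alice"
    crafted = "nobody' OR '1'='1"   # constructed input with a quote and a tautology
    print("unsafe, normal input: ", lookup_unsafe(conn, normal))
    print("unsafe, crafted input:", lookup_unsafe(conn, crafted))   # dumps all rows
    print("safe, crafted input:  ", lookup_safe(conn, crafted))     # matches nothing
```

Both functions behave identically on ordinary usernames, which is why this defect survives functional testing; only the parameterized form is safe on hostile input. Reviewing code for string-built SQL and requiring bound parameters (or an ORM that uses them) is the control that closes the entry point the post describes.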

How to prevent this from happening at your company:

Although hackers are always looking for new and innovative ways to access and compromise personal information, there are still things companies can do to help prevent a data breach.

1. Encrypt your networks

This is especially important if your company has a wireless network. According to a recent PC World article, both the TJX and Lowe’s data breaches were made possible because of non-existent wireless network security. That’s why you should secure your wireless network with encryption. Also, a form of authentication should be required for anyone to access the wireless network.

2. Stay on top of things

Make sure to consistently monitor all computer systems containing personal information. This frequent exposure will help sensitize you to the earliest signs of compromise or suspicious activity. That way, you’ll be alert and ready to take action before any major damage is done (or any major funds are lost).

3. Go above and beyond

This means that you should do more than the bare minimum at your company to pass a security audit. As much as we like to think lawmakers enact security laws because they have nothing better to do with their time, they really do have our best interest at heart.

Data security laws are there to protect your sensitive data on your computer networks. If you’re only doing the bare minimum that the lawmakers want, you might not be reaping the full benefit of these laws in the end.

Massachusetts’ Identity Theft Law:

In response to the huge, costly problem of identity theft, Massachusetts Governor Deval Patrick signed identity protection law 201 CMR 17.00. Effective March 1, 2010, this law is the toughest one any US state has passed to date.

To prepare businesses for compliance with this law, Universal Benefit Plans conducts free 30-minute educational webinars twice per month. To sign up for a webinar, please visit www.universalbenefitplans.com and check out our events calendar.


Is your third-party service provider in compliance with 201 CMR 17.00?

In recent years, there have been multiple high profile data breaches involving third-party providers of credit card and other financial services. One of the many ways identity thieves access the personal information these entities maintain is by breaking into unencrypted databases that have no password protection. Under the Massachusetts identity theft law 201 CMR 17.00, companies that work with these third-party providers will be liable for any data security breach involving personal information of Massachusetts residents if they did not take any action to ensure that the provider was operating in full compliance with the law.

For small and mid-size businesses that work with online credit card processing companies, it is no longer safe to just assume that these companies are in compliance with the law. You must now take a look deeper and investigate them to ensure that they are in compliance. It is vital as well to make sure that you include in all contracts with these providers an explicit requirement that they maintain data security safeguards compliant with 201 CMR 17.00.

Although January is still several months away, the time to start preparing for Massachusetts law 201 CMR 17.00 to go into effect is now. That means identifying all records of personal information on any Massachusetts resident within your organization and bringing together an inter-departmental team to craft your organization’s Written Information Security Plan.

To help companies out with their 201 CMR 17.00 compliance efforts, Universal Benefit Plans will hold a free 35 minute educational webinar July 21st at 11:00 am.

Register to attend at: https://www2.gotomeeting.com/register/660426874

Are you aware of all subtleties of the upcoming Massachusetts identity theft legislation (201 CMR 17.00)?

As some of you may already know, the Commonwealth of Massachusetts has passed the strictest information security legislation in our nation to date (201 CMR 17.00)  in order to protect citizens against identity theft. This law goes into effect January 1, 2010 and takes a far more proactive approach than the “data breach notification” laws that 40 other states have put into place.

The law requires organizations that collect, maintain and transmit the personal information of any Massachusetts resident to digitally encrypt it to the extent technically feasible. The law also requires organizations to develop, implement and monitor a Written Information Security Plan. As you would expect, this law is highly complex. We would like to alert you to the many subtleties that may prove challenging to your organization.

Process Monitoring Requirements:

The upcoming Massachusetts law requires organizations to monitor systems containing personal information so as to track who accessed such information, what they accessed and when. This is done to help diagnose and prevent unauthorized access to such information, and can be done either electronically or manually.

Revised regulations regarding assurance from third-party providers:

When the law was originally passed, it would have required all third-party service providers and vendors that have access to the personal information of any Massachusetts resident to provide written certification of their compliance. This requirement has since been abolished and now, organizations are required to do the following:

“(1) verify that its third-party providers have the capacity to protect the personal information that you give them access to, and (2) ensure that such third-party providers are applying protective security measures that are at least as stringent as those required under the new Massachusetts regulations.”

It is still essential for you, as an employer, to evaluate the way in which all of your third-party service providers handle your most sensitive information.

As you can probably already see from just the few subtleties we’ve mentioned thus far, many organizations will have to adjust many procedures and re-think the way they do business in just a short time.

Universal Benefit Plans has broken down the Massachusetts Information Security Legislation and will be presenting free 30-minute webinars throughout the month of June on this topic.

To view upcoming webinar dates and register for one, you can view the Events calendar on our website and click on the link for the date of the webinar you want to attend.

What steps have you taken at your company to ensure that terminated employees are immediately denied access to personal information?

Newly terminated employees are among the many individuals with a motive to commit identity theft, including theft of the personal information of any employee, customer and/or contractor of their former employer.

According to the Massachusetts Information Security Legislation effective 1/1/2010, ALL Massachusetts employers must:

  • Immediately block terminated employees’ on-site and remote access to personal information. This includes deactivating their passwords and usernames.
  • Require terminated employees to return all records containing personal information.
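The monitoring requirement (track who accessed personal information, what and when) and the termination requirement above fit together: the access log is where you find out whether a deactivation actually took effect. The following added example, written for this page and not part of the post or of any HR product it mentions, models both in Python with a hypothetical in-memory account store and audit log. Every read is logged whether allowed or not; one report lists attempts by deactivated accounts, and a second finds reads that still succeeded after HR recorded a termination, which is the gap the post says should be zero. All names, records and timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class PersonalInfoStore:
    """Hypothetical stand-in for an HR system holding personal information.
    A real deployment would back this with a directory service and a
    tamper-evident log; the structure of the checks is the same."""
    active_users: set = field(default_factory=set)
    terminated_at: dict = field(default_factory=dict)  # user -> HR termination time
    audit_log: list = field(default_factory=list)      # who / what / when / allowed

    def _log(self, when, who, what, allowed):
        self.audit_log.append({"when": when, "who": who, "what": what, "allowed": allowed})

    def hr_terminates(self, user, when):
        """HR records the termination. This alone does not change access."""
        self.terminated_at[user] = when
        self._log(when, user, "termination recorded by HR", True)

    def deactivate(self, user, when):
        """Remove the account so on-site and remote access both stop working."""
        self.active_users.discard(user)
        self._log(when, user, "account deactivated", True)

    def read_record(self, user, record, when):
        """Grant access only to active accounts; log the attempt either way."""
        allowed = user in self.active_users
        self._log(when, user, f"read {record}", allowed)
        return allowed


def denied_attempts(store):
    """Attempts by accounts that were not active: what an auditor reviews first."""
    return [e for e in store.audit_log if not e["allowed"]]


def access_after_termination(store):
    """Reads that succeeded after HR recorded the termination, i.e. the
    deactivation lagged behind the HR event."""
    return [
        e for e in store.audit_log
        if e["allowed"] and e["what"].startswith("read ")
        and e["who"] in store.terminated_at
        and e["when"] > store.terminated_at[e["who"]]
    ]


def run_demo():
    """Constructed scenario: jdoe is terminated at 09:00 but deactivated only at 09:30."""
    store = PersonalInfoStore(active_users={"jdoe", "asmith"})
    t = lambda h, m: datetime(2010, 3, 1, h, m)  # constructed timestamps
    store.hr_terminates("jdoe", t(9, 0))
    store.read_record("jdoe", "personnel file #42", t(9, 10))    # allowed, but should not be
    store.deactivate("jdoe", t(9, 30))
    store.read_record("jdoe", "personnel file #42", t(10, 0))    # denied and logged
    store.read_record("asmith", "benefits enrollment", t(10, 5))  # legitimate use
    return store


if __name__ == "__main__":
    s = run_demo()
    for e in s.audit_log:
        print(e["when"].strftime("%H:%M"), e["who"], e["what"], "allowed" if e["allowed"] else "DENIED")
    print("denied attempts:", len(denied_attempts(s)))
    print("reads after HR termination:", len(access_after_termination(s)))
```

The second report is the useful one: a denied attempt shows the control working, while a successful read after the HR termination time shows the gap between "terminated" and "deactivated" that the law's word "immediately" is meant to eliminate. Running that query over the real log on a schedule turns the WISP's monitoring clause into a check you can show an auditor.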

These measures are just a small part of the comprehensive Written Information Security Plan (WISP) this new state law requires companies to create spelling out all of their administrative, technical and physical safeguards for all records containing personal information on Massachusetts residents.

To learn more about the law, creating and implementing a WISP, my company will hold free educational webinars. To register, please visit the events page of our website.
