Do you comply with laws on ID protection?
The Commonwealth of Massachusetts has issued 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth, which governs the use and transmission of data that could be used for identity theft. According to the law, which goes into effect May 1. 2009, anyone storing such information must ensure its protection against theft.
The University of Massachusetts at Boston is taking steps to ensure that we comply with the law, and such efforts were underway long before the law was enacted, since such protection is just common sense. Other laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA), already govern our actions in this area.
Under the new law, you must ensure that your computer (especially if it’s a laptop), flash drives, backups (such as CDs), and other records are adequately protected against theft and intrusion if you store information about residents of the Commonwealth. This means keeping your computer secure and making sure any data you carry with you is encrypted. The law is somewhat onerous and the penalties for failure to comply can be severe, so all this raises a serious question:
Why do you need to keep this information?
The information in question, according to 201 CMR 17, is the last name, first name or initial, and one of the following: social security number, driver’s license or state ID number, or any financial account number "that would permit access to a resident’s financial account." Personally, I cannot see any circumstance in which an employee would need to store this information. Am I missing something? If you can think of any circumstance in which you would need to keep a student’s social security number, driver’s license number, or credit card number, please let me know.
The best way to comply with this law is not to keep this information at all!