With all the other things that small nonprofits have to worry about, Internet security usually is relegated to a “someday” status, that is, “we’ll get around to that someday,” with the result that the problem never gets solved. But there are a lot of good reasons that you should pay attention, particularly if you work with client financial information and personal information. Today, I will explain the “whys” of encryption, and in my next post, what you can do about it. For organizations governed by HIPAA, please find your way to other excellent explanations– that is a level of security beyond this article.
So… why do we have to worry about data security? Short answer: Massachusetts law requires that “personal information” be maintained and transmitted securely. “Personal information” means a person’s first and last name (or first initial and last name) and a social security number, loan or credit card number or driver’s license. If you have a document that contains those two elements (name and number), you are required to store and transmit it in a way that is designed to keep it away from hackers and other baddies that want it.
Nation: faxing this information is not a secure method of transmission. I don’t know how many lenders, lawyers, companies big and small– well meaning all– somehow think that the fax machine will save them from liability under the data protection regs. The fax machine is no safer (and in some cases, less safe) than the Internet. If there is one takeaway from this blog post it is this: your fax machine will not save you. If you are trying to get things done in a way that meets the requirements of Massachusetts data privacy laws, let go of your fax machine and learn how to encrypt your messages and attachments. It is the only compliant way of transmitting personal information (short of the U.S. mail).
By the way, the same Massachusetts regulations that require personal information to be encrypted before it leaves your computer are the same ones that require you to have a WISP– a Written Information Security Plan. All organizations using or having custody of personal information need a WISP. If you don’t have one, then step one in getting compliant with the regulations is preparing one. If you want to discuss information security plans or the Massachusetts data privacy regulations further, then call me.
Next up: encryption for the faint of heart.