Recommendation for Enforcement of 201 CMR 17.00
Attorney General Martha Coakley
One Ashburton Place
Boston, MA 02108
RE: NEW YORK YANKEES POTENTIAL VIOLATIONS OF c. 93H; 201 CMR 17.00
Dear Attorney General Coakley:
Recently your office announced its first successful enforcement of Massachusetts’ year-old data security law (G.L. c. 93H; 201 CMR 17.00) against Briar Group, LLC. For those of us in the state who have been trying to help organizations become compliant with this landmark set of regulations, the announcement of enforcement was welcome. At long last the law actually has teeth as we predicted.
In seminar after seminar beginning in late 2008, my colleagues and I presented summaries of the law and tried to keep up with the shifting regulations and twice-delayed date of implementation. We consulted with computer security experts about standards and urged our clients and potential clients to “get compliant” because of the risks to reputation, to the bottom line and, of course, because of government enforcement.
Audiences and decision makers at first did not even know that their organizations created or held Personal Information (PI). Even after realizing that the simple act of accepting checks from or employing Massachusetts residents implicated the new law, the general mood was that the threat of enforcement was remote; the economic climate was too severe to justify the cost of compliance.
I predicted to my audiences that enforcement would come and that this was a serious law. I warned people that they did not want their organization to become the poster boy for enforcement; all it takes is the loss of a single laptop to start the enforcement gauntlet.
To keep seminars lively I try to give examples and tell jokes. The best examples always have a twist of humor. To spice up my warnings after your Senatorial election campaign, I started to imagine the perfect AG enforcement:
The New York Yankees! I described to several Massachusetts audiences that the New York Yankees would be the ideal target for an aggressive and public 93H enforcement action by our Attorney General. There are surely some Western Massachusetts residents who are Yankees fans. What a perfect storm for the home team. It had all the makings of a great story: heroes, villains, redemption and a real sign that 93H must be reckoned with. Who better to make an example of than those damn Yankees?
The website datalossdb.org reported that on April 25, 2011, the New York Yankees misdirected emails containing 17,000 records of season ticket holders. The Yankees reported the incident on April 27th, but according to the New York Daily News there was no financial information included in the data breach.
At first I thought this was a daydream come true until I saw the Post story. As you know the 201 CMR 17.00 final regulations define Personal Information “data elements” to include financial account numbers:
Personal information, a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account. . . 201 CMR 17.02
Judging from the reactions of hundreds of people who listened to the hypothetical version of a New York enforcement effort, I humbly suggest that this data security breach is of importance to citizens of Massachusetts and should be formally investigated. If you are short-handed I would be happy to pitch in, for the team.
Steven J. O’Neill, Attorney at Law