A geek stranded on Martha’s Vineyard
Basics of the New Massachusetts Data Privacy Regulation
Last week I gave a lightning talk on this topic at Boston Ruby Group. There was nothing new in the technical part of my presentation; everyone in the audience was a professional developer and was already following good security practices.
However, I was impressed by the number of people who were not aware that now it's not only good practice; it's the law. And if you don't do it, you're subject to penalties.
I decided to write this short post with the highlights in order to help spread the word. You can get the full presentation from SlideShare. I also provide several links below to get more information and resources to help your small business become compliant.
The official name of the regulation is 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth.
The regulation became effective March 1, 2010.
Any individual, company, or organization that stores personal information of residents of the Commonwealth of Massachusetts must comply.
What is Personal Information?
A person's first name (or initial) and last name in combination with any one of these:
- Social Security number
- Driver’s license number
- Account number: credit card, bank account, etc.
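As an added example (not part of the original post or the talk), here is the definition above turned into a record classifier: a record is in scope only when a name and at least one of the three identifiers appear together. The field names, the format rules and the sample records are assumptions for the demo; real data needs per-state license formats and per-institution account rules.

```ruby
# Added example: classify a record under the 201 CMR 17.00 definition quoted
# above (name + any one of SSN, driver's license, account number). The field
# names and the format rules below are assumptions for the demo.

SSN_RE = /\A\d{3}[- ]?\d{2}[- ]?\d{4}\z/   # 3-2-4 digits, optional separators
ACCOUNT_RE = /\A\d{8,19}\z/                # card/bank account: 8-19 digits

# Luhn checksum, used by payment card numbers; applied to account numbers so
# that arbitrary digit strings (order ids, phone numbers) are not flagged.
def luhn_valid?(digits)
  sum = digits.reverse.chars.each_with_index.sum do |ch, i|
    d = ch.to_i
    i.odd? ? (d * 2 > 9 ? d * 2 - 9 : d * 2) : d
  end
  (sum % 10).zero?
end

# Returns the identifier kinds present in the record: :ssn, :license, :account.
def sensitive_identifiers(record)
  found = []
  found << :ssn if record[:ssn].to_s.strip.match?(SSN_RE)
  found << :license unless record[:drivers_license].to_s.strip.empty?
  acct = record[:account_number].to_s.gsub(/[-\s]/, '')
  found << :account if acct.match?(ACCOUNT_RE) && luhn_valid?(acct)
  found
end

# First name (an initial is enough) and last name must both be present.
def has_name?(record)
  [:first_name, :last_name].all? { |k| !record[k].to_s.strip.empty? }
end

# In scope only when a name AND at least one identifier appear together.
def personal_information?(record)
  has_name?(record) && !sensitive_identifiers(record).empty?
end

def in_scope_records(records)
  records.select { |r| personal_information?(r) }
end

# Constructed sample records (fictitious values).
SAMPLE_RECORDS = [
  { first_name: 'J', last_name: 'Doe', ssn: '123-45-6789' },                        # initial + SSN
  { first_name: 'Ana', last_name: 'Silva', account_number: '4111 1111 1111 1111' }, # Luhn-valid card
  { first_name: 'Ana', last_name: 'Silva', account_number: '4111 1111 1111 1112' }, # bad checksum
  { first_name: 'Lee', last_name: 'Park', email: 'lee@example.com' },               # name only
  { ssn: '987-65-4321' },                                                           # identifier only
]
puts "#{in_scope_records(SAMPLE_RECORDS).size} of #{SAMPLE_RECORDS.size} records are in scope"
```

Records that come back in scope are the ones the WISP, access controls and encryption requirements below apply to; the last two rows show why a name alone or an identifier alone does not trigger them.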
The regulation requires one to maintain a comprehensive written information security program (WISP). This document must analyze the risks to security and describe how they'll be prevented. Some of its elements are:
- Designate one person to be in charge of security
- Security policies
- Restrictions upon access to personal information
- Keeping audit trails
- Overseeing service providers
The most important technical requirements are:
- Firewalls, anti-virus, keeping software updated
- User authentication: passwords or biometrics
- Access control (permission is granted when needed only)
- Encryption is mandatory for:
  - Email containing personal information
  - Wireless networks
  - VPN for remote access
  - Laptops and other portable devices
The simplest way to comply with the regulations is not maintaining any personal information (PI) at all. However, this is rarely the case. If you own a business with 2 employees and keep their Social Security numbers, you must comply.
It's easy to use web-based services for payroll; that way the PI isn't stored on your computer but with your service provider. Keep paper records in a locked file cabinet inside a secure office. You still need the WISP though (see link to sample below).
If You Need Encryption
The encryption requirement is the one that has created the most problems among small businesses, because they don't have the expertise to implement the technology.
The easiest way to comply is, again: don't do it. If you need to send documents containing personal information to your customers, use fax or FedEx; even first class mail is compliant. And don't save personal information on your laptop; that way there's no need to encrypt it.
Encryption technology has been around for a long time and it's free if you use open source software, like GPG for email and TrueCrypt for encrypting laptops.
The problem with GPG is that it's complicated for non-technical users, especially the part that involves handling the cryptographic keys.
There are several products that provide easy-to-use solutions to send and receive secure messages with your customers. I like to recommend the one I developed: Solid Secure. There's no software to install. It's very easy to use because it works just like Gmail or Yahoo Mail. But as the owner of your business, you control who becomes a user.
Resources and Additional Information
- Complete content of 201 CMR 17.00 from the official website of the Commonwealth of Massachusetts
- Frequently Asked Questions Regarding 201 CMR 17.00 by the Office of Consumer Affairs and Business Regulations
- Compliance checklist by the Office of Consumer Affairs and Business Regulations
- Article by a Boston lawyer explaining 201 CMR 17.00
- A Sample WISP you can adapt to your organization needs
- Encryption guides, how to use GPG and TrueCrypt
Disclaimer: I am not a lawyer and this is not legal advice.
My Second Week at Anything Goes Lab
Post about the 1st week.
If there were a single lesson I would take from these 2 weeks it would be: don't be afraid of failure. We all know this, but putting it in practice is not easy. Fear has kept me from doing many things. How did I learn this time? I heard very smart people telling stories about their failures, and they were not embarrassed; they even laughed about it.
The most convincing was having Bill Warner tell how a New York editor rejected his book. Some of his ideas were inspired by Wayne Dyer's The Power of Intention and he gave him credit for it. The editor's answer was pretty close to "if I wanted to read Wayne Dyer, I'd buy a book by Wayne Dyer."
As a team, we also had our own dose of failure. Scott Kirsner, a writer for the Boston Globe, came to visit. When he compared us to Curves, I don't think he meant it as a compliment.
We invited 2 guests to have lunch and talk; they were Eric Peters and Desh Deshpande. Eric was CTO and technical co-founder of Avid Technology. It was interesting to hear how Eric and Bill created the co-flow that made Avid successful.
What is Co-Flow?
All of us have multiple intentions, and because we're humans, there aren't two people with the same intentions. It's like our DNA.
A company, on the other hand, has only one intention: the vision of the original founder, what he wanted to achieve with the idea. Because it is unique, it's called the primary intention. The goal of a startup, then, is to build an invention to achieve the primary intention. We say that the primary intention flows through the invention.
But the founder is not alone; there are co-founders and employees, all with intentions of their own. There's co-flow when the members of the team not only follow the primary intention, but also add to it. They amplify it. This is the most powerful concept in building a company from the heart.
It's essential to identify the primary intention very clearly and communicate it to every member of the company. This was one of the main goals during our first week at Anything Goes Lab.
Eric Peters's task was to create the technology to allow movie editors to use a computer. It was the '80s. They were still cutting celluloid to do their work. Bill asked Eric to create the hardware and software to display movies at 15 frames per second. Defining the target display refresh rate was a tricky decision. Make the number too low and the editors won't like the product or will buy from a competitor. Make it too high and you'll run into technical difficulties, need more resources, and delay the release.
Eric accepted the requirement without arguing. He didn't say anything either when Bill asked "is it ready?", which I assume happened countless times. He knew his people (the editors) better than Bill. He knew 15 wasn't enough to convince them to switch. When he got back to Bill with a working solution, it was capable of displaying 30 frames/second.
This is a good example of co-flow at work. It's also proof of the exceptional abilities of Eric Peters as an engineer. It gave Avid a huge advantage over the competition; today its yearly sales are over $600 million.
Desh (co-founder of Cascade Systems and Sycamore Networks) shared some of his stories as an entrepreneur. We have an audio recording of this session.
He agreed with most of our ideas when we discussed the principles of building a startup from the heart. He thinks using your head is an obstacle especially in the beginning. If you use your head you might never start a company. The first steps are irrational and come from the heart. But when things have started, the head can be useful too, for instance, recognizing that some approach you've been trying doesn't work. Follow your heart; use your head.
Among the teachings Desh shared with us was one that made a big impression on me, even though it was something I already knew. The clarity and conviction he used struck me: identify the good people early and never miss an opportunity to work with them.
Some of you might be wondering what goals we achieved, what concrete deliverables we completed in these two weeks. I know, because we asked ourselves the same question over the last few days. We took the boards and put everything in a wiki. You're welcome to take a look and make comments. There are 26 of us, with our stories, our people, intentions, beliefs and inventions.
We've already started working on our startups and intend to be in touch and help each other through this journey. Who knows - in 5 years, if we're lucky, someone else will invite us to talk to a group of young entrepreneurs, tell them our story and how it all started at Anything Goes Lab.
My First Week at Anything Goes Lab
Post about the 2nd week.
When two ladies you didn't know tell you that they are your groupies, you know you are doing something right. This happened to me at Innovation Breakfast, when I told Bobbie and Janet that I was one of the members of Anything Goes Lab. I have always been envious of rock stars; I felt so flattered.
What is Anything Goes Lab?
It is a workshop for entrepreneurs, founded by Bill Warner and Nick Tommarello. Instead of building our companies with our heads, we are learning to build them from our heart. Business plans and how to raise capital are still important, but instead of working on these topics we spent the past week talking about our passions and motivations, trying to establish who the people we want to help with our invention are.
As humans, this makes sense for most things we do in life, but how do we apply it to starting a business? This is what Anything Goes Lab is about. Bill has worked for several years creating a methodology and tools to help entrepreneurs achieve this goal; we are the first group of people with whom he is putting his ideas into practice. That is why we are called Launchpad 1A, and yes, we are guinea pigs, which makes it even more exciting.
You can watch this presentation for details. Here, I am just telling a short part of the story from my perspective.
The first task is to complete a statement. I would share mine if it were ready. This is Bill’s statement:
- I intend to help people follow their heart
- I believe people need tools to follow their heart
- I believe people are pushed to follow their head
- My people need help to follow their heart
Simple but powerful. The success of your company will depend on how well your actions (and your co-founders') are aligned with this statement.
What Do We Do?
Before starting the program I thought it would be "work" with some conversations. It happened to be the opposite: conversations with some "work". It fits Bill’s idea of what a startup is - a long intense conversation, peppered by bursts of invention, fueled by intention, motivated and moderated by beliefs.
We are divided into 5 groups. Mine is called In2Possible; we are 7 guys and 1 girl. Each group has a board where we compose our statements. We use cards with different colors for intentions, beliefs, people, inventions, stories and goals.
Collaboration is everything; we talk to everyone, not just within our group. I feel psyched being surrounded by such smart people working on so many cool projects, with so many clever ideas.
An interesting aspect of the experience is that we feel as if we had known each other for a long time. In part it is because we share similar interests, but also because, in discussing intentions and beliefs, we have been talking from our hearts.
We intend to tell the world what is happening here. That is why I am writing this blog post. We want to spread the word about the concept of starting a company from the heart and want more people involved in the project.
We have been blogging, taking pictures and recording videos at http://ag1uncut.posterous.com, but have not done any editing, thus the name uncut. We want to make the content public and welcome anyone who wants to use it.
We tweet with the hashtag #anythinggoeslab and this is a list with most of the members of Launchpad 1A: http://twitter.com/chrismyles4/launchpad1a/members
What is Next
But how do you go to the next step, building the invention? This is what we will be addressing this week; I will tell you how everything goes.