The document summarizes Massachusetts' new privacy law that establishes standards to safeguard personal information. It applies to any entity that stores personal information on Massachusetts residents. Personal information includes names plus social security numbers, driver's license numbers, or financial account information. Entities must implement plans to encrypt data, update security systems, and train employees on compliance. Non-compliance can result in fines or lawsuits.

1. 201 CMR 17.00 – New Privacy Law Irene Wachsler, CPA, MBA Tobolsky & Wachsler CPAs, LLC

2. Establishes minimum standards that must be met to safeguard personal information for both paper& electronic records Applies to “all persons that own, license, store or maintain personal information about a resident of the Commonwealth” What is the New Law?

3. Implementation has been pushed back to March 1, 2010 Good News!!!!

4. Since August 2008, the Office of Consumer Affairs and Business Regulation (OCABR) has investigated 320 incidents: Threatened to compromise the personal information of 625,365 Mass. Residents 60% of incidents involved theft of laptops / hard-drives 40% of incidents involved employee error / poor internal handling of sensitive information Identity theft costs consumers & businesses $52 billion annually Why????

5. Two pieces: First name & last name or first initial and last name and One or more of the following: Social security number Driver’s license / state-issued ID Financial account # / credit card / debit card What is Personal Information?

6. Absolutely! Tax Returns Copies of W-2s; bank, mutual funds stock statements, etc. Possibly your clients Do they have employees? Maintain payroll records, I-9s, 1099s? This applies to both Paper (“stuff” in the filing cabinets) and Electronic (data stored on your computer) Does this Apply to CPAs?

7. Some things are obvious: Prevent terminated employees from access to your computer & paper records. (Immediately get the computer, keys to the office, etc.) Use a password to logon to your computer (and don’t share / write down your password) Educate and train your employees on the importance of protecting your client’s personal information Lock your paper records / file cabinets How Do I Comply with the New Privacy Act?

8. Some things will require a change in work habits: Employees are prohibited from keeping open files containing personal information on their desks when they are not at their desks At the end of the day, all files containing personal information must be secured Paper and electronic records shall be disposed of in a manner that complies with M.G.L. c. 93I How Do I Comply with the New Privacy Act?

9. Some things are not so obvious: Encrypt all transmitted electronic records and files Ensure that your computer has up-to-date: Firewall protection Operating system security patches System security agent software including malware protection and virus definitions Hang out in the office when the cleaning crew arrives Designate a Data Security Coordinator who is responsible for implementing a plan to protect personal information How Do I Comply with the New Privacy Act?

10. Some things are not so obvious: Do not send a fax without confirming that the authorized recipient has exclusive access to the receiving fax machine How Do I Comply with the New Privacy Act?

11. Implements the Plan to protect the security and confidentiality of personal information Trains all employees Conducts regular testing of the Plan’s safeguards Evaluates the ability of service providers to comply with new law Conducts annual training for everyone – owners, employees, independent contractors, etc. All attendees must certify their attendance & familiarity with the Plan Data Security Coordinator

12. January 1, 2010 Paper records must be secured (i.e. locked) Electronic records must be encrypted Third-party service providers must be capable of protecting personal information All other portable devices must be encrypted – memory sticks, DVDs, PDAs, etc. Required written certification from third-party service providers Key Dates

13. You must immediately notify both the Attorney General’s Office and the Office of Consumer Affairs and Business Regulations: Include the nature of the breach The number of residents of the Commonwealth affected Any steps taken or plans to take relating to the breach What Happens if My Records are Breached?

15. Instructions for requesting a freeze on a credit report

16. Access to additional information including the date of the data breach and any steps you have taken or plans to take relating to the incidentWhat Happens if My Records are Breached?

17. Paper – burned, pulverized or shredded so that personal data cannot practicably be read or reconstructed Electronic media – destroyed or erased so that personal information cannot practicably be read or reconstructed Caveat emptor – “erasing” data on a computer does not meet this requirement. It is easy to reconstruct an “erased” file How Do I Dispose of Records in Compliance with M.G.L. c 931?

18. DISCLAIMER: The software tools listed on this and following pages are what our firm, Tobolsky & Wachsler CPAs, LLC uses. WE DO NOT OFFICIALLY ENDORSE THESE TOOLS NOR DO WE SUPPORT THEM. These tools are mentioned for discussion purposes only. Software Tools that We Use

19. Hardware: NetGearProSafe VPN Firewall < $100 at Circuit City Wireless NetGear Modem Encrypted wireless access $30 at CompUSA Software: Norton 360 $60 for 3-user license at Staples Firewall Protection

20. Norton 360 Automatic updates of malware & virus definitions Antispyware Email scanning of virus / junk email $60 for 3-user license at Staples Malware Protection & Virus Definitions

21. www.box.net Sharing of files Access anywhere via Internet connection Password protect files Invite clients to download files Files are encrypted prior to upload / download Files backed up across multiple, geographically separated servers $49.95 per month for 15GB of online storage Online Sharing of Files

22. Carbonite Online backup service Encrypts files before they are uploaded from PC Files remain encrypted at their data center Requires unique login to retrieve files $49.95 per year w/ unlimited storage Backup of Data

23. ComodoTrustConnect Protects identity and keeps information private Need to log in to TrustConnect website $50 per year Wireless Connections from Public Wi-Fi Hotspots

24. TrueCrypt – encrypted directories on laptops Microsoft encrypts data on hard drives Data Encryption

25. Irene Wachsler, CPA, MBA Tobolsky & Wachsler CPAs, LLC irene@milliecpa.com (781) 883-3174 To ensure compliance with the requirements imposed on us by Circular 230, we inform you that any tax advice contained in this communication (including any attachments) is not intended to and cannot be used for the purpose of (i) avoiding tax-related penalties under the Internal Revenue Code, or (ii) promoting, marketing or recommending to another party any tax-related matter(s) addressed herein. Thank You!