Postponement of Mass. Privacy Regulations to March 1, 2010

Commonwealth’s Privacy Regulations Revised and Simplified

Citing concessions to the burdens placed on small businesses, on August 17, 2009, the Commonwealth’s Office of Consumer Affairs and Business Regulation (“OCABR”) again revised the so-called identity theft or privacy regulations, further extending the date for compliance until March 1, 2010.

The major conceptual change in the revised regulations is their new emphasis on a “risk-based approach” to implementation.  In plain terms, a company now has the flexibility to scale its efforts  in implementing the regulations based on “the size, nature of its business, the kinds of records it maintains, and the risk of identity theft posed by its operations,” as summarized by the OCABR.  Where the prior version of the regulations indicated that compliance would be judged (assumedly at the time of enforcement) in light of the relative business size along with the amount and accessibility of personal information, that scalability has now shifted to the demands required of a business in initially implementing the regulations.  According to OCABR, the “[n]ew language in the regulations recognizes that the size of a business and amount of personal information it handles plays a role in the data security plan the business creates.”

The revised regulations postpone, again, the date for compliance an additional two months (formerly the deadline was January 1, 2010).  The remaining changes to the regulations tighten, focus and simplify the language, but do not appear to materially change the process for businesses.  Each company must still evaluate its use and storage of personal information, create a comprehensive written security plan or plans, implement feasible safeguards (including employee training and reasonable protection of electronically stored and transmitted information), and monitor and report breaches and unauthorized disclosures – although each phase may be moderated to the scale and nature of business operations and volume of protected information.  A public hearing on the revisions will be held by OCABR on September 22, 2009, which may result in further updates.  Look for additional alerts throughout the fall.

For more information on these topics, please contact:

Karen A. Whitley, Esq. 617-226-3402

Kathleen E. Cross, Esq. 617-226-3433

This alert may be considered advertising under the rules of the Supreme Judicial Court of Massachusetts.  The information in this alert is provided for background purposes and should not be considered legal advice.  Hanify & King, Professional Corporation © 2009

NSS joined AIM

NSS has joined AIM as a corporate member this week.  In an earlier blog I wrote about the website, the Massachusetts online business-to-business network.  AIM created this website along with the Commonwealth of Massachusetts.  It is all about creating jobs and bringing economic opportunity to Massachusetts.

We believe that NSS offers a unique value to emerging businesses of the Commonwealth with our CFO on Demand model.  Our CFO team is highly experienced not only in the arena of finance, but also in operations and management.  Today’s CFO needs to provide more than the governance piece of finance by bringing the organizational mind set to the table. We understand how to grow companies and hope to be of value to the other AIM members.

Rudi Scheiber-Kurtz, CEO
Next Stage Solutions, Inc.

Discrimination and Harassment Claims on the Rise

We are happy to have another guest blogger, Lauren Brenner, President of the HCR Group, telling us what CEOs need to know about Discrimination and Harassment claims.


When was the last time you distributed your Anti-Harassment Policy, trained your Managers/Supervisors on their compliance obligations and conducted Anti-Harassment Training with your employees?

Reality Check:

The most recent statistics are from 2007 and state that 75,768 EEOC (Equal Employment Opportunity Commission) claims were filed, resulting in $229,900,000 in monetary awards (Note: this does not include lost company time or legal fee expenses).

In Massachusetts during this same period, 3,413 MCAD (Massachusetts Commission Against Discrimination) cases were filed, of which 83% of claims were employment related; the other 17% were filed for housing, public accommodations-related situations.

Of the MCAD filings the top 6 complaint categories were:

Disability – 20.5%
Sex – 17.4%
Race – 19.3%
Retaliation – 13%
Age – 9.4%
National Origin – 8.8%

What Can You Do?

Whether you have 1 employee or several hundred, you need to protect your organization.  This includes:

  • Training managers and supervisors as to their legal obligations so that they can help to enforce a zero tolerance policy;
  • Adding the term “zero tolerance” in all written anti-discrimination and harassment policies and procedures;
  • Conducting annual anti-discrimination and harassment training for all employees and maintaining the proper postings in common areas in the workplace; and
  • Instructing supervisors and managers to report, and your designated Human Resources Representative to investigate any and all complaints made by employees, no matter how trivial or inconsequential.

Please contact Lauren Brenner, President/HR Division, HCR Group if you would like more information.

Announcement of the New Website

Yesterday I attended a ceremonial announcement on the unveiling of the website, a collaboration between the Commonwealth of Massachusetts and Associated Industries of Massachusetts (AIM), an organization that supports businesses in Massachusetts and provides many programs and resources.

The event took place at the headquarters of the Roxbury Technology Company where President and CEO Beth Williams welcomed all of us.  Ms. Williams talked about the importance of using local vendors and encouraged us to do the same, now even easier to accomplish with this new web portal. makes it easy to connect with companies of all sizes that call Massachusetts home.  It is a Business-to-Business Network for services and products.  Richard Lord, President and CEO of AIM, also spoke with enthusiasm of the new portal by exclaiming “We want to lead the recovery, not follow it!”

Secretary Greg Bialecki from the Executive Office of Housing & Economic Development for Massachusetts participated in the official launch of the website stating the importance of collaboration between government and business.  They want to work hand in hand.

Take a look at the website yourself and consider joining. After all, together we can move ahead of the recovery!

Rudi Scheiber-Kurtz, CEO of Next Stage Solutions, Inc


We are fortunate this month to have an article about the New Massachusetts Privacy Regulations written by Karen A. Whitley, Esq. and Kathleen E. Cross, Esq., experts on this subject, and lawyers at Hanify & King, Professional Corporation. Please read carefully.

In response to several highly publicized breaches of confidential customer financial information, the Massachusetts Legislature passed a well-intentioned and straightforward law in August 2007 intended to “safeguard the personal information of residents of the commonwealth.”  In February 2009, the Office of Consumer Affairs and Business Regulation (“OCABR”) fulfilled its charge to prepare regulations implementing the new law, with a set of extensive requirements for every person or business which “own[s], license[s], store[s] or maintain[s]” personal information of a resident of the Commonwealth.  The breadth, cost and implementation timetable for these regulations, found at 201 C.M.R. 17.00 et seq., have elicited a concerted backlash from notable business groups from lawyers to the mutual fund industry to health care providers.

In the short term, to ease the predicted strain on businesses, the OCABR postponed the deadlines for compliance with the regulations from January 1, 2009 to May 1, 2009, and more recently postponed the deadlines to January 1, 2010. However, many businesses will still be hard pressed to comply fully within that timeframe, especially given the possible added costs for revamping information technology policies and software.  Notably, neither the law nor the regulations contain any exemption or opt-out for any category or size of business (which may be as small as a single person’s sole proprietorship).  Considerations such as the “size, scope and type of business” as well as the volume of personal data handled by a particular business will be taken into account when evaluating compliance with the regulations.  All businesses, including those outside of Massachusetts, are subject to these regulations if they hold personal information of residents of the Commonwealth.

What is Protected: Personal information is specifically defined as a resident’s first name or initial along with his or her last name plus one or more of the resident’s 1) social security number, 2) driver’s license number or state identification card number, 3) financial account number, credit card number, with or without personal i.d. number or password.  If any of the foregoing information is lawfully available to the general public, it is not considered personal information under the statute and regulations.

How Personal Information Must Be Protected: Generally, each business must create a written information security program (“WISP”) that sets forth the components of their privacy plan “applicable to any records containing  . . . personal information” and customized to their business.  The regulations recognize two levels of protection, one generally applicable to all records with personal information and a second level applicable to personal information on computer and other electronic devices.

General Protections for All Personal Information:

Every WISP must contain provisions for:

1)      Designating one or more employees to maintain the security program;

2)      Placing limits on collection of personal information, on the length of time it is retained, and to the persons allowed access to the information to “that reasonably necessary to accomplish the legitimate purpose for which it is collected”;

3)      Identifying all records and places personal information is stored within the business, unless all information will be treated as personal information;

4)      Providing, in writing, reasonable restrictions on physical access to personal information and storage of such information in locked areas or containers;

5)      Assessing the risk of disclosure of personal information in all records which the business holds, including an assessment of existing safeguards (for example, employee training, compliance with security policies, how breaches of security are prevented/detected);

6)      Identifying security policies for employees (for example, use and transport of personal information outside the business, discipline for violations of policy, and cutting off access to information immediately upon termination of employment);

7)      Verifying that third-party vendors with access to personal information comply with the regulations, including revising contracts requiring vendors to maintain security safeguards.  Effective January 1, 2010, a business must ask each third-party vendor for a certification that it has a WISP which complies with the regulations;

8)      Including procedures for regular monitoring and upgrading of security measures;

9)      Requiring at least annual review of security procedures or review whenever a business undergoes a material change in practices implicating records containing personal information; and,

10)   Outlining procedures for documenting any breach of security, mandatory post-breach review of events and remedial measures to protect personal information.

Protections for Personal Information in Electronic Form:  When a person or business “electronically stores or transmits” personal information, the WISP must include security procedures covering computers and wireless systems, such as:

1)      Secure user authentication protocols to a) control user ids, methods of assigning and selecting passwords or other unique access technologies b) restrict access to active users and active accounts and c) block access after multiple unsuccessful attempts to access the system;

2)      Restrictions on access to records with personal information to only those employees with a “need to know” and assignment of user id plus passwords to access the secure system;

3)      Encrypting all transmitted records with personal information that will travel on public networks or by wireless transmissions;

4)      Monitoring electronic systems for unauthorized use;

5)      Encrypting all personal information on laptops and other portable devices;

6)      State-of-the-art firewall, malware and security software as well as OS security patches that are regularly updated; and,

7)      Employee training and education on security of electronic personal information.

Although each WISP will be different based on the size and needs of a business, a sample WISP for a small business can be found on OCABR’s website.

Disclosure of a Breach: Disclosure obligations under the statute are triggered whenever a person or business becomes aware of a security breach or that personal information was acquired or used by an unauthorized person or for an unauthorized purpose.  A security breach is broadly defined as the unauthorized use or acquisition of encrypted data containing personal information with enough information about the security process to create a substantial risk of identity theft or fraud against a resident.  If the person or business merely stores or maintains personal information, it must timely disclose the breach to the owner or licensor and provide required information about the breach as well as cooperate with the owner/licensor.  An owner or licensor of personal information must provide notice of any breach to affected residents, the Attorney General of the Commonwealth and the director of OCABR.  The statute (Mass. G.L. c. 93H) describes the information which must be provided about the breach.

Enforcement: Enforcement will be handled by the Attorney General’s Office, which may seek injunctive relief as well as penalties.  The Attorney General’s office has not yet issued any guidance about its enforcement of the law or regulations.

Bottom Line:  Almost all businesses will be subject to the new regulations as the most basic personnel information for employees is, by definition, personal information.  However, many businesses subject to these regulations already take some, if not all, of the foregoing measures to protect personal information, as well as other information considered confidential or proprietary to its business, whether dictated by law (in which case, these entities may already be considered compliant) or by industry standard.  However, most will need to re-examine current protections and practices, if not start from square one, to create a WISP that includes the key components mandated by OCABR.  Including a senior IS employee or consultant will be essential for any business keeping personal information electronically.  Furthermore, each business should collaborate with any of its third-party vendors who handle personal information to ensure that those vendors (payroll companies, copying facilities, document storage facilities, etc.) are also compliant.

While OCABR is not unsympathetic to this new financial burden for businesses in a difficult economic time, any burden is outweighed by the interest in protecting personal data.  In light of the imminent deadline for enforcement, businesses are well-advised to begin the process of bringing systems into compliance as soon as possible.

Concurrent with the survey of information which will be necessary to draft a WISP, it is advisable to review and update other related policies, such as document or email retention policies, confidentiality policies, and policies governing employees’ use of company property, including laptops and electronic devices. In situations where personal information might have been compromised, Hanify & King’s lawyers are also available to help employers determine the appropriate course of action, and will guide employers through the required steps of notifying affected individuals and various governmental agencies.

For more information about the new privacy regulations or for assistance drafting a WISP or implementing other compliance measures and employer policies, please contact Karen A. Whitley, Esq.

Karen A. Whitley, Esq. represents employers and management in all types of employment-related legal matters, including litigation, training, investigations, and counseling.  Ms. Whitley is a shareholder of the firm and also a founding member of the firm’s WomenatLaw initiative.

Kathleen E. Cross, Esq. is a shareholder of the firm and a founding member of the firm’s WomenatLaw initiative, concentrating her litigation practice in areas of internal business disputes in closely-held corporations and limited liability companies and partnerships, as well as bankruptcy litigation.  Ms. Cross also advises charter schools in all areas of charter school law.

This alert may be considered advertising under the rules of the Supreme Judicial Court of Massachusetts.  The information in this alert is provided for background purposes and should not be considered legal advice.

ICIC is Calling for Nominations

Do you know any fast-growing firms located in an inner city?  Are you a high growth inner city company?  Initiative for a Competitive Inner City (ICIC) is seeking nominations for its 2009 Inner City Capital Connections Program and 2010 Inner City 100 Program.

For more information and nomination forms, please go to or call Alex Rodrigues at 617.297.3140.

Reframing the Marketing Plan in a Tough Economy

All too often in difficult economic times, as companies evaluate budgets, marketing programs and personnel are eliminated as a cost saving measure. In most cases this short-sighted decision quickly and negatively impacts lead generation, customer relationship management and perceived competitive differentiation. In fact, a period of market silence can make it difficult – if not impossible – to realize the company’s ability to ultimately achieve the market position necessary to achieve long-term goals.

Rather than starting by eliminating the most expensive programs and personnel, I encourage my clients to take a step back and rethink the overall marketing strategy with the goal of creating a marketing plan that is both affordable and effective. Such an approach starts with reviewing your marketing objectives to make sure they’re aligned with near-term business objectives and long-term business strategy. This exercise is especially critical for young companies, where functional groups frequently work quickly and independently from one another. In a fast-paced, siloed environment, it’s easy to develop a disconnect between marketing and business objectives.

So the first step is to eliminate any marketing objectives that do not directly relate to achieving the company’s business objectives. Sometimes this may require a total reframing of the marketing objectives. Once this is complete it becomes a straightforward exercise to eliminate those programs that don’t serve the new marketing objectives, and to replace them with a marketing plan and programs that do.

Consider the following as you construct or revise your marketing plan:

1. Don’t waste resources on unimportant items. If you are a B2B company, don’t spend countless hours and inordinate money on your company name and logo. Keep it simple. If someone can spell it, pronounce it, and it is unique in its industry and doesn’t offend when translated into another language, then it’s good enough.

The best logo for a B2B company will incorporate the company name. I don’t believe in spending extra marketing dollars trying to make prospects remember an independent symbol that is only meaningful to you. Beyond that, the logo also needs to be shrinkable – in other words, it needs to be recognizable even at a small size. If your logo is grandiose and overly complex, there is a chance that your company name will disappear when it is shown in a small format, such as when publishers or event managers squeeze lots of logos onto a page.

The same lessons apply to product nomenclature. Don’t make your customers choose whether they remember your company name or your product name – trust me, they will never remember both. Keep it simple by focusing on the corporate brand and sticking to basic product names when first launching. Once you’ve built the corporate brand, you can leverage its positive attributes across many product lines.

2. Invest in seasoned experts. Make sure someone is in charge of strategy, positioning and messaging. Hire the most senior person you can afford. Don’t try to save money by hiring a junior marcom manager unless someone on the executive team has a background in positioning and developing a marketing strategy – it will cost you more money in the long run. I’ve seen companies make this mistake over and over again. They hire a junior person who doesn’t understand strategy and who focuses instead on what they know best – execution and “look and feel.” The end result is a lot of expensive programs with beautiful graphics that are disconnected from a positioning perspective and don’t produce measurable results.

If you can’t afford an internal marketing person, then leverage outside consultants. In today’s world, there are plenty of independent marketing specialists (design, web development, events, public relations, writing, etc.) who are more than happy to work on both short-term and long-term projects. In fact, many are open to flexible compensation options (i.e., cash vs. equity) and are willing to work with you to build a solid program within the constraints of your budget.

3. Construct a Positioning/Messaging playbook. The most powerful marketing programs are those in which all program elements are aligned from a positioning and messaging perspective and “everyone is singing the same song.” The easiest way to make this happen is to create a Positioning/Messaging playbook that serves as a reference for all organizations, both internal and external, that are engaged in customer and market communications. The playbook should provide an overview of the company, product positioning goals, and key messages related to the company, its products, competition, strategy, market and customers. Once the playbook is created, distribute it as a confidential document to those persons within the organization who communicate externally with customers, investors and influencers. Provide subsets of the document to external marketing support personnel to ensure consistency in messaging across marketing programs. Treat the playbook as a living document and update it regularly.

4. Pay attention to your website. Most companies make a significant investment in the initial development of their website. The good news is that in today’s economic climate the costs of site development have dropped and talented web development organizations are easy to find. The bad news is that many companies view website development as a milestone event when in fact it should be viewed as an ongoing marketing program.

A website is only valuable if the content is fresh, current and visible. If your last site update is dated six or more months in the past, it sends a message that your company is inactive – not the perception any company wants to create.

Investing in site development but not search engine optimization (SEO) is akin to throwing money away. If you aren’t visible in the search engine results pages, prospects won’t find you. As noted on, 62% of searchers click on links on the first page of results and only 23% of all searchers progress beyond the first page of results[1]. SEO should be an integral part of all site and content development. Investing in SEO after the site has been designed is like building a house without a foundation – a costly exercise that can undermine all the work you’ve put into the site.

If you don’t know anything about SEO, I strongly recommend that you attend a Bruce Clay Seminar or read Search Engine Optimization for Dummies authored by Bruce Clay and Susan Esparza. Note: one way to keep long-term site costs down is to invest in a content management system (CMS) when you develop the site. This will enable any non-technical company personnel to quickly and easily update the site without the need for external development support.

5. Communicate on a regular basis with prospects and customers. Maintaining mindshare with prospects and customers doesn’t have to be an expensive proposition. Email newsletters, a company blog and phone calls are simple and cost-effective ways to reach out. Keep it short and sweet and communicate regularly. Invest the time in making sure that the information you communicate is relevant and valuable to the recipients. If your missives are not relevant, they will be quickly labeled junk. On the other hand, by delivering something of value, you’ll enhance your position in the mind of your audience.

6. Keep talking to the analysts. I used to be quite negative about working with the industry analysts. With a few notable exceptions (shout out to Tom Nolle who was fantastic!), meetings weren’t productive and frequently deteriorated into the vendor pushing for an endorsement and the analyst trying to coerce the vendor into becoming a client. A lively conversation about the market landscape and technology trends rarely materialized.

It’s a different world now. Recently while working with a client, I had the opportunity to meet with IDC, Forrester and Aberdeen and was more than pleasantly surprised. In all cases the analysts were knowledgeable about our market space, offered great insight, and engaged in a spirited dialogue. We didn’t have to beg for an endorsement. In this new world of social media, if analysts like what you are doing, they blog about it. Likewise, if they don’t agree with your strategy, they also blog about it or say nothing at all. It’s somehow so much more honest.

Of course, analysts would like you to become a client of their firm, but not at the expense of everything else. They understand the current economic climate and its impact on marketing budgets. They’re banking on the fact that if they provide real value you’ll become a client when the budget is there.

So the big message here is: even if you don’t have the budget now, engage with this community. They can offer a big-picture perspective of your industry that is hard to come by when you’re focused on your own day-to-day strategy. Plus they know your competitors and can frequently provide insight into who would make a good partner.

7. Leverage social media. Twitter, Facebook, YouTube, blogs and other social media outlets have given us efficient, cost-effective and useful tools for communicating directly with our key constituent audiences. Having said that, engaging in social media is an extremely time-intensive task. Just because all these new outlets exist doesn’t mean that you need to use them all. Social media options should be evaluated like any other program to determine which, if any, best serve the business objectives.

Once you commit to a social media program, it’s important to stay engaged to gain long-term positive mindshare. While the thought of producing a steady stream of content may seem daunting, don’t forget you have numerous resources within your company. In fact, one of the nice things about social media is that it gives you an opportunity to leverage the talent across your organization. Engineering, operations, customer service and even sales can all become credible public voices for the company. If you are new to social media and unsure of how it fits into the bigger marketing picture, I recommend reading The New Rules of Marketing and PR by David Meerman Scott.

8. Swap out expensive programs for cheaper alternatives. Just because your budget is constrained doesn’t mean you have to eliminate programs in their entirety. Tough times require creative alternatives. Consider replacing a Public Relations agency with a freelance contractor. If you can’t afford a freelance contractor, then restrict your PR activities to social media oriented news releases that you can disseminate easily and cost effectively through outlets like Instead of large expensive tradeshows consider regional seminars (you can charge for those to help cover costs) or webinars. Instead of printing collateral, invest your money in collateral content development and disseminate electronically.

In today’s economy, you need to squeeze the most out of every marketing dollar. That starts with a solid foundation (i.e., plan) comprising the most effective components for the lowest cost. Regardless of what programs you put in place, you can’t treat marketing as a one-dimensional activity or endeavor. Choose a range of activities and channels that will best help you meet your objectives.

I can’t stress enough the importance of making sure that every program on the marketing plan serves either a short- or long-term business objective. If you can’t articulate how a program does that, it doesn’t belong there. In tough economic times, the old rationalizations of “creates good will,” “is good for the brand” or “helps build awareness” aren’t good enough. Every program that you implement should be measurable against a series of objectives. If the program isn’t successful, it should be quickly eliminated.

By taking the time upfront to map out your plan – and making a commitment to investing needed funds and the best resources – you’ll set the stage for short- and long-term success.

Anita J. Brearton | Managing Director | Golden Seeds, Boston