Massachusetts’ Data Protection Law, Ransomware, and You

Many businesses don’t think about ransomware until they suddenly can’t access any of their data without paying off a cybercriminal. However, Massachusetts has one of the most robust data protection laws in the nation. This means that even if you manage to regain your data, your business may still be in jeopardy if you don’t follow Massachusetts’ data protection laws. Here’s how you can protect your business.

Ransomware is on the Rise in Massachusetts

If the recent ransomware attack against Brookside ENT hasn't brought ransomware top-of-mind, you haven't been paying attention. 

Ransomware attacks are on the rise, not only in Southern New England but throughout the nation. Large organizations aren’t the only ones being targeted. Nonprofits, municipal organizations, healthcare providers, and businesses of all types and sizes are getting hit.

While staff training, spam protection, and content filtering are essential steps to protect your data, your backup is a critical fallback if a bad actor manages to access your network. It's fair to say that your backup is the primary weapon you have against a cyberattack, as it is the only method you can use to recover your data for most ransomware attacks.

However, if you did manage to resist a ransomware attack by recovering your data from a backup, your business is not in the clear. Recovering your data doesn't erase the fact that your business has suffered a data breach. A breach that has potentially placed your customers' sensitive information at risk requires your company to follow Massachusetts’ Data Protection law.

In other words, recovering your data isn't the end of your concerns; it's the beginning.

Understanding the Data Protections Law for Massachusetts  Businesses

Known as 201 CMR 17.00, or the Standards for the Protection of Personal Information of Residents of the Commonwealth, this measure was signed into law in early 2010. The Data Protection Law outlines a series of security standards Massachusetts businesses have to meet:  

• Any personal data your business collects must be encrypted.
• There must be policies dictating how both physical and digital records are kept and stored.
• Network security controls must be put in place.
• An organization must abide by risk management policies.
• Employees need to be trained in proper data security practices.
• Any data breaches and policy changes need to be documented.
• All third-party providers with access to data must maintain the same requirements.

The main requirement of 201 CMR 17.00 is to notify your customers if their data has been compromised. This means even if you managed to recover your data, you may be obligated to report the breach. It is this area where many businesses fail, either out of ignorance or a desire to avoid bad PR. Unfortunately, most bad actors aren't reliable, and no company should trust their actions. In other words, don't pay the ransom in hopes of achieving a positive result. 

If your business suffers from a ransomware attack, it doesn’t necessarily mean that data was stolen, but it’s certainly critical to talk to a cybersecurity professional who understands the Data Protection Law.

Many businesses erroneously believe that no one will learn of the data breach if they pay the ransom. This is a mistake on two levels. First, it assumes the cybercriminal didn't copy the data they stole and already put it on the dark web. If they did so, it's only a matter of time before news of the breach gets out.

Secondly, the cybercriminal may not release the data back to you even if you pay them. It is not uncommon for businesses to pay the ransomware only to find they're still unable to access their data. 

So, not only does the business lose control of their data, by trying to conceal the event they have lost their customers’ confidence in their ability to protect them. By delaying the notification, your business could see further penalties. However, there are steps your business can take to protect your data, and Datalyst can help.

How Managed IT Supports Businesses Subject to Massachusetts’ Data Protections Law 

Many businesses struggle with cybersecurity because they view data security as an individual problem requiring a standalone solution, not part of an entire business technology strategy. The benefit of partnering with us is that we can develop a cybersecurity plan that covers all areas of weakness. 

Datalyst can assist you in the creation or review of your required Written Information Security Policy (WISP) as well as performing a network and security assessment to determine your current risks.

Effective cybersecurity requires more than a firewall or antivirus.

For example, a staple of our services, Desktop Monitoring and Management, can benefit your cybersecurity. This service allows us to eliminate out-of-date or suspect software from your system through the automatic deployment of patches and security updates. Such software creates openings that cybercriminals can exploit, gaining access to your data, making the management of your applications a significant asset in the protection of your data. 

This is just one of several services and solutions Datalyst offers.

With Datalyst as your technology partner, your business won’t run afoul of Massachusetts’ Data Protection laws because its data will be secure. Call (774) 213-9701 today to learn how managed IT can not only protect your business from cyberattacks but can also increase your productivity, which in turn can improve your bottom line.