One of the most significant tasks introduced in 2009 was presented by new guidelines under the Massachusetts Privacy Law, which requires a slew of changes to administrative and security processes.  Compliance calls for a significant overhaul for many companies, and the deadline is just around the corner: March 1, 2010.  The marketplace has demonstrated an urgent need for a new standard of  information protection, so we do not expect a great deal of leniency for those that fall behind.  Companies need to take the new law seriously, gear up, and put appropriate defenses in place around the personal information of their employees and customers.

This is without question a daunting call to action, however the need for the law remains unquestioned.  In fact, a report published by the Office of Consumer Affairs and Business Regulation [PDF] notes that since 2007, over 1 million Massachusetts residents have been impacted by security breaches.  The report states that 495 incidents were criminal in nature, while 312 “generally demonstrated poor employee handling of residents’ personal information, including transporting sensitive data, either in disregard of company policies, or in an environment without sufficient policies in place to secure such information.”

A few additional findings from the report include:

- The OCABR received 807 notifications of security breaches

- Most breaches (76 percent) were electronic in nature

- It may have been expected that financial services breaches impacted the highest number of individuals (707,305), but it is perhaps a bit surprising to find that the second greatest impact was felt from incidents involving the education sector (130,161)

The law takes aim at improving defenses against the criminal element while shoring up process to reduce risk of negligent handling of data.  And most importantly, it applies to — by the letter of the law — all persons that “own or license” personal information from a resident of the Commonwealth, specifically any individual or company that “Receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of goods or services directly to a person that is subject to this regulation.”

That means pretty much everyone.

The most important step to compliance might be the WISP - a Written Information Security Program (WISP) that ensures the security and confidentiality of personal information in both physical and electronic format. The actual scope and complexity of a WISP will vary depending on an organization’s size and scope of business, availability of resources, nature and quantity of data stored, and the need for security and confidentiality of both consumer and employee information.

There is of course much more to understand before diving in. We encourage you to take a look at this 2009 Perspectives article for more detail, including specific action items and consequences for failing to comply.

I shared - and gained - valuable insight participating in a panel entitled “What keeps you up at night?  Solving strategic financing challenges for today’s lean manufacturers“ for the Greater Boston Manufacturing Partnership last week.  Our panel discussion was focused on partnerships, mergers and acquisitions, and joint ventures, and it was interesting to see the parallels between evolving strategies for growth and the manufacturing drive for continuous improvement.

From a manufacturing perspective, specific management and execution models like Lean and Six Sigma become critical to not just propping up a company, but providing a process that yields ongoing benefits and maximizes shareholder exit value. Proactive work on the accounting and financial controls side, meanwhile, calls for a similar commitment to process and can similarly add value to an organization’s exit price.

A couple of key themes that arose during the panel included the significance of having transparent and current financials, and the necessary attention required for to problem-solving that truly gets to the root of the issue (in particular, the need to ask “why?” five times).

I appreciate the opportunity from the GBMP and look forward to contributing more in the future!

Earlier this month we wrote about how the new revenue recognition rules are having an impact in the technology sector, but it doesn’t end there. In fact, my colleague Michelle Kupka and I will be leading a webcast regarding the current changes in revenue recognition this coming Tuesday, November 3.  And if there are readers out there who have struggled with rev rec, we’d love to hear your take on whether the new rules will be an improvement - or just another hurdle.

Among the industries that will be affected, life sciences and biotech stand out due to their long R&D cycles, their capital requirements and the infrastructure required to manage and market products from concept to distribution.  This hits home for us in Massachusetts, where the steady growth of the life science and biotech industries depend not just on science and commercialization, but on compliance and a strong balance sheet as well.

A great number of life science and biotech projects are embarked upon as joint development arrangements with pharmaceutical companies or distributors, and as a result, revenue is often generated under complex scenarios.  These arrangements often include payments linked to milestones, upfront payments, joint funding payments, joint product launch funding, licensing of future products developed and other issues. It is these complicated relationships that result in misstated revenue, in turn leading to an above-average rate of financial accounting restatements.

FASB’s new revenue recognition rules take these circumstances under consideration, and in particular they address:

1. whether the arrangement represents a single unit of accounting or multiple units;

2. if the arrangement represents a single unit of accounting, how the revenue should be recognized when such arrangements spans over multiple financial reporting periods; or

3. if there are multiple units, how revenue should be attributed.

Under the new revenue recognition guidance, the elimination of the requirement to establish fair value of undelivered products or services using objective and reliable evidence (replaced by the concept of “Estimated Selling Price”), as well as the elimination of the use of the residual method for allocating arrangement consideration will make things a bit easier and serve to facilitate consistency in revenue recognition accounting for these types of collaborative development arrangements.

While we will begin to see some clarity, vagueness will still persist in certain areas.  On the bright side, due to the life science and biotech industries’ unique approach to collaborative development arrangements and long-term view of success, companies should find some comfort in these new rules.