MFA - Moody, Famiglietti & Andronico, LLP

Archive for the ‘Technology’ Category

March deadline for Massachusetts Privacy law

January 5th, 2010 by Matt Pettine

One of the most significant tasks introduced in 2009 came from new guidelines under the Massachusetts Privacy Law, which require a slew of changes to administrative and security processes. Compliance calls for a significant overhaul for many companies, and the deadline is just around the corner: March 1, 2010. The marketplace has demonstrated an urgent need for a new standard of information protection, so we do not expect a great deal of leniency for those that fall behind. Companies need to take the new law seriously, gear up, and put appropriate defenses in place around the personal information of their employees and customers.

This is without question a daunting call to action; however, the need for the law remains unquestioned. In fact, a report published by the Office of Consumer Affairs and Business Regulation [PDF] notes that since 2007, over 1 million Massachusetts residents have been impacted by security breaches. The report states that 495 incidents were criminal in nature, while 312 “generally demonstrated poor employee handling of residents’ personal information, including transporting sensitive data, either in disregard of company policies, or in an environment without sufficient policies in place to secure such information.”

A few additional findings from the report include:

- The OCABR received 807 notifications of security breaches

- Most breaches (76 percent) were electronic in nature

- It may have been expected that financial services breaches impacted the highest number of individuals (707,305), but it is perhaps a bit surprising to find that the second greatest impact was felt from incidents involving the education sector (130,161)

The law takes aim at improving defenses against the criminal element while shoring up processes to reduce the risk of negligent handling of data. And most importantly, it applies to — by the letter of the law — all persons that “own or license” personal information from a resident of the Commonwealth, specifically any individual or company that “Receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of goods or services directly to a person that is subject to this regulation.”

That means pretty much everyone.

The most important step to compliance might be the WISP, a Written Information Security Program that ensures the security and confidentiality of personal information in both physical and electronic formats. The actual scope and complexity of a WISP will vary depending on an organization’s size and scope of business, availability of resources, nature and quantity of data stored, and the need for security and confidentiality of both consumer and employee information.

There is of course much more to understand before diving in. We encourage you to take a look at this 2009 Perspectives article for more detail, including specific action items and consequences for failing to comply.

Revenue Recognition’s real life impact

October 14th, 2009 by Michelle Kupka

We recently issued an alert about FASB’s new rules regarding “Revenue Arrangements with Multiple Deliverables” and “Applicability of AICPA Statement of Position 97-2 to Certain Arrangements That Contain Software Elements.” FASB ratified the standards in late September, and they will cause some shifts in accounting for technology companies.

Before the change, companies that made smartphones, telecommunications equipment, semiconductor equipment and other related products were required to bundle the hardware in their products with vital software components, and then use software rules to recognize the revenue. From a business perspective, this raises the potential for a reduction in reported revenue. Companies like Apple, for example, suffered when sales and profits from their iPhone appeared lower (17% and 58% lower respectively) under the traditional system. CFO Magazine covered this nicely in their September piece, “New Revenue-Recognition Rules: The Apple of Apple’s Eye.”

The new rules allow companies to recognize more of the revenue from a hybrid-type product than before. Unbundling software from hardware allows the hardware sales to be recognized sooner, as software’s revenue is added up more slowly, over the life of the contract or according to the software’s expected life cycle. This is designed to give a more accurate picture of revenue, which can have a tremendous impact on corporate earnings and shareholder value.

The new rules also put the U.S. on par with the rest of the world, which has already adopted the practices. Companies will be required to comply by June 15, 2010, but are allowed to adopt the practice as early as this quarter.

Sounds good, right? The change could create a bump in sales and profits in the short term for the companies affected. However, as described in our September 8th post, the benefits come with a cost: “The new guidance will require enhanced financial statement disclosure – the new EITF proposal includes a four page example of such a disclosure (no, I am not kidding). These additional disclosure requirements will entail both qualitative and quantitative information surrounding the significant judgments involved with multiple deliverable revenue recognition.”

Thus, while the new rules will likely have a positive impact on financial statements, there may be significant legwork involved in order to get there.

With deadline for Massachusetts Privacy Law looming, security lapses continue

August 11th, 2009 by Matt Pettine

We’ve gone into detail in the past about the new Massachusetts Privacy Act that will take effect next year, and this Boston Business Journal story on data security breaches at Citigroup and Bank of America struck us as the deadline for compliance comes into sight. It appears that credit card information was compromised, which of course leads to a host of problems for consumers and the banks alike.

The new Privacy Act will go a long way to ease these burdens, as for the first time laws will be enacted to prevent these breaches, as opposed to outlining steps to take after incidents occur. On the consumer side, this is excellent protection to have, but of course on the business side it requires heavy lifting to comply with the stringent guidelines.

If you’re interested, you may want to check out this MFA webinar on the privacy law or this related Perspectives article.