Data Privacy Laws and Visitor Management Systems
Veristream systems adapt to changing data privacy laws
Did you know that legislation now requires you to properly secure the personal information collected during visitor check-in?
The benchmark for data privacy laws in the United States comes from the state of Massachusetts, according to Practical Law, a Thomson Reuters Legal Solution. While the vast majority of states have enacted legislation requiring companies to notify consumers of data breaches, the Massachusetts law is much more far-reaching.
In light of multiple breaches of personal information, the law now requires any entity that collects personal information on a Massachusetts resident to secure the data. This applies to entities of all sizes, including commercial properties that collect visitor information. The important part to understand is that even if your business or building isn’t in the state of Massachusetts, your visitor management system must comply with the law. The law is designed to protect the personal information of every resident of Massachusetts, regardless of where they travel.
The typical practice of signing in visitors to a property includes a sign-in and/or a scan of the visitor’s ID card. Most scanners will take a picture of the ID and store that image on the local computer or network. IDs often contain information such as home address, date of birth, and the photo. If not encrypted, this data might be accessible to unintended parties.
According to MacDonnell Ulsch, CEO of ZeroPoint Risk Research, LLC, “The majority of breaches occur as the result of third parties.” In the case of building security, a variety of third parties may obtain access to personal information. This may include security personnel, vendors, and sanitation crews. Through the last several years, many of the large data breaches have involved these individuals. In fact, the data breach that affected Target last year was the result of information compromised by an HVAC contractor. (1)
Veristream understands the importance of data privacy and our system evolves to ensure it safely maintains personal information as directed by legislation. The Massachusetts law (201 CMR 17.00) requires the following when collecting and securing personal information regardless of where your organization is physically located.
If you handle or store any personal information from any Massachusetts resident, your organization is legally obligated to protect the information. Noncompliance may result in fines of up to $5,000 per violation, in addition to injunctive relief, attorney’s fees, and reasonable costs of litigation. Massachusetts isn’t alone in data privacy legislation. In fact, the vast majority of states have now implemented similar legislation requiring entities to properly safeguard personal data. Veristream software meets or exceeds all of the requirements of protecting personal data as dictated by state and federal laws.
To understand how far-reaching these laws are, here are just some of the protocols that must be taken to protect personal data:
- An individual must be appointed to maintain a program to protect personal information within the organization
- Organizations must develop a written plan designed to protect personal information. This plan must be routinely audited
- Reasonable steps must be taken to verify that employees and third-party vendors with access to personal information do not pose a risk
- The type of personal data collected is limited
- Whole-disk encryption is required on any laptop that stores personal information; this requirement extends to any mobile device
- Systems must be monitored for unauthorized use or access to personal information
- Businesses must notify law enforcement, attorneys general, and individuals in the event of a breach or unauthorized access of personal information
- Entities must safeguard and prevent misuse of personal information by third parties; this includes contracted security teams, cleaning crews, employees and visitors
Visitor data must be properly secured. These laws may be just the beginning of new legislation. Customers can rest assured that the personal information of all visitors is gathered and safeguarded to the highest standards, meeting the requirements of all state laws.