This case describes a ransomware attack and the response and recovery effort at a small insurance company in Boston in 2019. Using this security breach as its example, the case examines the rising trend in ransomware attacks and the dilemma faced by ransomware attack victims. It explains the importance of an information security framework, such as the Written Information Security Program (WISP) mandated by Massachusetts law. Besides general security management concepts, the case also presents a fair number of technical details on small business computer networks and on digital forensics for responding to and recovering from security breaches.
Keywords: information security, security management, ransomware, case, ransomware attack
It was late October 2019. An unexpected ringtone interrupted his afternoon coffee break. Dave Collins, an IT security consultant for Keystone Insurance, glanced at his cellphone and saw the caller was Kevin Pullman, the CEO of Keystone. He picked up the phone and a hoarse voice blasted out:
"Dave, our system is hacked! You'd better come right away. All customer service stations are having trouble accessing files on the server. There is a banner on the screen of the accountant's computer that says all our files are encrypted."
After a brief pause, Kevin added, "Dang, speaking of the Devil!"
Just a day earlier, after some routine system maintenance work, David spoke with Kevin about whether to beef up the IT security and implement a Written Information Security Program (WISP) to be compliant with Massachusetts data security regulations (201 C.M.R. 17.00). The Massachusetts WISP law was established in 2010 and updated in 2019. Although many companies still had not implemented it (Salem, 2019), Dave felt that it was in the best interest of Keystone to create a WISP sooner rather than later, but Kevin was not sure if a WISP was necessary for small businesses like Keystone. Cybercriminals would go after the big whales rather than the small fish, he figured.
KEYSTONE INSURANCE
Keystone Insurance was a small father-and-son insurance agency in Boston. There were four customer service agents who answered customer questions, updated policies, and handled claims. There was one accounting person, Peggy Johnson, who lived in California. She used LogMeIn at home to connect to her PC in the Boston office to do her work. This allowed...