Data Security Law — Are you in Compliance?

The new Data Security Regulations in Massachusetts became effective as of March 1, 2010 and impose significant requirements on all businesses in the Commonwealth to protect personal information.  “Personal Information” (“PI”) is specifically defined as follows:

A Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following for that person: 

(a) Social Security number;

(b) driver’s license number or state-issued identification card number; or

(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password.

Under the new regulations, businesses must protect PI that is under their control and have a written information security program (referred to as a “WISP”) which both identifies what personal information a business has and how that information will be protected.  The more significant items that a WISP should contain include the following:

  • administrative, technical, and physical safeguards to protect PI;
  • the employee or employees designated to maintain and supervise WISP implementation and performance;
  • identification of the paper, electronic and other records, computing systems, and storage media, including laptops and portable devices, that contain PI;
  • identification of the reasonably foreseeable internal and external risks to paper and electronic records containing PI;
  • a description of the training that employees will receive to implement and monitor compliance with the WISP requirements; and
  • the disciplinary actions that an employee will face for violating the provisions of the WISP. 

The above list is not meant to be exhaustive but rather to highlight some of the more significant information that WISPs are required to contain. 

The new Data Security regulations also require companies to implement computer security measures, including adequate firewalls and encryption technology, to protect PI.  In addition, a business needs to have procedures governing who has access to the PI maintained on a computer system and how access to that PI will be protected when employees leave the business. 

The penalties for failing to comply with the Data Security regulations are up to $5000 per violation.  Although it is still unclear what is considered a “violation,” it is clear that the potential penalties to a business can be significant.  All businesses should carefully analyze what PI they maintain and have a WISP in place to protect this PI.
