Data Privacy

MASSACHUSETTS DATA PRIVACY REGULATIONS

Compliance Date:  March 1, 2010

Overview:  Massachusetts has issued privacy regulations to protect employee and consumer information.  The purpose of the regulations is to get businesses to implement security measures designed to prevent intentional wrong doing and inept record handling.  These regulations require that businesses develop, implement, maintain and monitor a written information security program (sometimes referred to as a WISP).

Is Your Business Subject To The Regulations:  The regulations apply to any company that “owns, licenses or maintains personal information about a resident of Massachusetts.”  This means that even if your business is located in another state, you need to comply with the regulations with respect to your Massachusetts customers and employees.

The regulations apply to oral, paper and electronic records.

Definition of Personal Information:  Personal Information includes:  a first and last name or a first initial and last name combined with:

·         A social security number

·         Driver’s license number

·         Financial Account number (i.e. bank account number)

·         Credit or Debit Card number

Information lawfully obtained from publicly available information or from federal, state or local government records is NOT personal information under the regulations.

What Do You Need To Do:  The Regulations require that by March 1, 2010, businesses must draft and implement a “comprehensive written information security program” to protect personal information. The regulations reflect a risk-based approach intended to balance the realities of running a small business with protecting consumers and employees.  Accordingly, when formulating your WISP, you may take into account (1) the size, scope and type of your business; (2) the amount and type of data stored by your business and (3) the amount of resources available to your business.   The fundamental question you must ask yourself when evaluating your business is:  What is the risk of identity theft posed by the operation of my business?

BUT ALL BUSINESSES BIG AND SMALL must have a written plan in place.

Contents of The WISP:  The WISP is a very detailed document, requiring you to cover a lot of ground.  You can find the specific requirements at http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf.

Because this list is so intimidating the Massachusetts Office of Consumer Affairs has published a Compliance Checklist to help business owners draft their WISPs. You can find this checklist at:

http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf.

What Should You Do Now:  If you your business maintains personal information you need to

·         Determine how personal information is stored in your office

·         Evaluate whether any personal information is transmitted to third parties (i.e., payroll services,  financial services companies)

·         Determine if such third parties are complying with the regulations

·         Develop a WISP

·         Educate your employees about the WISP and the importance of keeping personal information safe

·         Update your employee handbook to reflect the notification to employees regarding the WISP.

You should be aware that the regulations require that you select and retain vendors that hold or use the personal information of your employees and/or customer who are capable of complying with the regulations.  The regulations require that your vendors by CONTRACT implement and maintain appropriate security measures. Contracts with your vendors entered into prior to March 1, 2010 need not contain data security provisions but all contracts in effect as of March 1, 2012 must.  Accordingly, if you are entering into a long term contract with a vendor who will hold personal information, you need to make sure that the contract addresses the compliance issues so that you are not bound to continue to perform if your vendor does not comply with the regulations by the deadline.

Penalties for Non-Compliance:  Failure to comply with the regulations may subject you to fines by the Commonwealth of Massachusetts of up to $5,000 per occurrence (whether this means per item of information or per event is unclear).  You may also be sued for negligence by private citizens.  If you have a data security breach you must make a report to the Office of Consumer Affairs and Business Regulation of the Attorney General.