Complying with Massachusetts' Personal Data Security Law

By Joseph T. Bartulis, Jr. on October 27, 2019

In 2010, Massachusetts passed a comprehensive data security law and related regulations with which all businesses that maintain “personal information” of their employees, customers, vendors, etc. must comply.

The law and its attendant regulations impose minimum standards for safeguarding personal information contained in both paper and electronic records. The law and the regulations were meant to greatly diminish the risk of one’s personal information being compromised by creating a significant onus on the possessors of such information to safeguard it. The regulations were promulgated by the Commonwealth’s Office of Consumer Affairs and Business Regulation and are contained in the Code of Massachusetts Regulations at 201 CMR 17.00.

Personal information is defined as a Massachusetts resident’s first name and last name or first initial and last name in combination with the resident’s: (a) Social Security number; or (b) driver’s license number; or (c) a financial account number or credit card number. Businesses that fail to take the necessary steps to safeguard this personal information will, if a breach occurs, be subjected to potential civil penalties of $5,000 for each violation, among other things.

KEY ELEMENTS OF THE REGULATIONS

At its core, there are two main areas that must be addressed to protect one’s organization from significant potential liability: protection of the data generally (via what the regulations refer to as a Written Information Security Program, or “WISP”) and the implementation and use of certain computer system information technology protections and practices. In this article, I will very briefly highlight the key items of the WISP document.

WRITTEN INFORMATION SECURITY PROGRAM (WISP)

Whether an organization has taken appropriate steps in its WISP to protect information shall be evaluated by taking into account: “(i) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (ii) the amount of resources available to such person; (iii) the amount of stored data; and (iv) the need for security and confidentiality of both consumer and employee information.”

Each WISP must address the following points. It should:

1) specifically name one or more designated individuals as the overseer of the organization’s protection of personal information;
2) identify risks & assess current safeguards;
3) contain policies regarding whether and how employees may keep, access, and transport records containing personal information off of business premises;
4) contain statements that employees will be subject to disciplinary measures for violations of the WISP;
5) bar access by former employees the moment they leave your organization’s employ;
6) contain a statement that the organization will take reasonable steps to verify that third-party service providers that the organization allows access to personal information (e.g. credit card processor) have the capacity to protect such personal information;
7) specify that personal information should only be retained for the minimum amount of time needed to complete the transaction for which it was provided;
8) detail the process by which the organization identifies paper, electronic and other records, including laptops and portable devices which contain personal information;
9) establish written procedures to restrict physical access to records;
10) contain language that the “designated employee” will regularly monitor the organization’s personal information practices to confirm whether the organization is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information;
11) contain a statement that, in addition to the regular monitoring (see #10), the organization’s designated employee will also conduct a thorough review of the WISP no less often than annually; and
12) contain a procedure to document breaches that occur and what responsive actions will be/were taken.

Your organization should make sure it has prepared a WISP which addresses each of the above items and should make sure your IT department has taken all of the requisite IT steps required under the regulations (which were not discussed in this short article but can be found in 201 CMR 17.00) as well.
