Massachusetts Data Security Regulations Take Effect March 1, 2010


March 1, 2010 | Posted by Amelia Gerlicher

The Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 CMR 17.00, go into effect today, March 1, 2010. The regulations impose strict data security requirements on every business that owns or licenses “personal information” about a resident of Massachusetts, regardless of where the business is located or does business.

Personal information, for purposes of these regulations, means a Massachusetts resident’s 1) first name or first initial; 2) last name; and 3) one or more of the following: a) Social Security number; b) driver’s license or state identification card number; or c) financial account number or credit/debit card number. Because payroll records and payment records routinely contain these combinations, the regulations apply, at a minimum, to virtually all employers with Massachusetts employees and to businesses that process payments from Massachusetts customers.

The heart of the regulations is the requirement that every covered business maintain a comprehensive written information security program. The program must identify and assess the risks to the personal information the business holds and specify the administrative, technical, and physical safeguards the business uses to protect that information. The regulations require a number of fairly specific elements in the program, including employee training, oversight of third-party service providers, restrictions on physical access to records, and computer system security requirements.

Although the requirements are detailed, the scope of your business’s program may be limited by two factors: 1) compliance is evaluated in light of the size, scope, and type of the business, its resources, the amount of stored data, and the need for security and confidentiality, so a smaller business holding less personal information may develop a less comprehensive program; and 2) the specified computer security elements are required only where “technically feasible,” which the regulations define to mean that if there is a reasonable means through technology to accomplish the required result, that reasonable means must be used.

For further information, including the text of the regulations and compliance guidance, see the website of the Massachusetts Office of Consumer Affairs and Business Regulation.

Remember also that several of the Massachusetts requirements call for preparation similar to that needed for the Federal Trade Commission’s Red Flags Rule, which goes into effect for many businesses on June 1, 2010.


If you would like assistance in reviewing your organization's privacy or data security practices, or developing new policies or training programs, please contact Susan Lyon at slyon@perkinscoie.com or (206) 359-8002.
