In an apparent response to recent, widely publicized episodes of corporate
data breaches in which sensitive personal information was disclosed or stolen
from businesses, the Massachusetts Office of Consumer Affairs has adopted
regulations affecting all businesses that collect or retain “personal
information” of Massachusetts residents, even if those businesses are
not located in Massachusetts.
1. What’s covered?
The regulations cover “personal information”, meaning a person’s name in combination with any of the following:
(A) Social Security number;
(B) driver’s license number or state-issued ID number; or
(C) financial account number (including bank accounts, insurance policies, etc.) or credit or debit card number.
These regulations would apply to anyone employing a Massachusetts
resident, as well as to most businesses with Massachusetts customers - including
purely “web-based” businesses in other states that take orders from
Massachusetts residents.
2. What’s required?
Among other requirements, these regulations require that companies:
(A) appoint a person responsible for compliance;
(B) adopt a written compliance plan; and
(C) implement and maintain security measures for holding and transmitting “personal information” in any form, whether the information is stored in electronic or physical (“hard-copy”) records.
The regulations also require encryption of some “personal information” -
specifically, information transmitted over public networks or wirelessly, and
information stored on laptop computers and other portable devices such as PDAs
and cell phones - together with technical controls (secure user authentication
and access control, up-to-date firewall protection, security patches and
anti-malware software) to keep unauthorized users out of systems holding that
information. Merely password-protecting data is not sufficient.
3. Who must comply?
All persons and entities holding “personal information” of any Massachusetts resident, whether or not the persons/entities possessing the information (or the Massachusetts residents to whom the information pertains) are currently located in Massachusetts.
4. When is compliance required?
By Monday, March 1, 2010.
5. What if I don’t comply?
The regulations impose a penalty of up to $5,000 per violation.