New Privacy Law may impact you!
[Mar 03, 2010]
A quick summary of the sweeping new privacy law in Massachusetts, which had a compliance deadline of March 1st, 2010. Enacted in September 2008 to protect the personal information of Massachusetts residents, it applies to many companies that conduct business with Massachusetts residents or have employees who reside in Massachusetts.
So now that I have your attention… here are some high-level notes to see if this may impact you:
Requirements
The Massachusetts law covers both “data at rest” and “data in transit” over a public network, such as the Internet, where that data contains personal information. Such data must be encrypted.
Personal information is defined as a Massachusetts resident’s name in combination with one of the following:
- Social Security number
- Driver’s license number or state-issued identification card number
- Financial account number or credit/debit card number
This new legislation affects all organizations who own or license personal information of Massachusetts residents — regardless of the size or location of the business.
This also includes:
- Businesses that track customers by account numbers (such as healthcare institutions and related vendors)
- Retailers that accept credit cards for purchases by Massachusetts customers
- Financial institutions (such as banks, insurers, or brokerages) with customers residing in Massachusetts
- Companies with branch offices located in Massachusetts
Failure to Comply
Are there consequences for non-compliance? Absolutely!
You can assume the new Massachusetts Privacy Law will increase a company’s exposure to lawsuits. The ramifications of not complying become quite real should an information breach occur. Where non-compliance is found in such a case, the Massachusetts Attorney General can file suit against the company.
In addition, civil penalties could be imposed for non-compliance with Massachusetts’ data breach notification statute (Massachusetts General Law 93H). A civil penalty of $5,000 may be awarded for each violation of 93H. Furthermore, under the portion of 93H concerning data disposal, businesses can be subject to a fine of up to $50,000 for each instance of improper disposal.
Always remember, too, that there are other consequences which are not easy to calculate, such as the impact on a company’s brand or reputation.
Get Prepared
There are some reasonableness standards in the requirements that should make compliance easier if your company isn’t already compliant. You will still need, to name a few examples, a written policy, an inventory of your stores of “personal information”, and employee education on the importance of safeguarding personal information.
How can I help?
I would be happy to discuss this further, so please don’t hesitate to reach out. At a bare minimum, I recommend some form of risk assessment to determine whether your company is, or should be, compliant. This may currently be a law only for Massachusetts customers, but legislation is working its way through Congress that would bring a similar national law into effect (if it were to pass).
Resources
The Office of Consumer Affairs and Regulation has published a useful 201 CMR 17.00 Compliance Checklist (.pdf).
You can also review the law itself contained in 201 CMR 17.00 Standards for the Protection of Personal Information (.pdf).