873 Concord Street, Framingham, MA 01701 | 508.872.0000 | www.meltzerlaw.com
Comprehensive New Massachusetts Privacy Regulations Affect All Businesses with Personal Information of Massachusetts Residents
Stephen E. Meltzer, Esquire, CIPP
[This article was originally drafted and published on March 11, 2009; Updated with amended provisions October 15, 2009]
On Halloween in 2007, the Massachusetts legislature enacted Chapters 93H and 93I of the Massachusetts General Laws to help prevent breaches of security and to protect residents whose information is in the custody of others. In September of 2008, pursuant to Chapter 93H, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) promulgated regulations that define the minimum security standards for safeguarding the personal information of Massachusetts residents. The “Standards for the Protection of Personal Information of Residents of the Commonwealth” can be found at 201 C.M.R. 17.00, and the new regulations, as amended through August 17, 2009, have a compliance deadline of March 1, 2010. The stated objectives of the regulation are to “insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.”

A majority of states and the federal government have now adopted laws and regulations to protect consumers’ personal information. The new Massachusetts regulations are among the most comprehensive and stringent. The new regulations impose notice requirements for security breaches and carry the potential for significant penalties for noncompliance.
Who is Regulated
Any natural person, corporation, association, partnership or other individual or legal entity that owns or licenses “personal information” about a resident of Massachusetts is subject to the regulations. This would include any person or business that employs Massachusetts residents if its employee records include certain personal information. A business need not have any operations in Massachusetts to be subject to the regulations; their application is not limited to any particular industry, and no industry is exempt from the requirements for compliance.

For purposes of the new regulations and Chapter 93H, “personal information” is defined as a Massachusetts resident’s first name and last name, or first initial and last name, combined with one or more of: “(a) Social Security number, (b) driver’s license or state-issued identification number, or (c) financial account or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.” Lawfully obtained, publicly available information is not considered “personal information.”
Information Security and Protection
Any business that owns or licenses personal information must “develop, implement, and maintain a comprehensive information security program” that is written in one or more readily accessible parts (a “WISP”) to secure and protect records containing personal information. The program must be “consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.” The program must “contain administrative, technical, and physical safeguards that are appropriate to” (a) the size, scope, and type of the business, (b) the resources available to the business, (c) the amount of stored information, and (d) the need for security and confidentiality of both consumer and employee information. Every program, however, must incorporate at least the following components:

(a) Designate an employee to maintain the WISP.
(b) Identify and assess reasonably foreseeable risks (internal and external).
(c) Develop security policies for keeping, accessing and transporting records.
(d) Impose disciplinary measures for violations of the program.
(e) Prevent access by terminated employees.
(f) Oversee service providers and contractually ensure compliance.
(g) Restrict physical access to records.