After three different drafts were circulated by the Commonwealth, the Massachusetts Data Protection Regulations have finally taken effect. As of March 1, 2010, any person or business with personal information about a Massachusetts resident must comply with a new regulatory scheme intended to protect that information from improper use or disclosure.

The Office of Consumer Affairs and Business Regulations originally promulgated the regulations in Fall 2008, mandating that those holding personal information about Massachusetts residents devise and implement specific, detailed policies to protect the security and integrity of that information. Virtually all Massachusetts businesses are covered, and the regulations also apply to entities outside the Commonwealth that hold Massachusetts residents’ Social Security numbers, credit card numbers, driver’s license numbers or financial account numbers.

The regulations have been controversial, particularly among members of the Massachusetts business community, who widely complained that they were inflexible, overly broad and expensive to implement.

The final version of the regulations was aimed at addressing some of those concerns, while still adhering to the fundamental goal of requiring business practices that minimize the risk of future data breaches.
© 2009 Gesmer Updegrove LLP. All rights reserved.
www.Gesmer.com
40 Broad Street, Boston, MA 02109
617.350.6800
This may be considered advertising under Mass. R. Prof. C. Rule 7.3(c)
March 2010
Massachusetts Data Protection Regulations Take Effect
The regulations apply to both paper and electronic records, and can cover such commonplace items as benefits records, payroll files, invoices evidencing customer payments, and databases that use Social Security numbers as unique identifiers. Virtually any business with a Massachusetts employee falls under the regulations’ scope.

The regulatory requirements are extensive and detailed, and demand the adoption and maintenance of a written information security plan and designation of an individual to be responsible for it. The information security plan must:

1. identify reasonably foreseeable risks to records containing personal information;
2. address policies regarding the storage and transportation of records outside of business premises;
Client Advisory
