The Far Reaching Arm of the Massachusetts Data Protection & Privacy Law
The Massachusetts Data Protection & Privacy law (201 CMR 17.00) went into effect on March 1, 2010. It applies to any individual or company who receives, stores, maintains, processes or has access to “personal information” acquired in connection with employment or with the provision of goods or services to a Massachusetts resident. Notably, the law is not restricted to companies located in Massachusetts: if any company possesses the personal information of a Massachusetts resident, the law applies. Applicability of the law is especially critical since violations can carry fines of up to $5,000 per record compromised.
The law mandates that companies develop, implement, maintain and monitor a written information security program (WISP) outlining electronic and physical safeguards that protect the confidentiality of all personal information in their possession. Personal information is described as including, “a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements relating to that resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number.”
A WISP must cover a number of elements, including designating employees responsible for the program, creating an inventory of personal information, assessing the risk of improper disclosure, developing policies, implementing disciplinary measures for failure to comply, and annually monitoring and upgrading safeguards. Companies must also educate and train employees on “the proper use of the computer security system and the importance of personal information security.”
While the law applies to both paper and electronic records, it does not apply to publicly available information. Regardless of whether the personal information is in paper or electronic form, access must be restricted and the data must be safeguarded. For instance, physical records and data must be kept in “locked facilities, storage areas or containers”. Similarly, computer systems are subject to security measures including unique user IDs and passwords, encryption of portable devices (e.g. laptops) that contain personal information, firewall protection for all operating systems, and the use of patches and up-to-date virus definitions.
Lastly, in cases where a third-party service provider has been retained, the provider must adhere to the company’s WISP and any applicable federal regulations.