As previously highlighted in Bingham’s Privacy and Security alerts dated October 31, 2008, November 18, 2008, February 18, 2009, August 19, 2009 and November 5, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation has issued regulations (“Regulations”), codified at 201 CMR 17.00, requiring that persons who “own or license personal information about a resident of the Commonwealth” comply with strict requirements to safeguard such personal information. These new regulations go into effect on Monday, March 1, 2010.
Is YOUR Business Covered by the Regulations?
As we have previously reported, the Regulations require ANY business that “receives, stores, maintains, processes, or otherwise has access to ‘personal information’” (i.e., first name or initial and last name, in conjunction with (1) social security number, (2) driver’s license or state-issued identification number, or (3) financial account or credit/debit card number) about a resident of Massachusetts to:
- Establish a comprehensive information security program with “up-to-date” firewall protection and identify and assess reasonably foreseeable internal and external risks to all systems that hold personal information of Massachusetts residents;
- Ensure that the safeguards of any information security program be “consistent with” similar safeguards imposed by any applicable state or federal law;
- Encrypt all wirelessly transmitted data and documents containing personal information sent over the Internet or saved on laptops or flash drives; and
- Take “reasonable steps” to select and retain third-party vendors that have the capacity to maintain appropriate security measures for personal information and contractually require such vendors to maintain such safeguards.
If you have any questions or concerns as to whether your business complies with these Regulations, please contact one of the lawyers listed below to receive a copy of Bingham’s “Practical Guide to Complying With the New Massachusetts Data Security Regulations.”
To review the full text of the Regulations, click here.
Bingham’s Privacy and Security Group helps companies in a broad range of industries comply with a complex array of data protection and privacy laws, regulations and standards. We have successfully handled numerous major data breach matters in a variety of jurisdictions. For more information on this alert, please contact the following lawyers:
James Snell, Co-chair, Privacy and Security