Complying with the New Data Security Law
By Marijo McCarthy
As you know, I rarely devote a monthly newsletter to outlining changes in laws (other than to comment on their practical application through my clients' real experiences).
Why not? First of all, it's boring. Secondly... it's boring! Well, boring or not, a new law has been bestowed upon the business community by the Great and General Court of the Commonwealth of Massachusetts that is so important, I feel compelled to share the details.
As the year goes on, you will no doubt hear more about this requirement, so please consider this an introduction and a gentle nudge in the direction of beginning the process. Without further ado, I share with you an outline of the strictest law in the United States on protecting personal information of residents.
New Rules on Data Protection in Massachusetts
201 CMR 17.00: "Standards for the Protection of Personal Information of Residents of the Commonwealth" (issued under MGL C. 93H, Section 3... signed 8/07)
What Is it?
The regulations have been issued by the Commonwealth of Massachusetts Office of Consumer Affairs and Business Regulation in order to implement a law signed by Governor Deval Patrick in August of 2007 whose goal is to require employers to safeguard personal information of employees and customers.
When is it Effective?
The effective date has twice been moved back, from January 1, 2009 to May 1, 2009, and again to January 1, 2010, both times to give companies additional time to prepare.
What Does It Require and Who Must Comply?
The law requires that every person (defined as an individual, a corporation, an association, a partnership or other legal entity) maintaining documents or electronic data that contain Personal Information develop a comprehensive written Security Program to protect that Personal Information.
What Constitutes Personal Information?
Personal Information is a Massachusetts resident's name (first and last name or first initial and last name) combined with one or more of the following:
- a social security number; or
- a driver's license or state-issued ID card number; or
- a financial account number, or credit or debit card number.
What should be included in the Security Program?
Small business owners may visit www.mass.gov/consumer for a sample guide to assist with the process of developing their company's comprehensive written Security Program, and for a Compliance Checklist to confirm that the Security Program is compliant with the new regulations. You don't have to have the most perfectly written program -- just be sure you have one.
What do I do after I create our Security Program?
- If possible, avoid keeping Personal Information, unless you are required to do so by law (smaller business owners have more flexibility in deciding what to keep and how and where to keep it);
- If you must maintain Personal Information (for instance, employee records generally contain social security numbers, which makes employee personnel files subject to the Security Program), be sure to isolate and protect those files; and
- Be sure your consultants, vendors and any other third parties who might have Personal Information as a result of their business transactions with you are in compliance (for instance, think about health insurance providers and payroll companies).
There are no small company exemptions from this new law, so small and large businesses alike are under the gun to begin outlining their plans. As always, I have identified resources to assist my clients with a new challenge and they include employment lawyers and technology consultants whose skills can help guide you through.
And, as always, I urge you not to wait until December to begin... the smart business owners have already carved out reasonable time and resources for this work. Remember, with the Attorney General's Office enforcement team breathing down your neck, voluntary compliance is always easier than involuntary!
About the Author: Marijo McCarthy is principal of Widett and McCarthy, a Boston-area law firm that helps small business owners grow their businesses with pragmatic legal advice, mentoring and a solid team of professional advisors.