New Massachusetts regulations on businesses that collect personal information on Massachusetts residents
Posted October 29th, 2008 by ColinC
Massachusetts has adopted new regulations governing businesses that collect personal information on Massachusetts residents. These regulations take effect January 1, 2009 and impose rules on the collecting, securing and safeguarding of such personal information.
Coleman & Gagnon has prepared a Business Client Advisory which includes Common Questions/Practical Answers regarding the changes. This Business Client Advisory is available at our website at the following link:
http://www.colemangagnon.com/uploadedFiles/PersonalInfoMemo%20CAC%20fina...
Please email me if you have any questions and/or comments. Thank you.
Chapter 93H and the regs mentioned by Colin apply to every employer and every company that keeps copies of clients' checks, for starters. The Office of Consumer Affairs and Business Regulations has a web page devoted to this law:
http://www.mass.gov/?pageID=ocatopic&L=3&L0=Home&L1=Business&L2=Identity....
The web page includes a link to a model information security plan. This plan is probably a good starting point.
In line with the Lexpertise collaboration initiative, this might be a good starting project for some substantive collaboration. I have published a copy of the OCABR model plan on google docs at:
http://docs.google.com/Doc?id=dc2kgd5d_5cn95g9c6.
If you want to participate in this collaboration, let me know.
Please let me know what has happened to your suggestion about collaborating on a model plan. I'd be interested in participating, especially with respect to very small businesses.
I just blogged about this, and am wondering whether the FTC red flag rule (which was supposed to take effect 11/1 but is now delayed) pre-empts the MA rule in any way. Haven't really thought it through. My blog post, at http://bit.ly/2aiw9C, includes links to the FTC Red Flag rule info.
I'd like to hear more on this topic. The tug of war between the states and federal law will be ongoing. Congress will need to pass some national legislation or it will be chaos for multi-state companies to conform to each state law.
New Massachusetts regulations are a clarion call for corporate human resources departments to join the war on identity theft. The regulations mandate the development and implementation of a "written, comprehensive information security program" to safeguard the personal information of Massachusetts employees and consumers. Such a program rarely will be fully effective without the involvement of human resources professionals and in-house employment counsel.
Roger
The date for implementation has been moved to May 1, 2009. Here is a link to the OCABR site:
http://www.mass.gov/?pageID=ocapressrelease&L=3&L0=Home&L1=Business&L2=I...
Does anyone know if Mozy complies with the new regs? Does anyone have any experience with Mozy?
Although the new regulations impose a broad range of requirements, the most pressing compliance issue for many organizations will be the new obligation to encrypt all personal information of Massachusetts residents that is stored on any portable device, which includes laptops, flash drives, Blackberries or cell phones (to the extent feasible), or that is transmitted over the Internet or by wireless connections.

Although laptop encryption is becoming more common, frequent reports of losses of laptops containing unencrypted personal data demonstrate that many organizations have not completed the transition to encrypted storage on their portable devices. Similarly, some of the best publicized losses of personal data, including those that resulted in massive identity theft, have occurred because of exploitation of insecure wireless connections.

Even organizations that have no facilities or personnel in Massachusetts should anticipate that they will be subject to the regulations if they maintain personal information of any Massachusetts residents. Personal information is defined as: first name and last name or first initial and last name in combination with Social Security number; driver's license number or state-issued identification card number; and financial account or credit or debit card number with or without any required security code, access code, personal identification number or password that would permit access to an individual's financial account.