Client Alert
Action Required – Massachusetts Comprehensive Data Protection Law Soon To Be Enforced
January 7, 2010
Massachusetts has adopted broad and game-changing data protection requirements applicable to any company that sells goods or services to consumers in Massachusetts or employs residents of the state. Specifically, if a company has personal information about Massachusetts residents (whether employees or customers), it must comply with this law. Companies subject to this law must adopt a comprehensive data security policy by March 1, 2010. For purposes of the Massachusetts law, personal information means a resident’s name in combination with a social security number, driver’s license number (or state-issued identification card number), financial account number, or credit or debit card number.
All businesses with contacts in Massachusetts should examine their risks and obligations under this law.
At a minimum, a company must adopt a comprehensive security policy that it memorializes in writing with the following components:
- Designation of an employee to maintain the security program;
- Identification and assessment of security risks to the confidentiality and/or integrity of company records (whether in paper or electronic format);
- Development of security policies for employees relating to storage, access and transportation of records;
- Disciplinary measures for violations of privacy policy;
- Means for preventing terminated employees from accessing information;
- Plan for overseeing/selecting service providers;
- Restrictions on the physical access to information;
- Regular monitoring of the program;
- Review of the security measures; and
- Means for documenting actions taken in response to a security breach.
Companies must implement a plan to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal information. In addition, with regard to contracts executed beginning on March 1, 2010, companies must contractually obligate third-party service providers to protect personal information.
The company also must adopt specific computer system security requirements that include, when technically feasible:
- Encryption of all protected information that will travel across public networks;
- Encryption of all protected information to be transmitted wirelessly;
- Encryption of all protected information stored on laptop or other personal devices;
- Secure user authentication protocols, access control measures and system monitoring;
- Minimum firewall, antivirus and OS security patch requirements;
- Employee education and training;
- Reasonable restrictions upon physical access to records, locked facilities, etc.;
- Regular monitoring to ensure policy is operating in a reasonable manner; and
- Reviewing the scope of the security measures at least annually or when there is a material change in practice.
The particular plan that the company adopts should be based on the company’s size, scope, and type of business; resources available; amount of stored data (whether in paper or electronic format); and the need for the security and confidentiality of both employee and consumer information.
Massachusetts has previously extended the effective date of these regulations to provide companies with additional time to come into compliance. Companies must be in compliance by March 1, 2010.
If you have any questions regarding the content of this Client Alert, please contact Ted Claypoole on 704-331-4910, Jennifer Kashatus on 202-857-4506, or any member of the firm’s Privacy and Data Protection Group.
Womble Carlyle client alerts are intended to provide general information about significant legal developments and should not be construed as legal advice on any specific facts and circumstances, nor should they be construed as advertisements for legal services.
IRS CIRCULAR 230 NOTICE: To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. tax advice within this client alert is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed in a client alert.
