UPDATE: New Massachusetts Data Privacy Regulations Take Effect March 1, 2010
SUMMARY
Effective March 1, 2010, any business that receives, accesses, processes, maintains, or stores non-public personal information of Massachusetts residents must have in place, and actually implement, a written security program that safeguards that information, regardless of the type of record or the medium in which it is held, and must contractually obligate its third-party service providers to do the same.
This means that, by March 1, 2010:
- Counsel should review your existing policy for compliance
- If you do not have a written policy you should work with counsel to prepare or obtain one that is compliant
- Counsel should review your existing service contracts for compliance
- Counsel should prepare a form of agreement for your use with service providers
BACKGROUND
In September 2008, the Massachusetts Office of Consumer Affairs and Business Regulation issued final regulations establishing standards for the protection and storage of Massachusetts residents’ personal information. Found at 201 C.M.R. §§17.00 et seq., the regulations define “personal information” as a Massachusetts resident’s first (or first initial) and last name in combination with his or her (a) Social Security number; (b) driver’s license number or state-issued identification card number; and/or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number, or password, that would permit access to a resident’s financial account. Financial accounts include debtor accounts for routine business and are not limited to bank or credit card accounts. Publicly available information is not within the scope of this definition.
The regulations were originally scheduled for implementation in 2009. Push-back from business interests resulted in some modest relaxation of the requirements, but the overall thrust of the regulations remains largely the same. They impose minimum standards on any person, natural or corporate, other than a governmental body, that receives, stores, maintains, processes, or otherwise has access to non-public personal information about a resident of the Commonwealth in connection with the sale of goods and services or with employment. Such a person must develop and implement a written security program, including disciplinary policies for infractions and corrective measures for failures, and must obligate its third-party service providers to develop and implement their own compliant written security programs. Where data is stored electronically, the program must address computer systems and wireless systems as well.
The effective date was first set at January 1, 2009, then pushed back to May 1, 2009; the compliance date is now March 1, 2010.
