As of March 1, 2010, any company, organization, association or entity that holds sensitive personal information of a Massachusetts resident must comply with a new law, Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00). The law applies to an entity even if it is not located in, and does not otherwise do business in, Massachusetts: all that is needed to trigger a compliance obligation is that the firm maintains personal information on Massachusetts residents, including information on any customers and employees.
Taking a page from the FTC’s Red Flags regulations, the new law requires that companies implement a written security plan to protect personal information. An employee must oversee this security program, the program must be regularly monitored, and its effectiveness must be reviewed at least annually, or whenever there is a major change in the company’s business practices.
Going further than the FTC, and not wanting to disappoint given its name, Massachusetts has actually set forth specific data security standards in its new law. For example, all records containing personal data that are transmitted wirelessly or sent over public networks must be encrypted. Likewise, sensitive personal data stored on laptops and other portable devices must be encrypted. Companies will also need to restrict access to records and files containing personal information to only those employees who need that information to do their jobs.
Third-party vendors that contract with businesses after March 1, 2010 are subject to the new law and must also comply. Companies that contracted prior to March 1, 2010 are given two additional years to comply. It remains to be seen whether other states will follow Massachusetts, but given the reach of the statute, it may not even matter. Between the FTC and Massachusetts, good common sense may dictate that your firm implement a written ID theft prevention program sooner rather than later.