As of March 1, 2010, all businesses in the Commonwealth of Massachusetts will be required to comply with 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth. This Regulation requires all persons who own, license, store or maintain personal information of Massachusetts residents to take steps to protect against unauthorized access to that information.
Personal Information is defined as a "Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that "Personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public." 201 CMR 17.00
This Regulation will undoubtedly affect business owners across the Commonwealth. If you fail to comply with the minimum requirements set forth in this Regulation, you or your business could face fines of up to $5,000.00 for each violation and up to $50,000.00 for improper disposal of personal information.
That is the bad news. The good news is that we can help. We have researched the requirements of 201 CMR 17.00, and we can help you or your business by drafting a Written Information Security Program (WISP) or by reviewing the plan you have already drafted to ensure it complies with the Regulation. If you don’t know where to start, or this is the first you have heard of this new Regulation, feel free to contact us and we can help you begin the process immediately.