Pabian & Russell, LLC

THE NEW MASSACHUSETTS DATA SECURITY LAW:
WHAT YOU NEED TO DO TO COMPLY

In response to the growing problems of data breaches and identity theft, Massachusetts is adopting a new law imposing detailed requirements on any person or business that owns, stores, maintains or licenses “personal information” about Massachusetts residents, likely covering every business in Massachusetts.  The new law requires that you develop and implement a comprehensive written data security program by the March 1, 2010 deadline.


Who must comply? Any individual, sole proprietorship, partnership or business that owns, stores, maintains or licenses “personal information” about Massachusetts residents, including customers or employees.

What is “personal information”? “Personal Information” is data that includes:

  • First name or initial and last name; and
  • Social Security number, driver’s license number, state-issued ID card number, credit card number, debit card number or financial account number.

What do I have to do to comply? You must develop and implement a comprehensive written data security program, which must:

  • Designate an employee to oversee the data security program
  • Perform a comprehensive assessment to identify internal and external risks to data security and confidentiality
  • Identify ways to improve data security for both paper and electronic records
  • Develop written policies for employee use of and access to data
  • Educate and train employees
  • Restrict physical access to data
  • Adopt policies for off-site use of data
  • Impose disciplinary measures for employee violations of policies
  • Immediately shut off system access for terminated employees
  • Adopt “technically feasible” security measures for computer and wireless systems – this can include some or all of the following: encryption of data, user authentication and lockout controls, system monitoring, firewalls, and scheduled updates of security and anti-virus software
  • Adopt data destruction policies that comply with existing Massachusetts data destruction laws
  • Oversee service providers with access to data, and include data security requirements in vendor contracts (including updates to existing contracts within two years)
  • Regularly monitor the data security program and upgrade as necessary
  • Review the program at least annually
  • Document all responses after a breach, do post-breach assessment, and comply with existing Massachusetts data security breach notification laws

Why worry about compliance? The current scheduled deadline to comply with the new law is March 1, 2010.  Developing and implementing a data security program for large or small businesses can require a great deal of time and effort, even months, so our advice is: do not delay.  Failure to comply can lead to civil penalties and costs plus restitution costs, as well as long-term damage to your reputation, if you suffer a data security breach.

The above is intended to be a brief overview of the new Massachusetts data security law.  If you would like more information or have questions about how the new law may apply to your business, please contact Ethan Flaherty at eflaherty@pabianrussell.com.

