Information on new Data Security Regulations

In July 2007, the Massachusetts Legislature passed a comprehensive identity theft prevention bill, which went into effect on October 31, 2007. This law provides that Massachusetts consumers must be notified of any breach of their personal information that creates a substantial risk of identity theft or fraud, as soon as practicable and without unreasonable delay after the breach occurs, except when a law enforcement agency determines that notice may impede a criminal investigation.
 
The notification must include:
· the date or approximate date of the breach
· steps that have been taken or are planned to deal with the breach
· consumers’ right to obtain a police report
· instructions for requesting a credit report security freeze
 
On Friday, October 30, 2009, the Office of Consumer Affairs and Business Regulation filed final regulations for 201 CMR 17.00 with the Secretary of State. These amended regulations represent the Administration’s implementation of M.G.L. c. 93H, which was signed into law in August 2007. Filing of the final regulations ends a debate of more than two years among state officials and consumer groups, a period that included four revisions of the regulations and three delays in their effective date.
 
201 CMR 17.00 represents the toughest data security regulations in the nation: a comprehensive set of rules governing how all employers, and others engaged in commerce, must protect the personal information of Massachusetts residents.
 
The updated regulations take effect March 1, 2010. Employers should recognize that a comprehensive compliance analysis requires expertise from all business areas, including operations, legal, technical and human resources. The regulations make clear that they take a risk-based approach to data security, which is especially important to small businesses that may not handle much personal information about customers. Under a risk-based approach, a business developing its written information security program should take into account its size, the nature of its business, the kinds of records it maintains, and the risk of identity theft posed by its operations.