To Whom The Law Applies
This law requires that, if you own, license, store or maintain personal information on one or more Massachusetts citizens, you must comply with it, even if you are located anywhere else in the country. Personal information is defined as a first and last name, or first initial and last name, in conjunction with any one or more of the following: social security number; driver's license number; state-issued ID card number; financial account number; and credit or debit card number.
Effective Date
As of March 1, 2010, no matter where you are based, all companies that hold sensitive personal information on any Massachusetts citizens must have a Written Information Security Program (WISP). These companies must also implement other safeguards that require thorough reviews of the IT environment.
What Must Be Included In The Security Program
At a minimum, businesses must:
- Designate an Information Security Officer to be responsible for developing the company's formal written Information Security Plan.
- Identify administrative, technical, and physical risks associated with personal information security and document all possible breaches.
- Secure servers, networks, laptops, flash drives, and portable hard drives with passwords, firewall security, and anti-virus and anti-spyware software.
- Encrypt e-mails and e-mail attachments, USB flash drives, and PDAs containing personal information.
- Manage record destruction properly (in-office shredding, offsite shredding or on-site shredding).
- Train employees in information security procedures and how to avoid the loss of personal information.
- Create an employee termination checklist to disable former employee access to personal information.
- Develop a security breach incident response plan detailing what to do should there be a security breach.
- Conduct a required annual information security program review.
Penalties for Non-Compliance
Violators may face severe consequences including lawsuits, costly fines, crisis management expenses and loss of clients. The Massachusetts data privacy law, the strictest of any state, will likely become the standard for the nation, significantly impacting the way client personal information is handled in the future.