Massachusetts’ data security regulation (201 CMR 17.00, issued under M.G.L. c. 93H) requires businesses to implement specific safeguards for the protection and disposal of “personal information” in their possession. Much of that information is probably held in electronic form, but the law covers personal information in paper records and electronic records alike. The regulation took effect March 1, 2010, so businesses that have not yet complied must act now. What follows are answers to some commonly asked questions about the law.
Why do we have this new law?
Several widely reported breaches of consumer information drove this legislation, most notably the breach disclosed by TJX Companies in January 2007, which involved tens of millions of payment card numbers. The bill was signed into law in August 2007, only months later.
Does this apply to my business?
If you keep any personal information about Massachusetts residents, whether employees or customers, the answer is YES. The law applies to any business that owns or licenses such information about a Massachusetts resident, regardless of where the business is located.
What is considered personal information?
Generally, a person’s first name and last name, or first initial and last name,
AND
any one or more of the following: Social Security number; driver’s license number or state-issued identification card number; financial account number; credit or debit card number.
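The first practical step in complying is finding out which of your records actually meet that definition. The following script is an added example, not part of the original page and not an official tool: it classifies records against the definition above (a qualifying name plus at least one listed identifier). The field names (first_name, last_name, ssn, license, account_number, card), the Massachusetts license format, and the sample records are all assumptions made for illustration.

```python
"""Classify records against the Massachusetts definition of personal information:
a first name (or first initial) and last name, combined with at least one of
SSN, driver's license / state ID number, financial account number, or
credit/debit card number. The field names used here are an assumed schema."""
from __future__ import annotations
import re

# Nine digits once spaces and dashes are stripped.
SSN_RE = re.compile(r"^\d{9}$")
# Assumed Massachusetts license / state ID format: the letter S followed by
# 8 digits, or 9 digits. This is an assumption, not something the page states.
MA_LICENSE_RE = re.compile(r"^(?:S\d{8}|\d{9})$", re.IGNORECASE)
# Payment card primary account numbers are 13 to 19 digits.
CARD_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers.

    Reduces false positives from phone numbers, order IDs and mistyped values;
    it is a heuristic, not proof that a number is a live card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _clean(value) -> str:
    """Strip whitespace and dashes so formats like 123-45-6789 match."""
    return re.sub(r"[\s-]", "", str(value or ""))


def has_qualifying_name(record: dict) -> bool:
    """First name or first initial plus last name; last name alone does not qualify."""
    first = (record.get("first_name") or "").strip()
    last = (record.get("last_name") or "").strip()
    return bool(first) and bool(last)


def qualifying_identifiers(record: dict) -> list[str]:
    """Return the names of the listed identifiers present in the record."""
    found: list[str] = []
    if SSN_RE.match(_clean(record.get("ssn"))):
        found.append("ssn")
    if MA_LICENSE_RE.match(_clean(record.get("license"))):
        found.append("license")
    # Financial account numbers have no universal format, so any value counts.
    if _clean(record.get("account_number")):
        found.append("account_number")
    card = _clean(record.get("card"))
    if CARD_RE.match(card) and luhn_ok(card):
        found.append("card")
    return found


def classify(record: dict) -> tuple[bool, list[str]]:
    """True if the record is personal information under the definition above."""
    ids = qualifying_identifiers(record)
    return (has_qualifying_name(record) and bool(ids)), ids


def flag_pi_records(records: list[dict]) -> list[tuple[int, list[str]]]:
    """Indexes and identifiers of every record that must be protected."""
    flagged = []
    for i, record in enumerate(records):
        is_pi, ids = classify(record)
        if is_pi:
            flagged.append((i, ids))
    return flagged


# Constructed sample records (not real people or numbers).
SAMPLE_RECORDS = [
    {"first_name": "J", "last_name": "Doe", "ssn": "123-45-6789"},             # initial + SSN: PI
    {"first_name": "Jane", "last_name": "Doe", "email": "jane@example.com"},   # name only: not PI
    {"last_name": "Doe", "card": "4111 1111 1111 1111"},                       # no first name: not PI
    {"first_name": "Jane", "last_name": "Doe", "card": "4111111111111112"},    # fails Luhn: not flagged
    {"first_name": "Jane", "last_name": "Doe",
     "license": "S12345678", "account_number": "0099-1234"},                   # PI, two identifiers
]

if __name__ == "__main__":
    for index, ids in flag_pi_records(SAMPLE_RECORDS):
        print(f"record {index}: personal information ({', '.join(ids)})")
```

Run against an export of each system that might hold customer or employee data, the flagged records tell you where the safeguards described in the rest of this page have to be applied. The Luhn and format checks only cut down noise; a record that fails them but clearly holds an account number still needs protecting.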
What does the law require me to do?
Every business must develop and maintain a comprehensive written information security program, commonly referred to as a WISP. Required elements include: identifying which records contain personal information and where they are kept; limiting access to employees who need it; securing storage and disposal of the records; overseeing third-party service providers and requiring them by contract to protect the information; encrypting personal information sent over public networks or wirelessly and stored on laptops and other portable devices; and monitoring and regularly reviewing the safeguards.
What should employees know?
Data security also affects your existing human resources documents. Data security-related policies and forms, such as orientation forms and termination exit forms, as well as your employee handbook, should reference the WISP and spell out employees’ responsibilities. The regulation also requires ongoing employee training and disciplinary measures for violations.
What if I have a security breach? What must I do?
Massachusetts law requires a business that knows or has reason to know of a breach of security involving personal information to notify the Attorney General, the Massachusetts Office of Consumer Affairs and Business Regulation (617-973-8700), and each affected resident as soon as practicable and without unreasonable delay.