Background – State Privacy Regulations

State privacy regulations safeguarding personal information (P.I.) have been established by over forty states. One of the most recent states to establish privacy regulations and security breach notification requirements is Massachusetts. The Massachusetts Privacy Regulations are the most comprehensive state regulations, and they are likely to become the model for other states. The Massachusetts Privacy Regulations require businesses and other holders of personal information to ensure that consumers’ information is kept safe. The Regulations may affect how your business protects certain confidential personal information, even if you are not located in Massachusetts.

The impetus for the Massachusetts Privacy Regulations included over 450 reported cases of stolen or lost personal information that affected nearly 700,000 Massachusetts residents during 2007-08.

Achieving compliance with at least the minimum requirements of the Massachusetts Privacy Regulations will likely minimize future compliance efforts as states and the federal government strengthen their requirements for protecting personal information.

Massachusetts Privacy Regulation 201 CMR 17:00

The Massachusetts Privacy Regulations affect companies in all 50 states. The Regulations apply to all businesses and legal entities that collect or store confidential personal data regarding consumers and employees residing in Massachusetts, including businesses with no physical presence in Massachusetts.

The Massachusetts Privacy Regulations preserve the privacy of consumers and employees by increasing the level of security on personal data held by businesses and other types of organizations. The Regulations mandate that personal information, meaning a name in combination with a Social Security number, bank account number, or credit card number, be encrypted when stored on portable devices, or transmitted wirelessly or over public networks. Encryption of personal information on portable devices carrying identity data, including laptops, PDAs and flash drives, must also be implemented by Jan. 1, 2010, ensuring increased protection of personal information.

The majority of personal information security breaches involve the theft of portable devices. Data encryption significantly reduces consumer risk if information is lost or stolen. The Regulations require businesses to encrypt documents containing personal information sent over the Internet or saved on laptops or flash drives, to encrypt wirelessly transmitted data, and to use up-to-date firewall protection that acts as an electronic gatekeeper between the data and the outside world and permits only authorized users to access or transmit data.

The Massachusetts Privacy Regulations require businesses and other organizations to prepare and maintain an up-to-date Written Information Security Program (WISP) to achieve compliance with the Regulations and to prepare for compliance audits. Conducting a State Privacy Regulation Compliance Survey is a highly effective way to gather the comprehensive information required for creating a WISP and achieving compliance with privacy regulations. Personal Information Privacy Compliance Surveys collect information from your company’s employees about their handling of employees’ and customers’ personal information.

State Privacy Regulation Compliance Surveys

State Privacy Regulation Surveys assess how companies and other types of organizations currently handle employee and consumer personal information as part of their effort to comply with state privacy regulations.

The Massachusetts Privacy Regulations Survey gathers comprehensive information that identifies what needs to be done to comply with the Massachusetts Privacy Regulations. The survey collects a wide range of information from employees located in Massachusetts and across the U.S. Survey reports provide data about the handling of private customer and employee information for the organization overall and for each organizational unit.

Complying with the Massachusetts Privacy Regulations and other state privacy regulations requires knowing which employees in your organization receive, handle, store (including on-site and third-party off-site storage), transmit and otherwise process personal data in electronic and paper formats. Companies are also required to know the sources of P.I. and where, how and how frequently it is received, handled, stored and transmitted. The Massachusetts Privacy Regulations also require control over document and data retention and destruction schedules wherever personal information is included. You also need to know which automated and manual systems are used for storing and transmitting personal information.

State Privacy Regulation Surveys enable companies and other types of organizations to comply with federal and state privacy laws. The surveys help avoid costs and negative publicity associated with breaches in personal information privacy due to P.I. theft and carelessness on the part of employees while handling personal information of customers and employees.

Massachusetts Privacy Regulations Compliance Deadlines

· The general compliance deadline for 201 CMR 17.00 was extended from January 1, 2009 to May 1, 2009.

· The deadline for ensuring that third-party service providers are capable of protecting personal information and contractually binding them to do so was extended from January 1, 2009 to May 1, 2009, and the deadline for requiring written certification from third-party providers was further extended to January 1, 2010.

· The deadline for ensuring encryption of laptops was extended from January 1, 2009 to May 1, 2009, and the deadline for ensuring encryption of other portable devices was extended to January 1, 2010.

201 CMR 17.00 – Answers to Frequently Asked Questions (FAQs)

  1. Your information security program must be in writing. Everyone who stores or maintains personal information must have a written plan detailing the measures adopted to safeguard such information.
  2. You are responsible for independent contractors working for you. You have the duty to take all reasonable steps (1) to verify that any third-party service provider with access to personal information has the capacity to protect personal data as provided for in 201 CMR 17.00; and (2) to ensure that third-party service providers apply protective security measures to personal information that are at least as stringent as those required to be applied to P.I. under 201 CMR 17.00.