Scribd Logo
Upload

Welcome to Scribd!

  • Massachusetts Data Protection Regs Advisory March 2010

    Uploaded by

    gesmer
    354 views2 pages
    Gesmer Updegrove client advisory on new Massachusetts data regulations

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Gesmer Updegrove client advisory on new Massachusetts data regulations

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    354 views2 pages

    Massachusetts Data Protection Regs Advisory March 2010

    Uploaded by

    gesmer
    Gesmer Updegrove client advisory on new Massachusetts data regulations

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 2

    This may be considered advertising under Mass. R. Prof. C. Rule 7.

    3(c)

    ClientAdvisory
    March 2010

    Massachusetts Data Protection


    Regulations Take Effect
    After three different drafts were circulated The regulations apply to both paper and elec-
    by the Commonwealth, the Massachusetts Data tronic records, and can cover such commonplace
    Protection Regulations have finally taken effect. items as benefits records, payroll files, invoices
    As of March 1, 2010, any person or business evidencing customer payments, and databases
    with personal information about a Massachusetts that use Social Security numbers as unique iden-
    resident must comply with a new regulatory tifiers. Virtually any business with a Massachu-
    scheme intended to protect that information from setts employee falls under the regulations’ scope.
    improper use or disclosure.
    The regulatory requirements are extensive
    The Office of Consumer Affairs and Business and detailed, and demand the adoption and main-
    Regulations originally promulgated the regula- tenance of a written information security plan and
    tions in Fall 2008, mandating that those holding designation of an individual to be responsible for
    personal information about Massachusetts resi- it. The information security plan must:
    dents devise and implement specific, detailed
    policies to protect the security and integrity of that 1. identify reasonably foreseeable risks to
    information. Virtually all Massachusetts busi- records containing personal information;
    nesses are covered, and the regulations also
    2. address policies regarding the storage
    apply to entities outside the Commonwealth that
    and transportation of records outside of
    hold Massachusetts residents’ Social Security business premises;
    numbers, credit card numbers, driver’s license
    numbers or financial account numbers.

    The regulations have been controversial, par-

    Mar
    ticularly among members of the Massachusetts

    1
    business community, who widely complained that
    they were inflexible, overly broad and expensive
    to implement.

    The final version of the regulations were aimed


    at addressing some of those concerns, while still
    adhering to the fundamental goal of requiring

    2010
    business practices that minimize the risk of future
    data breaches.

    © 2009 Gesmer Updegrove LLP. All rights Reserved. www.gesmer.com 40 Broad Street, Boston, MA 02109 617.350.6800
    3. mandate disciplinary measures for 11. require the encryption of any personal
    violations; information that is transmitted over the
    Internet, transmitted over an unsecured
    4. prevent access to personal information by wireless network, stored on a laptop, or
    former employees; stored on a portable device such as a
    Blackberry;
    5. with respect to third-party service providers
    with access to a personal information, 12. provide for up-to-date anti-virus software,
    it must provide for due diligence and operating system security patches and
    appropriate contractual terms to ensure firewall patches with respect to any
    that the contract will treat such information computers that can access personal
    in a manner consistent with regulatory information; and
    mandates;
    13. establish regular education and training of
    employees on the proper use of computer
    security systems and the importance of
    personal information security.

    While the regulations are directly enforceable


    by the Attorney General, a business’ failure to
    comply with them may leave it exposed in civil
    litigation, jeopardize insurance coverage, and put
    it at risk of breaching contractual representations
    and commitments.

    6. require physical records containing


    personal information to be kept in locked
    containers or facilities;
    If you would like to
    7. provide for regular monitoring of the plan, learn more, call Joseph
    and for updates when circumstances merit; Laferrera at Gesmer
    Updegrove LLP. He
    8. establish procedures for post-incident can be reached at joe.
    actions in the event of a data breach; laferrera@gesmer.com
    or (617) 350-6800.
    9. require secure user authentication protocols
    with respect to computer equipment that
    can access personal information;

    10. impose access control measures such


    that only those individuals with a need can
    access electronic personal information
    records;

    Gesmer Updegrove LLP www.gesmer.com 40 Broad Street, Boston, MA 02109 617.350.6800

    You might also like