The Commonwealth of Massachusetts enacted 201 CMR 17.00 which is designed to protect state citizens’ personal information. This law, which has already been revised and postponed three times, now requires all covered entities to achieve full compliance by March 1, 2010. Does the new Massachusetts privacy law apply to a company or entity that is located in New Hampshire? The answer is “yes”.
The regulations apply to any entity engaged in commerce that owns or licenses personal information about a resident of the Commonwealth. Massachusetts defines "owns or licenses" broadly, as "receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment." The regulation separately defines a "service provider" as any person permitted access to personal information through its provision of services directly to a covered entity, and covered entities must contractually require their service providers to safeguard that information.
Under the law, personal information to be protected means a Massachusetts resident’s name (either first and last name or first initial and last name) in combination with a Social Security number, a driver’s license or other state-issued identification number, or a financial account number or credit or debit card number that would permit access to the resident’s financial account. The law reaches a wide variety of records – everything from employee, client, customer and investor records to supplier, patient and student records. It does not include any information that is lawfully obtained from publicly available information or from federal, state or local government records lawfully made available to the general public. A person’s date of birth, for example, falls outside the definition and is not protected under this law.
Even if an entity is located in New Hampshire, as long as it owns or licenses personal information about a Massachusetts resident, the entity is subject to the privacy law.
Failure to Comply
The consequences of non-compliance include:
Increased exposure to lawsuits. If a breach is determined to have occurred and the entity has failed to comply, the Massachusetts Attorney General can file suit against the company.
A civil penalty of up to $5,000 may be awarded for each violation under Chapter 93H of the Massachusetts General Laws.
Businesses can also be subject to a fine of up to $50,000 for each instance of improper disposal under Chapter 93I of the Massachusetts General Laws, which governs the disposal of records containing personal information.
Other consequences of failure to comply include damage to a company’s reputation, as well as the time and resources required to determine the cause and extent of a breach, to notify affected individuals, and to implement corrective action so that the breach does not recur.
Creating a Written Information Security Program (WISP) is a Key Component of Compliance
Pursuant to 201 CMR 17.00, the Massachusetts Privacy Law, your entity must develop, implement, maintain and monitor a comprehensive Written Information Security Program (WISP) to ensure the security and confidentiality of personal information in both physical and electronic form. The actual scope and complexity of a WISP will vary depending on the size and scope of the business, the resources available, the nature and quantity of data stored, and the need for security and confidentiality of both consumer and employee information.
When drafting a WISP, you must balance the obligation to incorporate the required administrative, technical and physical safeguards for the personal information you hold against the objective of reasonable and effective administration.
Paul D. Creme is an attorney with Hamblett & Kerrigan PA. His practice is focused on business and corporate law. Of particular interest are the areas of software and emerging technologies. You can reach Attorney Creme at [email protected]