Massachusetts Privacy Laws 201-CMR-17
Published by Document Shredding, November 25th, 2008. Massachusetts privacy law calls for tighter information security.

[NOTE: New information is available at this link about the Massachusetts Privacy Law, which has evolved since this original]

The Commonwealth of Massachusetts enacted a law in September protecting state citizens’ personal information. Originally scheduled for January 1, 2009, the law will now take effect for all Massachusetts businesses and third-party providers beginning May 1, 2009, with other requirements coming into effect January 1, 2010. The law intends to protect employees’ personal information from unauthorized access and possible exploitation.
Personal information to be protected includes a person’s name and address combined with a complete social security number, a driver’s license number or another state-issued identification number, or a complete credit card or bank account number.
Companies that do keep this information will need to take some prescribed steps toward compliance. They must:
- Establish written policies and procedures for the protection of these files, both in electronic and physical formats.
- Be able to justify the need for all such information kept in-house. Obviously, employee data is needed for tax, 401K, and insurance withholdings. But for client records, is it possible to retain only the last four digits of a credit card number?
- Establish robust user password requirements for the designated employee(s) to gain access to these files.
- Passwords used by employees to access this data should be as complex as possible and changed frequently.
- Companies need to review who can access these now-protected files.
- It is advised to minimize the number of staff who would have this access.
- Companies should also consider implementing auditing tools that track who accessed personal information, when it was accessed, and what was accessed.
- Put in place a personal information security officer responsible for maintaining, updating, and training company employees about personal information protection policies.
- Make sure disciplinary measures for violations are in place.
- Maintain hard copy files of personal information in cabinets that are kept locked at all times, with access limited to the minimum number of designated employees.
- Have in place enterprise security tools: firewalls, plus server and workstation anti-malware and antivirus protection, all kept current and automatically updated on a regular basis.
- Consider outsourcing this risk whenever possible – for example, transferring the responsibility for maintaining employee personal information to a certified online personal records service provider. Consider using a certified credit card processing service, with your company only inputting, but not being able to record, client credit card information. Third-party certifications for 201 CMR 17.00 must be in place before January 1st, 2010.
- Ensure that any electronic communication of this protected data, whether wireless or online, is conducted using robust encryption.
- Ensure that any storage of this protected data on laptops is robustly encrypted by May 1, 2009. Protected data stored on PDAs, memory sticks, CDs, or other portable devices must be encrypted by January 1, 2010.
- Minimize the amount of personal information stored and the length of time it is retained. Companies should regularly review the protected data they maintain and purge all but what is absolutely necessary to keep on file.
Security threats continue to rise, and lost information can be devastating to companies and can be an indicator that fraud is being perpetrated. As the new Massachusetts law dictates, companies that hold such information will have to take appropriate measures to safeguard privacy. To protect your consumers’ privacy, all documents must be shredded; try our economy document shredding service.