Guest Post: Massachusetts Data Breach Law Affects Solos and Small Firms

My co-chair of the BBA Solo and Small Firm Section, Lori Yarvis, Esq., recently sent the following newsletter to her clients concerning the impact of the Massachusetts data breach law on small businesses. I thought that the topic was of sufficient concern to solo and small firm attorneys that I requested her permission to post her newsletter on my blog. She graciously agreed, and I hope that you read her newsletter with interest:

New regulations from the Massachusetts Office of Consumer Affairs and Business, effective May 1, 2009, impose obligations on businesses to protect Massachusetts residents from data breaches. The regulations apply to any business which uses “personal information” of a Massachusetts resident. “Personal information” includes a Massachusetts resident’s first and last name in combination with any one or more of the following: (i) a social security number, (ii) a driver’s license number or state-issued identification card number, and (iii) a credit or debit card or other financial account number, regardless of whether a PIN or security code is included.

Compliance with the regulations will be judged on a case-by-case basis, taking into consideration the size of the business, the resources available to the business, the amount of data stored by the business, and the need for privacy and security of the client/customer/employee data. The regulations were precipitated by the highly publicized recent thefts of personal information from customers of The TJX Companies and Hannafords Supermarkets, respectively.

For failure to comply, the Massachusetts Attorney General’s Office may seek injunctive relief or recover civil fines of up to $5,000.00, and attorneys’ fees and costs. The Attorney General’s Office has not yet clarified its role in enforcing the regulations.

In order to comply with the regulations, a business is required to, among other things:

1. Adopt a written policy of privacy and security practices, termed a “written information security program”, for handling personal information of clients/customers/employees. (Guidelines for formulating a “written information security program” are available on the Massachusetts Office of Consumer Affairs and Business website, along with a compliance checklist.)

2. Make all employees aware of the written policy.

3. Monitor the implementation of the policy, both through audit software and manually, and review the policy each year.

4. Make sure that all personal information leaving its premises on laptops, for example, is encrypted.

5. Obtain written certification from any third party service providers who have access to the personal information, such as a payroll company or IT consultant, that such providers are also in compliance with the regulations.

6. Limit the amount of personal information collected and retained to that reasonably necessary to accomplish its business purposes, limit access to those reasonably required to have it, and limit retention to comply with state and federal law.

7. Identify which records, both electronic and paper, and which storage media, including laptops and portable devices, contain personal information, or have its security policy provide that all records are to be handled as if they contain personal information.

8. Place reasonable restrictions on access to physical records containing personal information, and have the written security policy set forth the manner in which physical access is restricted.

9. Store records containing personal information in locked facilities.

10. Document any actions taken in response to an incident involving a security breach and make changes to its policy to protect personal information if necessary.

11. Determine if its computer system complies with the encryption requirements set forth in the regulations. The business may need to hire an outside IT consultant to assist it with this.

Lori Yarvis, Esq., Schlesinger and Buchbinder, LLP, 1200 Walnut Street, Newton, MA 02461, 617 965-3500, f 617 965-6824

For further information, or to discuss technology issues implicated by this new regulation, contact LOMAP at
