Effective March 1, 2010, all businesses, regardless of size, that own, store, or maintain personal information of Massachusetts residents are required to comply with the Code of Massachusetts Regulations, 201 CMR 17. The regulation requires businesses to take specific steps to protect the personal information they hold, and it applies not only to Massachusetts-based businesses but to any company that holds personal information about Massachusetts residents, wherever that company is located.
Between 2005 and 2006, more than 45 million credit and debit card numbers were stolen from TJX (the parent company of TJ Maxx) in a breach disclosed in 2007. In response to this breach, the Massachusetts legislature set out to write a law that would protect all residents of the Commonwealth regardless of the location of any business with whom they conducted a non-cash transaction.
What is personal information?
Personal information is a resident's last name together with either the first name or first initial,
COMBINED with any of the following:
- Social Security Number
- Driver’s license number or state issued ID card number
- Financial account number
- Debit or credit card number
Do you need to comply?
Any business that accepts non-cash payment collects personal information (PI) in some form (a check, for example, carries the customer's name and bank account number) and must therefore comply with this regulation. Cash-only businesses may need to comply as well if they have employees or subcontractors, because payroll and tax records (W-4s, W-9s, 1099s) contain names and Social Security Numbers. "Cash or credit card only" businesses must also comply, since card numbers are PI. Compliance includes a written plan detailing how this data will be secured, referred to as a WISP (Written Information Security Program).
How do you comply?
The required level of safeguards differs for each business and is determined by its size, the resources available to it, and the amount and sensitivity of personal information it collects in any form. Each company's WISP must include administrative, technical, and physical safeguards for PI protection. Among the elements of a company's WISP are specifics on how the business protects personal information; who within the company has access to this data; training of those individuals; steps taken when an employee is terminated (revoking physical and electronic access); procedures for handling a security breach; and rules for transporting data off site. Any business using a third-party service provider must ensure, by contract, that the provider is capable of maintaining security measures compliant with 201 CMR 17.
IT requirements include secure user authentication protocols and access controls; antivirus and malware protection with definitions updated at least once per day; a business-class firewall; regular network maintenance, with security patches applied at least every thirty days; unique, non-default passwords and a password policy; and encryption of PI stored on laptops and portable storage and of PI sent by email or otherwise transmitted over a public network. Under the companion breach-notification statute (M.G.L. c. 93H), a business must notify the Attorney General, the Office of Consumer Affairs and Business Regulation, and the affected residents when unencrypted personal information is compromised, for example when a laptop containing PI is stolen.
The following is a partial list of typical business activities and the minimum compliance required:

| DO YOU: | AT A MINIMUM YOU NEED TO: |
|---|---|
| Accept checks and keep them in the register or drawer until deposited? | Keep the register, drawer, etc. locked when not in use. |
| Accept checks and keep a copy on file? | Regardless of where the copy is kept, the file must be kept in a secure location when not in use. |
| Accept debit or credit cards and your merchant receipt or batch printout includes the full card number? | Keep it in a secure location. |
| Accept debit or credit cards and maintain the numbers in a paper file? | Keep it in a secure location. |
| Accept debit or credit cards and maintain the numbers electronically (e.g., in accounting software)? | Use strong password protection on any document containing PI. See below for further details. |
| Have employees? Use subcontractors or day laborers for whom you issue 1099s? | Keep payroll data (W-4s, payroll reports) and W-9s, as well as copies of distributed 1099s, in a secure location. |
| Transmit personal information via email? | Encrypt the email and/or its attachments when sent over a public network. Many companies now provide PI via a secure website instead. |
| Transmit personal information via fax? | Whenever possible, do not send faxes containing PI. If unavoidable, at a minimum include a confidentiality disclosure statement. |
| Maintain personal information on a desktop computer? | Use strong password protection. |
| Maintain personal information on a laptop computer or a removable device such as a USB drive or CD? | Encryption required (either the entire hard drive or the portion where PI files are kept). |
| Make periodic backups of any electronic data containing PI? | Encryption required. |