Friday, June 4, 2010

Businesses Handling Personal Information of Massachusetts Residents Must Have a Written Data Security Program

All businesses that own or license the “personal information” of Massachusetts residents (whether employees or customers) are required to implement a written information security program (“WISP”) to safeguard both paper and electronic records containing that information, under the Massachusetts data security regulations at 201 CMR 17.00. This requirement took effect March 1, 2010.
The regulations reach every such business, including those located outside Massachusetts and the self-employed. “Personal information” means a Massachusetts resident’s name in combination with a Social Security number, a driver’s license or state-issued identification card number, or a financial account number or credit or debit card number.

The rule adopts a risk-based approach, so each business’s WISP should be scaled to the size, scope and type of the business, the resources available to it, the amount of personal information it stores, and its need for security and confidentiality (e.g., for employee data versus customer data).

Among other steps, businesses should consider updating their employment agreements to require employees to comply with the WISP, and their contracts with third-party service providers to require that those providers implement appropriate security measures for any personal information they handle on the business’s behalf.

The regulations may be enforced by the Massachusetts Attorney General. In addition to possible civil penalties, violators could be exposed to private lawsuits, including actions under Chapter 93A for unfair and deceptive trade practices.