Monday, March 1, is the current deadline for entities doing business in Massachusetts to comply with a tough new state law designed to safeguard residents' personal information. Are you in compliance?
The new law, Massachusetts identity theft regulations, 201 Code of Massachusetts Regulations 17.00, applies to any individual, company or organization that handles personal information in connection with employment or the sale of goods or services. Under the law, Massachusetts will require any entity that stores or transmits residents' personal information to encrypt the data when it's stored on portable devices or transmitted via the Internet. The personal information is a combination of customers' or employees' names and their Social Security, bank account or credit card numbers.
The state's goal is to stop data breaches that in the last two years exposed the personal information of more than 1.05 million people in Massachusetts. Of the 807 breaches reported to the state through last October, 495 resulted from criminal or other unauthorized acts such as the theft of laptop computers or outside hacking into unencrypted databases, while the remainder fell to improper employee handling of personal information - from transporting sensitive information to mailing the wrong document.
Ed Goodman, chief privacy officer, Identity Theft 911, tells Security magazine that unlike the rest of the regulatory landscape regarding data privacy, which is almost universally reactive in nature (the uniform requirement being that AFTER you experience a breach of security that releases personal information you notify the victims); 201 CMR 17.00 is highly prescriptive. "It relies on what would be commonly recognized as simple industry best practices around data security," he says.
"While the statute has received criticism for having extraterritorial application (outside of Massachusetts) and being potentially “burdensome” for small business, the reality is that this is the minimum that any business that handles personal information on ANY consumer should be doing," he says. "While this statute is obviously in the best interest of the consumer, considering the high cost of security breaches due to required notification, remediation, defense and settlement costs; putting proactive measures in place to avoid these data security breach situations from ever happening actually makes good business sense."