Massachusetts’ New ID Theft Protection Regulations- Extended Deadline

In light of emerging economic uncertainties for companies, Massachusets has extended the deadline for compliance with its new consumer privacy guidelines. 201 CMR 17.00 was originally set to go into effect January 1, 2009, but has been extended until May 1, 2009 to allow companies more time to get their consumer data protection plans in order.

The Massachusets Office of Consumer Affairs and Business Regulation has published a lengthy checklist fo…

In light of emerging economic uncertainties for companies, Massachusets has extended the deadline for compliance with its new consumer privacy guidelines. 201 CMR 17.00 was originally set to go into effect January 1, 2009, but has been extended until May 1, 2009 to allow companies more time to get their consumer data protection plans in order.

The Massachusets Office of Consumer Affairs and Business Regulation has published a lengthy checklist for compliance which is available at  their website. The main requirement of the new regulation is putting a written information security program (WISP) in place for all records containing personal information on residents of Massachusets, as well as monitoring third parties’ abilities to protect personal information. Once a company implements a plan, the legislation states that an employee or employees must be dedicated to maintaining and supervising its implication. It also requires ongoing employee training and procedures for maintaining employee compliance. 

The WISP must secure all records that contain personal information and put in place technical, administrative, and physical safeguards to protect ‘personal information’, which in the actual legislation is defined as:

“a Massachusets resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: Social Security number, driver’s license number or state issued identification card number; or financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully available to the general public.”

In a nutshell, the legislation requires companies to do the following:

– limit the amount of personal information gathered, limit the amount of time the info is retained, and limit the individuals who have access to personal information to such that is necessary to accomplish an intended purpose.

– determine the location of all records that contain personal information, whether it be on laptops, paper, or other storage devices and secure all areas/storage devices that contain these records.

– impose detailed, written restrictions on access to the records

– regular monitoring of the information security system including upgrading info safeguards to limit risks

– annual review of the scope of security measures or a review when business practices concerning security change

– documentation of actions taken in response to breaches of information security and, upon review, necessary security changes made concerning the breach.

In part two of this post, we will review computer system requirements.

Link to original post