ActionCOACH
Van Smick
MA Data Breach Info
The deadline for compliance with the Massachusetts data breach law (the data security regulation 201 CMR 17.00, issued under M.G.L. c. 93H) is March 1st, and you are probably affected. The regulation applies to "every person that owns, licenses, stores, or maintains personal information about a resident of the Commonwealth", which includes businesses located outside Massachusetts. If you have employees, you by definition store their Personal Information (PI) and are therefore subject to the law.

The kicker in this law is that if customer or client data is breached, you may be liable to those clients for the loss of their identity data, AND the Commonwealth can add a civil penalty of up to $5,000 per violation.

The key provisions of the law are:
  1. Adopt a written policy of privacy and security practices, termed a "written information security program" (WISP), for handling the personal information of clients, customers, and employees.
  2. Make all employees aware of the written program and train them on it.
  3. Monitor the implementation of the program, both with automated audit tools and by manual review, and review the program at least once a year.
  4. Make sure that all personal information leaving your premises on laptops or other portable devices is encrypted, and that personal information transmitted over public networks or wirelessly is encrypted as well.
  5. Obtain written certification from any third-party service providers who have access to the personal information, such as a payroll company or IT consultant, that those providers are also in compliance with the regulations.
  6. Limit the amount of personal information collected and retained to what is reasonably necessary to accomplish your business purposes, limit access to those who reasonably need it, and limit retention to what state and federal law require.
  7. Identify which records, both electronic and paper, and which storage media, including laptops and portable devices, contain personal information, or have the WISP state that all records are to be handled as if they contain personal information.
  8. Place reasonable restrictions on access to physical records containing personal information, and have the WISP set out how physical access is restricted.
  9. Store records containing personal information in locked facilities.
  10. Document any actions taken in response to a security breach, and change the program where necessary to better protect personal information.
  11. Determine whether your computer systems comply with the encryption requirements set out in the regulations; 201 CMR 17.04 also sets requirements for secure user authentication, access control, patching, firewalls, and anti-malware software. You may need to hire an outside IT consultant to help with this.
  12. Breach notification requirements: should a security breach occur, you are required to notify the Massachusetts residents whose personal information was compromised, the Attorney General, and the Director of the Office of Consumer Affairs and Business Regulation "as soon as practicable and without unreasonable delay".
  13. Penalties: enforcement for non-compliance rests with the Attorney General under M.G.L. c. 93A, which carries a civil penalty of not more than $5,000 per violation and may also require payment of the reasonable costs of investigation, litigation, and attorney's fees. In addition, private civil lawsuits may be available to individuals harmed by a breach.
A WISP template and a compliance checklist are also provided.