
2013 Data Privacy Report 11/24/2014

Posted by Morse Barnes-Brown Pendleton in Attorney News, Computer Software & Hardware.

In September 2014, the Massachusetts Office of Consumer Affairs and Business Regulation released its 2013 Data Privacy Report, which includes an in-depth analysis of data breaches of personal information of Massachusetts residents during the year of 2013.

The report identifies the type of breaches reported (88% involving electronic records; 12% paper, faxes/mail/e-mail, both paper/electronic) and the industries most affected.  Not surprisingly, the financial services industry reflected the most significant activity and accounted for 85% of the total reported breaches, followed by the health care industry (5%).  As for the industry with the biggest increase in the number of those affected by data breaches, the education industry saw a massive 611% jump from 5,208 Massachusetts residents affected in 2012 to 31,780 in 2013.

The report also underscores the need for businesses to comply with the Massachusetts data security regulations that came into effect in 2010. Among other requirements, the regulations require any person or entity that owns or licenses personal information of Massachusetts residents to develop and implement a Written Information Security Plan (“WISP”).  In addition to further requirements, businesses acting in accordance with a WISP must: (1) designate an individual to maintain and be responsible for the program; (2) identify any reasonably foreseeable data security risks; (3) protect and restrict access to paper and electronic forms of any personal information; and (4) oversee any third-party service providers and ensure that those service providers comply with the regulations. More information about the Massachusetts data security regulations can be found in our past client alerts from March 9, 2009, March 17, 2009 and February 17, 2012.

When discussing possible liability of a business related to a data breach, the 2013 Data Privacy Report stated that a business’ “WISP and documentation of steps taken to guard and protect the personal information it retains or entrusts to a third party vendor and its response will be paramount in assessing its degree of culpability in the incident.”

In a year that has seen data breaches of several major corporations, this report serves as a reminder for all businesses to take a proactive approach by: (1) promoting a culture of security within their organizations; (2) committing to the protection of personal information by instituting mechanisms to ensure compliance with all applicable privacy and data protection laws, many of which require the implementation of reasonable administrative, technical, and physical safeguards to protect the confidentiality, and prevent the unauthorized interception, of personally identifiable information; and (3) being prepared to address the effects of a data breach in the event that one occurs.

 

For additional information, or to have a WISP prepared, reviewed, or revised to ensure compliance with the Regulations, please contact Faith Kasparian, Michael Cavaretta, or Howard Zaharoff.
