As a reminder, Massachusetts has enacted stringent data protection regulations (the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 C.M.R. 17.00 et seq.) (the “data protection regulations”) and data disposal legislation (Mass. Gen. Laws ch. 93I) (the “disposal law”).
These laws likely apply to your business to the extent that you collect information (either from your own employees or in connection with providing goods/services) that falls within the meaning of “personal information” under the data protection regulations. Although the definition of “personal information” under the data protection regulations is relatively narrow (a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account), the data protection regulations impose high minimum standards for protecting such information. (The definition of “personal information” under the disposal law includes the same information as that in the data protection regulations’ definition, except that the disposal law’s definition also includes a Massachusetts resident’s first name and last name or first initial and last name in combination with a biometric indicator.)
Among other requirements, the data protection regulations require the adoption of a written information security program (WISP) including certain minimum administrative, technical, and physical safeguards – among which are to oversee third-party service providers and adhere to specific computer system security requirements. The disposal law sets forth minimum standards for the proper disposal of records (including paper documents and non-paper media) containing personal information.
To assist in the compliance process with respect to the data protection regulations, the Massachusetts Office of Consumer Affairs and Business Regulation has created a compliance checklist, as well as a guide for small businesses entitled “A Small Business Guide: Formulating A Comprehensive Written Information Security Program.”
If you would like help in preparing a WISP or addressing other compliance issues, please contact MBBP Attorney Faith Kasparian.