Edwards Angell Palmer & Dodge LLP has recently drafted two Client Advisories related to Massachusetts data security requirements. Click here and here to view the Advisories. They describe new requirements imposed by Massachusetts, effective May 1, 2009, that mandate procedures to protect personal information (defined below) of Massachusetts residents. (Note that the deadline of January 1, 2009 was just extended to May 1.) All of our clients who obtain and maintain personal information about Massachusetts residents are affected. This includes any client (i) with an employee residing in Massachusetts (even if the client is not in Massachusetts), (ii) with a customer who resides in Massachusetts from whom the client obtains personal information, or (iii) who has personal information of a Massachusetts resident for any other reason, including as a third-party vendor. For clients in the insurance industry, this would also include claim or underwriting information that includes personal information of individuals who are Massachusetts residents (e.g., information produced by insureds to underwriters, or information of claimants maintained in claim files).
The Massachusetts requirements apply regardless of where the company is located. Personal information subject to the mandatory protection requirements is a first and last name (or initial) together with any one or more of the following: Social Security number, driver’s license number, financial account number, or credit or debit card number, with or without passwords or PIN.
No client will be in compliance without taking affirmative steps, including the adoption of a specific written information security program, and the implementation of encryption and other required safeguards.
Click here to view the official press release extending the January 1, 2009 compliance deadline to May 1, 2009.