On March 1, 2010, Standards for the Protection of Personal Information of Residents of Massachusetts went into effect. These Standards require businesses that collect personal information from Massachusetts residents to create a comprehensive written information security program. Since “personal information” is defined to include the first name or initial combined with the last name of the individual, together with a social security number, credit card number, or bank account number, every Massachusetts employer will likely need to comply. The Standards apply to electronic and paper records.
The Standards require a business to implement a wide variety of data security “best practices.” Employers will need, among other things, to assess how personal information is handled and secured, train employees (including temporary and contract employees) on privacy and security matters, ensure the physical security of electronic and paper records containing personal information, control whether and how employees may access personal information outside the business, encrypt personal information that is stored on laptops or mobile devices or transmitted outside of the company’s network, and ensure that service providers protect the security of the personal information.