Companies engaging in e-commerce with Massachusetts residents should be aware that effective March 1, 2010, the Commonwealth of Massachusetts will require a higher level of protection for private information of Massachusetts residents. The Massachusetts law (201 CMR 17.00) will require the development, implementation, and maintenance of a comprehensive information security program by anyone collecting or storing the names of Massachusetts residents in connection with their (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number.
The statute requires that information security programs include administrative, technical and physical safeguards. These safeguards include, but are not limited to:
- Designating one or more employees to maintain the security program;
- Identifying and assessing reasonably foreseeable risks to the security and confidentiality of records containing personal information;
- Evaluating and improving the effectiveness of the current safeguards;
- Providing ongoing employee training;
- Imposing disciplinary measures for violations of the comprehensive information security program rules;
- Preventing terminated employees from accessing records containing personal information;
- Taking reasonable steps to oversee the use of personal information by third-party service providers;
- Implementing reasonable restrictions upon physical access to records containing personal information;
- Monitoring application of the security program; and
- Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.
The statute also includes new computer system security requirements for anyone collecting and storing relevant personal information about Massachusetts residents. These requirements include secure user authentication protocols, secure access control measures, encryption of certain transmissions and relevant data residing on laptops and other portable devices, the monitoring of the computer security program, and training programs for employees.
Failure to comply with 201 CMR 17.00 could result in fines of up to $5,000 per violation. Furthermore, under a related Massachusetts law regarding data disposal, businesses can be subject to a fine of up to $50,000 for each instance of improper disposal of personal data.