In our inaugural issue of the Employee Defection & Trade Secrets Digest, we wrote about state information security laws and how they apply in the employee defection context. (At the bottom of this post, you can obtain a copy of the Digest and read State Information Security Laws: What Are They and What Do They Have To Do With Employee Defection? by James P. McLaughlin.) The passage of time has demonstrated not only that these laws are not going away, but that they are becoming more commonplace and more stringent. A recent example is the Massachusetts regulation entitled "Standards for the Protection of Personal Information of Residents of the Commonwealth." (201 CMR 17.01(2). A copy of the Massachusetts regulation may be obtained at http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf.) The regulation applies to any person or business that owns or licenses personal information about a resident of Massachusetts, wherever that business is located. "Personal information" is defined as a Massachusetts resident's first name and last name (or first initial and last name) in combination with any one or more of the following: a Social Security number; a driver's license or state-issued identification card number; or a financial account, credit card, or debit card number, with or without any password or access code that would permit access to the account. 201 CMR 17.02. In practice, that definition reaches ordinary employee and customer records, so the regulation will apply to most employers.
The regulation "establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records." 201 CMR 17.01(1). Companies are required to develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards appropriate to the size and type of the business and the amount of personal information it holds. Required elements of the program include, but are not limited to, the following:
- Preventing terminated employees from accessing records containing personal information;
- Designating one or more employees to maintain the comprehensive information security program;
- Identifying and assessing reasonably foreseeable internal and external risks to the security and confidentiality of personal information; and
- Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises.
The regulation also requires companies to document responsive actions taken in connection with any incident involving a breach of security, including a post-incident review of events and of any changes made to business practices. Separately, it contains computer system security requirements concerning the storage, transmission, and accessing of personal information (201 CMR 17.04), among them secure user authentication and access controls that restrict access to those who need it for their job, encryption of personal information transmitted across public networks or wirelessly and of personal information stored on laptops and other portable devices, monitoring of systems for unauthorized use, reasonably up-to-date firewall and patch levels and malware protection, and employee training on the program. Taken together with the requirement to cut off terminated employees' access, these provisions mean that a departing employee's accounts, remote access, and portable devices are a compliance question as well as a trade secret question. If your company loses an employee, whether in Massachusetts or elsewhere, it is worth a moment to determine whether a state information security law or regulation is implicated, and to confirm that the employee's access to records containing personal information has actually been terminated and that the termination has been documented.