Massachusetts will have a new data security regulation that goes into effect on March 1 of this year. Under the new regulation, those who “receive, store, maintain, process, or otherwise access [certain limited] personal information in connection with the provision of goods or services or in connection with employment” (these activities defined in the regulations collectively as “owning” data) must have a data security program in place. The type of information that triggers the law is limited to first and last name with one or more of the following: (1) Social Security number; (2) drivers’ license or state-issued ID card number; or (3) financial account or credit card number.
Those who “own” such data about Massachusetts residents must have a security program in place that includes the following: (1) a written security program; (2) an employee in charge of the program and training for all employees about the program and its requirements; (3) provisions for when data is being transported off-site; (4) oversight of vendors who handle such information on the company’s behalf; and (5) monitoring compliance with and regular review of the program to ensure its effectiveness. The requirements are more detailed than this overview, but the foregoing gives a good example of the types of things that must be included in a program.
TIP: If you collect Social Security numbers, drivers’ license numbers, or credit card numbers from individuals in Massachusetts as part of the provision of goods or services (or in connection with employment), you should ensure that you have sufficient measures in place to protect that data. To meet the law's requirements, you will need to have those measures formalized into a written security program that includes the elements required by the Massachusetts law.
It is not clear whether the law would apply when Social Security numbers are being collected in connection with sweepstakes/contest awards. However, even if this law does not directly apply, companies should still be taking steps to protect sensitive information in order to avoid liability under, for example, data breach notification and unfair business practice laws. This new regulation can serve as guidance for what a protection program might look like, helping to avoid or limit such liability.