Privacy and Data Security Alert

Reminder: March 1, 2010 Deadline to Comply With Massachusetts Information Security Regulations Is Right Around the Corner

February 17, 2010

Businesses that have not adopted written information security programs to comply with the Massachusetts information security regulations have little more than a week to wrap up their compliance efforts.  Monday, March 1, 2010 is the deadline set by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) for businesses around the world that handle the personal information of Massachusetts residents to comply with the strict Massachusetts regulations. 

The Massachusetts identity theft regulations, 201 Code of Massachusetts Regulations 17.00, apply to any individual, company or organization that handles personal information in connection with employment or the sale of goods or services.  “Personal information” includes the names of Massachusetts residents in combination with Social Security numbers, state driver's license numbers, identification card numbers or financial account numbers. If your business collects or maintains personal information, you must come into compliance with the regulations by the March 1st deadline.

To comply with the regulations, affected businesses are required to adopt a comprehensive, written information security program that includes reasonable security measures to safeguard personal information.  While a compliant program should be appropriate to the size of the company and the amount of personal information at issue, the regulations contain a number of specific requirements, such as encrypting personal information sent in emails or stored on laptops or mobile devices, and making sure that company anti-virus software is up to date.