February 8, 2010 — The Massachusetts Privacy Law: 201 CMR 17 was enacted in an effort to protect Massachusetts’ residents from the rising incidence of fraud and identity theft. This regulation institutes a minimum standard for protecting the personal information of Massachusetts’ residents that you may be in possession of either in electronic form or in paper records. If you fall within the guidelines established, you are mandated to comply.
Paresky Flitt & Company implemented security measures during their recent renovation and expansion project and are pleased to report that all data is fully protected. Additionally our staff has received training in security protection.
As valued clients, we want to ensure that you understand the privacy law’s guidelines and implications for non-compliance. The regulation applies to those businesses that collect and retain personal information in connection with providing goods and services or for employment purposes.
Personal information or data is defined as retaining the first and last name of a Massachusetts resident or the first initial and last name along with their:
- Social security number
- Driver’s license number or state issued identification card number
- Financial account number, credit or debit card numbers-with or without any required security code, access code, address code, personal identification number or password that might permit access to a resident’s financial account
- A biometric indicator
The new Massachusetts Privacy Law requires the following criteria be met in order to ensure compliance:
- An internal and external risk assessment of the human, physical, technical environment based on criteria outlined in the bill
- Computer security provisions in the regulation use a risk-based approach that comply to the extent that it is technically feasible, meaning that reasonable means must be used to accomplish a required result if there is a reasonable technology available
- The results of the internal and external risk assessments must be documented in a Written Comprehensive Information Security Program (WISP)
- The scope of WISP must be reviewed at least on an annual basis or whenever there is a change in business practices that may impact security controls
This is merely an overview of the Massachusetts Privacy Law. Additional information can be found at this link.
Violators could be faced with a civil penalty of $5,000 for each violation and be required to pay the reasonable costs for investigation and litigation.