E-Alerts

Massachusetts Data Security Reminder

Only Ten Business Days Remain Before The March 1, 2010 Compliance Deadline!

The March 1, 2010 deadline for compliance with the Massachusetts Data Security Regulations (201 CMR 17.00) is right around the corner, leaving covered entities with little time to bring their organizations into compliance. The Regulations apply to all entities that own, license, store, maintain, process or otherwise have access to records containing “personal information” of Massachusetts residents.

Personal Information is defined as: a Massachusetts resident’s first and last name, or first initial and last name, combined with a financial account number, a credit or debit card number, a Social Security number, a driver’s license number and/or a state-issued identification number.

By March 1, 2010, covered entities must implement certain information technology security requirements, adopt a detailed Comprehensive Written Information Security Program (“WISP”), conduct employee training in the WISP, and address service provider compliance issues. Each of these required measures is summarized below. Please see our previous E-Alert for additional information.

Many personnel policies and agreements are affected by the new Regulations, and each must be promptly updated for compliance. The list includes, but is not limited to: electronic communications, confidentiality, data retention, employee conduct and termination/return of company property policies, as well as telecommuting, non-disclosure, non-compete, independent contractor, severance and executive employment agreements.

Information Technology Security

Covered entities must implement certain information technology security requirements, such as strong password and user-authentication protocols, firewalls, security system monitoring, and encryption of electronically stored or transmitted Personal Information, to the extent technically feasible, in order to protect the security of Personal Information.

Develop A WISP

Covered entities must develop and implement a Comprehensive Written Information Security Program (“WISP”), which is a detailed policy that sets forth the covered entity’s security, technical and administrative protocols for safeguarding Personal Information.

Employee Training

Covered entities must conduct employee training regarding the policies and procedures contained in the WISP.

Third Party Service Providers

Covered entities must contractually require third-party service providers to implement and maintain appropriate security measures to protect Personal Information, except with respect to certain preexisting contracts, which may be subject to a two-year grace period.

*          *          *

As there is no time to spare, covered entities must act now to achieve compliance with the new Massachusetts Data Security Law by March 1, 2010. In this regard, the Firm is available to assist in the preparation of your organization’s WISP, update all personnel policies and agreements, conduct employee training and/or advise regarding vendor compliance issues. We would be happy to assist in bringing your organization into compliance.