On March 1, 2011, the Massachusetts data security law, M.G.L. c. 93H, came into effect. The purpose of the law was to (1) ensure the security and confidentiality of personal information; (2) protect personal information against threats or hazards; and (3) protect personal information against unauthorized access or use that could create a substantial risk of identity theft or fraud. This new law made Massachusetts one of the most aggressive states in the country in protecting personal data, following the epidemic of corporate data breaches and identity theft in the state, including the 2006 theft of 45 million credit card numbers from Framingham, MA-based TJX and the debit card servers owned by the Hannaford Supermarket chain.

Is your business in compliance with the new law?

  • You must have a comprehensive written information security program (“WISP”) that reflects (1) the size, scope and type of business; (2) the amount of resources available to the business; (3) the amount of stored information maintained by the business; and (4) the sensitivity of the information.
  • The WISP should protect personal information in both paper and electronic forms.
  • There need to be protocols in place to evaluate the WISP, to discipline employees who violate the WISP and to ensure that terminated employees are prevented from accessing personal information.
  • Reasonable steps must be taken to ensure that all third-party vendors associated with your business are protecting personal information.

Are there any penalties for failing to comply?

If your business is not in compliance with the new regulations and a breach occurs, the company could be susceptible to fines ranging from $5,000 to $50,000. Additionally, Chapter 93H authorizes the Massachusetts Attorney General to remedy a violation of the statute by bringing an action under M.G.L. c. 93A, which prohibits unfair and deceptive business practices. Chapter 93A provides for civil penalties, awards of multiple damages and attorneys’ fees. Therefore, failure to comply with the new regulation could have serious consequences.

Conclusion

As many experts projected, most companies survived the new regulation unscathed since many of the provisions of the data security law are basic industry standards that have long been required.  However, this does not mean that you can ignore the new regulation. Companies need to make sure that they have taken all steps necessary to come into compliance.