Tough New Massachusetts Regulation Takes Effect Monday, March 1, 2010
On Monday, MA 201 CMR 17.00, which protects personal information collected from consumers, will take effect in Massachusetts. The new rules are meant to ensure the security and confidentiality of personal information, to protect against anticipated threats to the security or integrity of such information, and to safeguard against unauthorized access to and use of personal information in a manner that creates a substantial risk of identity theft or fraud.
The rules were set to take effect in January, but implementation was delayed to give businesses more time to get ready. Under the rules that take effect Monday, any institution that holds personal data about residents of Massachusetts must create a written policy for protecting the data, and must train employees to follow the rules. In addition, organizations must encrypt any personal information – scrambling files to conceal their content – when it is transmitted over the Internet or a wireless data network. Data must also be encrypted when it’s stored on portable devices like laptops or thumb drives, to defend against identity theft if the devices are lost or stolen.
Regardless of physical location, any organization that owns, licenses, stores or maintains personal information about a resident of the state is expected to have a data security plan in place. Any organization that meets these criteria is also expected to verify that its third-party service providers employ appropriate safeguards for personal information.
A preexisting law, enacted in 2007, requires institutions to inform state regulators if they suffer a loss of data that could result in identity theft. Organizations that fail to comply with the new regulations, and which suffer such a data breach, can be fined up to $5,000 for each violation.
Tags: consumer data, data security, data security legislation