So you Want to do Business in Boston? Posted By Daniel Kaiser, Esq. on July 12, 2010
Never mind dropping your Rs, how’s your WISP?
And no, I don’t means lisp.. How’s your Written Information Security Plan?
Vigorous identity theft regulations introduced by the Massachusetts Office of Consumer Affairs and Business Regulation (201 CMR 17.00 et. seq.) requires any person or business that owns or licenses (receives, maintains, processes or accesses) personal information about a resident of the Commonwealth of Massachusetts to meet minimum standards in safeguarding that personal information—whether in paper or electronic form. Such parties must develop and implement a Written Information Security Plan to protect personal information in a manner fully consistent with industry standards and other applicable laws and regulations.
In this case “personal information” is defined as a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
So what do you need to do? A few highlights pulled from the Regulations’ obligations include:
- Write, implement, maintain and monitor a “comprehensive written information security program”;
- Appoint an Information Security Manager or committee who will help your staff carry out the Information Security Plan and audit compliance regularly;
- Provide written notification when you know or have reason to know that there has been a security breach; and
- Dispose of personal information in a manner that precludes access to or reconstruction of the documents.
While this brings a little extra in the way of administrative oversight, it’s certainly doable.. and worth it. Like Massachusetts health care reform, it’s likely a sign of things to come. Just look at the attention Facebook and Google have been enjoying, look at the fees paid to IT Security consultants, and there’s no arguing it: privacy’s stock is rising.
So check out the specific administrative, physical and electronic security measures required by the Regulations. Because if you’re not doing business in Boston now, you may be soon.. and then you’ll be wicked late!
shameless promotion: Logik complies with Massachusetts’ standards 
Post A Comment