Massachusetts To Implement Far-Reaching Law To Protect Personal Data

by Barry A. Guryan

May 2009

The Commonwealth of Massachusetts has recently issued regulations regarding a new "Data Protection" law, entitled, Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 CMR 17:00.

This regulation is effective January 1, 2010.

Issued by the Office of Consumer Affairs and Business Regulations (OCABR) and enforced by the Massachusetts Attorney General, the regulation requires: (1) the implementation of a security program (which goes beyond merely addressing the IT aspects); (2) the protection of retained covered data and/or the encryption of transferred covered data; and (3) the continual monitoring (and, when necessary, re-tooling) of that security program.

The regulation is far-reaching in terms of both the entities that must comply and the data that it covers.

Who is Covered

The regulation applies to "all persons who own, license, store or maintain" (either paper or electronic) covered data about a resident of the Commonwealth.

This means that any company that transacts with a Massachusetts resident (i.e., as customers, such as by taking a credit or debit card transaction and either retaining on a computer or transmitting that data to a third party) or that employs a Massachusetts resident (due to existence of the information contained in employee records, especially where those records are shared with outside accountants, payroll firms, etc.) is covered by the regulation.

There is no exemption based on industry or the size of the company.

Covered Data

The personal data covered by this regulation is any non-public data, irrespective of how the company obtained the information, that contains:

(1) A Massachusetts resident's first and last name or an initial with last name; and

(2) Either (a) Social Security Number; (b) Driver's license number/state-issued identification card number; or (c) financial account number/credit card number/debit card number, even if without any security code, access code, PIN or password.


Generally, a company is under an obligation to implement a comprehensive written information security program that is reasonably consistent with industry standards. The company must put various safeguards (administrative, technical, and physical) in place to protect the personal data of employees and customers. Further, all employees of the business are to be made aware of this written program. As to the specific measures necessary to be in compliance, a given company's obligations will vary on a case by case basis depending upon the nature of the business and the type of data involved.

Compliance will require more than merely drafting a written program. The regulation requires, for example, that at least one employee is designated to maintain the comprehensive information security program. Further, it requires ongoing employee training (including temporary and contract employee), ensuring employee compliance, developing security policies for employees (including determining individual levels of access), imposing disciplinary measures for violations of the security program rules, and preventing terminated employees from gaining access.

In addition, reasonable steps must be taken to verify that any third-party service provider with access to personal information has the capacity to protect such information, as well as taking steps to ensure that such third-party service provider is applying such personal information protective security measures. This may require obtaining written assurances from such third-party providers.

Penalties For Non-Compliance

This regulation is enforced by the Massachusetts Attorney General's Office. A company found to be in non-compliance may be subject to: (1) an action to enjoin the conduct found to be in violation; (2) a fine payable to the state of up to $5,000 per "method, act or practice" that the business knew or should have known violated the regulations; and (3) the imposition of costs associated with any litigation, including reasonable attorney's fees.

For more information about this Client Alert, please contact: