Compensation Solutions Blog
Human Resources Outsourcing (HRO – PEO – ASO – Payroll – Agency)

The Massachusetts Identity Theft/Data Security Regulations Effective March 1, 2010

Massachusetts updated its identity theft policy requirements, effective March 1, 2010. 

The rule applies to all businesses in the Commonwealth that collect and retain personal information in connection with the provision of goods and services or for the purposes of employment. All policies must be in writing, but the scope and complexity of each policy depend on the nature and scope of the business. Employees must be trained on what they need to do to protect confidential information.

The updates to the legislation cover four (4) areas:

  1. The rule adopts a risk-based approach. Businesses are required to establish a written security program that takes into account the particular business's size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security. This is particularly important for small businesses, which typically do not handle or store large amounts of personal and confidential information.
  2. Items that had previously been required elements of a policy have been removed from the requirements and should now be used as guidance only.
  3. The encryption requirement has been changed to be technology neutral, and a technical feasibility standard has been applied to all computer security requirements.
  4. The third-party vendor requirements have been changed to be consistent with Federal law.

The statute can be found at http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf, and FAQs can be found at http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf.