New Massachusetts Law Protecting Personal Information Goes Into Effect March 1, 2010


Massachusetts is allowing until March 1, 2010 for businesses and organizations to comply with 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth. This sweeping new data privacy law has far-reaching implications for businesses located in Massachusetts or that provide services to Massachusetts residents.

What are the key requirements?

The Massachusetts law is the first in the nation to require specific technology when protecting personal information. Both "data at rest" and "data in transit" over a public network, such as the Internet, that contain personal information must be encrypted.

Personal information is defined as a Massachusetts resident's name in combination with one of the following – with or without a security code, access code, PIN, or password that would permit access to a resident’s financial account:
  • Social Security number
  • Driver's license number or state-issued identification card number
  • Financial account number or credit/debit card number

What organizations are impacted?

This new legislation affects all organizations that own or license personal information of Massachusetts residents — regardless of the size or location of the business. Organizations must also require, and oversee, that third-party service providers with access to personal information comply with the new law. Organizations affected include:
  • Businesses that track customers by account numbers (such as healthcare institutions and related vendors)
  • Retailers that accept credit cards for purchases by Massachusetts customers
  • Financial institutions (such as banks, insurers, or brokerages) with customers residing in Massachusetts
  • Companies with branch offices located in Massachusetts

For specific details on 201 CMR 17.00, please click here. If you'd like to discuss insurance protection for cybersecurity issues with us, please contact us.