Intellectual Property and Technology
Alert - December 12, 2008

Businesses Must Comply With New Massachusetts Identity Theft Regulations by May 1, 2009

December 12, 2008

Ieuan Mahony - Boston

Businesses Should Start Compliance Efforts Now

To further combat identity theft, Massachusetts recently enacted broad regulations governing the use of “personal information” concerning Massachusetts residents, and set the deadline for compliance at May 1, 2009. Under these regulations, if your business stores or processes personal information concerning Massachusetts citizens, you must put in place a program to safeguard this information (a “Data Protection Program”). Your Data Protection Program must cover information in both paper-based as well as electronic form. Further components of a Data Protection Program are outlined below.

The new Massachusetts regulations are part of a considerably larger movement, on both the federal and state levels, to increase protections against identity theft. These other protections include the wide range of new state “notice of security breach” statutes (such as Massachusetts General Laws, chapter 93H), as well as the new “Red Flags Rules” issued by the Federal Trade Commission (along with five other federal agencies) that will also take effect on May 1, 2009.

Frequently Asked Questions

The following are frequently asked questions concerning the new regulations, with brief answers:

Q: Do the regulations apply to the personal information of Massachusetts residents only?

A: Yes. The regulations apply only if your business maintains personal information of Massachusetts residents, and only to the extent of the Massachusetts residents’ information. Therefore, if your business relies in part on personal information from residents of other states, and in part on personal information of Massachusetts residents, the regulations will govern only your handling of the Massachusetts residents’ information.

Attend Our Webinar

On Thursday, January 8, 2009 at 1:30 p.m. EST, Holland & Knight will provide a one-hour Webinar, to further explain these new Massachusetts regulations, outline structures for Data Protection Programs that comply and place the regulations within the wider regulatory context of protections against identity theft.

Please click on the following link to access this event:

http://www.hklaw.com/id36/EventID1084/
A core method for limiting the compliance obligations of your business is to reduce, eliminate, or segregate reliance on those components of “personal information” that fall under the “C” component of the above definition.

Q: If I operate my business outside of Massachusetts, do the regulations apply?

A: Perhaps. If your business relies on personal information of Massachusetts residents, the regulations state that they will apply, irrespective of where your business resides.

Q: Assuming my business is covered by the regulations, what should my Data Protection Program look like?

A: The regulations allow your business to tailor your Data Protection Program to the size, scope and type of business activities in which you engage, as well as to the available resources of your business, the amount of stored personal information your business maintains, and the need for protecting the customer and employee personal information held by your business.

With these considerations in place, a baseline Data Protection Program should include the following:

(i) a designee responsible for the program;

(ii) an assessment of the risk of identity theft concerning Massachusetts residents’ personal information, based on the business’ then-current safeguards, employee training, intrusion detection systems, and related protections;

(iii) an identification of areas (including network-based, local drive-based and paper-based areas) where your business stores personal information;

(iv) safeguards with respect to third parties’ access to personal information;

(v) physical and technical access controls to protect personal information in your business location, on your network and on the portable devices of your employees;

(vi) appropriate employee training;

(vii) annual reviews of your safeguards;

(viii) documentation concerning actions your business took in response to security incidents; and

(ix) procedures to encrypt personal information that you transmit outside your organization.
For more information on the Massachusetts regulations, you may attend the Webinar described above, or contact:

Ieuan G. Mahony

617.573.5835
ieuan.mahony@hklaw.com
toll free: 1.888.688.8500