Healthcare & Life Sciences Alert - December 12, 2008

Businesses Must Comply With New Massachusetts Identity Theft Regulations by May 1, 2009

Ieuan Mahony - Boston

Businesses Should Start Compliance Efforts Now

To further combat identity theft, Massachusetts recently enacted broad regulations governing the use of “personal information” concerning Massachusetts residents, and set the deadline for compliance at May 1, 2009. Under these regulations, if your business stores or processes personal information concerning Massachusetts citizens, you must put in place a program to safeguard this information (a “Data Protection Program”). Your Data Protection Program must cover information in both paper-based and electronic form. The further components of a Data Protection Program are outlined below.

The new Massachusetts regulations are part of a considerably larger movement, on both the federal and state levels, to increase protections against identity theft. These other protections include the wide range of new state “notice of security breach” statutes (such as Massachusetts General Laws, chapter 93H), as well as the new “Red Flags Rules” issued by the Federal Trade Commission (along with five other federal agencies) that will also take effect on May 1, 2009.

Frequently Asked Questions

The following are frequently asked questions concerning the new regulations and brief answers:

Q: Do the regulations apply to the personal information of Massachusetts residents only?

A: Yes. The regulations apply only if your business maintains personal information of Massachusetts residents, and only to the extent of the Massachusetts residents’ information. Therefore, if your business relies in part on personal information from residents of other states, and in part on personal information of Massachusetts residents, the regulations will govern only your handling of the Massachusetts residents’ information.

Attend Our Webinar

On Thursday, January 8, 2009 at 1:30 p.m. EST, Holland & Knight will provide a one-hour Webinar that further explains these new Massachusetts regulations, outlines structures for Data Protection Programs that comply, and places the regulations within the wider regulatory context of protections against identity theft.

Please click on the following link to access this event:

http://www.hklaw.com/id36/EventID1084/



A core method for limiting the compliance obligations of your business is to reduce, eliminate, or segregate reliance on those components of “personal information” that fall under the “C” component of the above definition.

Q: If I operate my business outside of Massachusetts, do the regulations apply?

A: Perhaps. If your business relies on personal information of Massachusetts residents, the regulations state that they will apply, irrespective of where your business resides.

Q: Assuming my business is covered by the regulations, what should my Data Protection Program look like?

A: The regulations allow your business to tailor your Data Protection Program to the size, scope and type of business activities in which you engage, as well as to the available resources of your business, the amount of stored personal information your business maintains, and the need for protecting the customer and employee personal information held by your business.

With these considerations in place, a baseline Data Protection Program should include the following:

(i) a designee responsible for the program;
(ii) an assessment of the risk of identity theft concerning Massachusetts residents’ personal information, based on the business’s then-current safeguards, employee training, intrusion detection systems and related protections;
(iii) an identification of the areas (including network-based, local drive-based and paper-based areas) where your business stores personal information;
(iv) safeguards with respect to third parties’ access to personal information;
(v) physical and technical access controls to protect personal information at your business location, on your network and on your employees’ portable devices;
(vi) appropriate employee training;
(vii) annual reviews of your safeguards;
(viii) documentation of the actions your business took in response to security incidents; and, finally,
(ix) procedures to encrypt personal information that you transmit outside your organization.


For more information on the Massachusetts regulations, you may attend the Webinar described above, or contact:

Ieuan G. Mahony

617.573.5835
ieuan.mahony@hklaw.com
toll free: 1.888.688.8500
