Intellectual Property and Technology
Alert - December 12, 2008

Businesses Must Comply With New Massachusetts Identity Theft Regulations by May 1, 2009

Ieuan Mahony - Boston

Businesses Should Start Compliance Efforts Now

To further combat identity theft, Massachusetts recently enacted broad regulations governing the use of “personal information” concerning Massachusetts residents, and set the deadline for compliance at May 1, 2009. Under these regulations, if your business stores or processes personal information concerning Massachusetts citizens, you must put in place a program to safeguard this information (a “Data Protection Program”). Your Data Protection Program must cover information in both paper-based as well as electronic form. Further components of a Data Protection Program are outlined below.

The new Massachusetts regulations are part of a considerably larger movement, on both the federal and state levels, to increase protections against identity theft. These other protections include the wide range of new state “notice of security breach” statutes (such as Massachusetts General Laws, chapter 93H), as well as the new “Red Flags Rules” issued by the Federal Trade Commission (along with five other federal agencies) that will also take effect on May 1, 2009.

Frequently Asked Questions

The following are frequently asked questions concerning the new regulations and brief answers:

Q: Do the regulations apply to the personal information of Massachusetts residents only?

A: Yes. The regulations apply only if your business maintains personal information of Massachusetts residents, and only to the extent of the Massachusetts residents’ information. Therefore, if your business relies in part on personal information from residents of other states, and in part on personal information of Massachusetts residents, the regulations will govern only your handling of the Massachusetts residents’ information.

Attend Our Webinar

On Thursday, January 8, 2009 at 1:30 p.m. EST, Holland & Knight will provide a one-hour Webinar to further explain these new Massachusetts regulations, outline structures for Data Protection Programs that comply, and place the regulations within the wider regulatory context of protections against identity theft.

Please click on the following link to access this event:

http://www.hklaw.com/id36/EventID1084/

A core method for limiting the compliance obligations of your business is to reduce, eliminate, or segregate reliance on those components of “personal information” that fall under the “C” component of the above definition.

Q: If I operate my business outside of Massachusetts, do the regulations apply?

A: Perhaps. If your business relies on personal information of Massachusetts residents, the regulations state that they will apply, irrespective of where your business resides.

Q: Assuming my business is covered by the regulations, what should my Data Protection Program look like?

A: The regulations allow your business to tailor your Data Protection Program to the size, scope and type of business activities in which you engage, as well as to the available resources of your business, the amount of stored personal information your business maintains, and the need for protecting the customer and employee personal information held by your business.

With these considerations in place, a baseline Data Protection Program should include the following: (i) a designee responsible for the program; (ii) an assessment of the risk of identity theft concerning Massachusetts residents’ personal information based on the business’ then-current safeguards, employee training, intrusion detection systems, and related protections; (iii) an identification of areas (including network-based, local drive-based and paper-based areas) where your business stores personal information; (iv) safeguards with respect to third parties’ access to personal information; (v) physical and technical access controls to protect personal information in your business location, on your network and on the portable devices of your employees; (vi) appropriate employee training; (vii) annual reviews of your safeguards; and (viii) documentation concerning actions your business took in response to security incidents. Finally, (ix) your Data Protection Program should include procedures to encrypt personal information that you transmit outside your organization.

For more information on the Massachusetts regulations, you may attend the Webinar described above, or contact:

Ieuan G. Mahony

617.573.5835
ieuan.mahony@hklaw.com
toll free: 1.888.688.8500
