Intellectual Property and Technology
Alert - February 26, 2010
 
Massachusetts ID Theft Regulation Set to Take Effect on March 1, 2010: Potential Impact on Entities Across the United States
 
Maximillian J. Bodoin - Boston
Ieuan Mahony - Boston

On March 1, 2010, the Office of Consumer Affairs and Business Regulation is scheduled to begin enforcing the new Massachusetts identity theft regulation, also known as 201 CMR 17.00 (“Regulation 201”). Regulation 201 establishes standards for the protection of personal information of Massachusetts residents.

What Does Regulation 201 Cover?

Regulation 201 requires individuals, corporations, associations, partnerships and other legal entities (but generally excluding governmental organizations) that possess “personal information” about Massachusetts citizens to develop, implement and maintain a comprehensive written information security program. The scope of Regulation 201 is broad: compliance is triggered by the records an entity holds, not by the location of the covered entity. For example, a California company would need to comply with Regulation 201 if it held records containing personal information about Massachusetts residents.

Regulation 201 sets out specific measures that covered entities must take to be in compliance. In addition to creating a written program, entities are obligated to:

      • designate personnel with responsibility for the program
      • assess the existing security measures designed to protect records containing personal information of Massachusetts residents and improve measures where foreseeable risks have been identified
      • obtain contractual assurances from third parties that are given relevant records by the covered entity (for example, an outside payroll company)
      • implement physical and electronic security measures to protect the confidentiality and integrity of relevant records including, but not limited to, technical access controls and encryption of electronic records
      • provide employee training
      • regularly review the program and revise it as necessary

Assistance in Developing and Implementing an Information Security Program

To assist covered entities in preparing and implementing an Information Security Program, Holland & Knight has developed a baseline, fixed-fee Regulation 201 compliance package.
