Are you aware of the Massachusetts Data Protection regulations? You should be. Even if you are located outside of the Commonwealth of Massachusetts, you are subject to the regulations if your company owns, stores or licenses personal information about a resident of the Commonwealth. The regulations, which have been in effect since March 1, 2010, were filed by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) in order to protect “the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.” The regulations have been seen as among the strictest data protection laws in the country.
As of September 2011, more than 1,800 data breaches affecting Massachusetts residents, involving companies both inside and outside of Massachusetts, had been brought to the attention of the Massachusetts Attorney General through its receipt of notices of data breaches. Additional breaches surely have occurred since then. At least three breach-related enforcement actions have been reported by the Attorney General’s office.
Does your business own, store or license personal information?
If you have any customers from Massachusetts, you probably do. “Personal information” is defined broadly as a person’s first and last name (or first initial and last name) in combination with any of the following: (a) Social Security number, (b) driver’s license or state-issued identification card number, or (c) financial account number, credit card number or debit card number or similar information, with or without any security code, access code, personal information number or password that would permit access to the resident’s financial account, other than publicly available information.
The definition of “owns or licenses” covers any person who “receives, stores, maintains, possesses, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.”
Given the broad nature of these two definitions, it is likely that if you have any customers from Massachusetts, you are subject to the regulations.
What can you do?
The requirements under the regulations can be confusing for retailers. In order to assist retailers and other companies, OCABR has published a checklist for compliance. While the document is not all inclusive, it provides retailers with a starting point in considering the types of data security plans and policies they might need in light of the Massachusetts regulations.