On January 1, 2010, new regulations will become effective in Massachusetts that will require businesses, including private investment funds and investment advisers, which store personal information of Massachusetts residents to take specific steps to safeguard such information. These regulations, entitled "Standards for the Protection of Personal Information of Residents of the Commonwealth" (the "Privacy Regulations"), apply to the storage of data in paper or electronic format. Personal information is considered to be the combination of a name along with a Social Security number, bank account number, credit card number or state issued identification card number. Businesses that maintain such personal information about residents of Massachusetts will be required to implement, maintain and monitor a detailed, written information security program. Computer system security requirements include administering secure user authentication protocols, secure access control measures and firewalls and maintaining current security software. In addition, such businesses must establish and maintain a security system that, wherever technically feasible, encrypts any personal information that is stored on portable devices, transmitted wirelessly or conducted on public networks.
Massachusetts added the "technical feasibility" standard to the regulation in August to make the rule more consistent with federal law and to take reasonableness into account. Encryption is considered to be "technically feasible" if "there is a reasonable means through technology to accomplish a required result." (Frequently Asked Questions Regarding 201 CMR 17.00 http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf.) Whenever encryption is not technically feasible, best practices should be implemented to protect personal information, such as not sending emails that contain personal information.
Although the Privacy Regulations specify elements that should be incorporated into an information security program, because the regulations may be difficult for small businesses to implement to the same extent as large businesses, small businesses are permitted to tailor their programs. Factors that small businesses may consider in the implementation of their program include: (1) the size, scope and type of business; (2) the amount of available resources; (3) the amount of data stored by the business; and (4) the need for security and confidentiality of information.
Through the Privacy Regulations, Massachusetts is placing the onus on businesses to proactively prevent breaches of private data by requiring the implementation of specific data protection and compliance standards.
If you have any questions as to how the Privacy Regulations apply to your business, please do not hesitate to contact Daniel G. Viola at (212) 573-8038, dviola@sglawyers.com.