Wednesday, April 28, 2010

New Massachusetts data security law

Have you heard about Massachusetts law 201 CMR 17.00? It went into effect on March 1, 2010, but seems to have flown under most of the reporting radars. If you store personally identifiable information (PII) about a Massachusetts resident, it affects you. It doesn't matter where you live. Here is how the law defines personal information:
A Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
If you do store this information, get ready for some fun. The information must be encrypted end to end during transmission and even when at rest. If you store the information on a portable device, the whole device must be encrypted. You must file a written statement with the Massachusetts state government stating that you have a plan for dealing with information security. You don't have to file the plan itself, just the statement.

The fines associated with this law are massive. Someone steals a laptop with unencrypted data on 200 residents: that'll be $1,000,000, please. If you are discovered to be passing PII in clear text, that will cost $5,000 per resident's information exposed. Write down a Massachusetts resident's PII and don't shred it -- that's $5,000, too.

I will readily concede a lot of this is common sense, but some of it will be onerous for a small business to implement.

  1. "I will readily concede a lot of this is common sense, but some of it will be onerous for a small business to implement."

    To paraphrase Hillary Clinton from 1994: The Commonwealth of Massachusetts can't be responsible for every undercapitalized small business in America.

    Seriously though, if a company in Oregon accepts an online job application from someone in Massachusetts, that company is obligated to file a written statement with the Massachusetts state government? Good luck with enforcing that.

  2. Considering the only companies they'll be able to enforce this with are those in Mass., this sounds like another winner for the Massachusetts economy.

    Did anybody ever stop to think that this wouldn't be needed if the federal government didn't *require* SSN for so many industries to comply with various *other* regulations?