August 1, 2014
by John E. Ottaviani
Partridge Snow & Hahn, LLP – USFN Member (Massachusetts)
The data breaches that Target, Michael’s, Neiman Marcus, and other large companies have suffered gained a great deal of attention in the media. These public and costly embarrassments serve as reminders that all businesses should have a comprehensive information security policy and should closely monitor their servers and third-party data interfaces for potential breaches.
Since 2010, Massachusetts has had one of the country’s strictest data security laws. What many companies fail to realize, however, is that the Massachusetts rules apply to businesses located outside of Massachusetts. Any business (wherever located) that has one or more employees or customers who live in Massachusetts is most likely subject to the Massachusetts data security requirements and must have an information security program. If pending federal legislation is passed, even more businesses will be required to adopt similar information security programs.
Currently, any person or business that owns, stores, or maintains personal information about a Massachusetts resident is required to: (a) develop, implement, and maintain a comprehensive, written information security program; (b) implement physical, administrative, and extensive technical security controls, including the use of encryption; and (c) verify that any third-party service providers that have access to this personal information can protect the information. “Personal information” can be as little as a first name, last name, and the last four digits of a social security number, credit card number, or bank account number of a Massachusetts resident.
There are several reasons why it is important that all businesses — even those not specifically covered by the Massachusetts data security requirements — prepare and update an information security policy:
• Information security policies help to reduce the risk of liability and adverse publicity should a data breach occur. The Massachusetts attorney general has pursued and obtained six-figure civil judgments for violations of the requirements.
• As mentioned above, any federal legislation that is passed is likely to be modeled after the Massachusetts requirements. Businesses not covered presently by the Massachusetts requirements should get a jump on their compliance obligations.
• Information security programs subject to the Massachusetts requirements must be reviewed at least annually — a reminder to companies that initially prepared information security policies but have not reviewed or updated those policies since 2010.
© Copyright 2014 USFN and Partridge Snow & Hahn, LLP. All rights reserved.