Massachusetts 201 CMR 17.00: How Does it Affect You?

On March 1, 2010, the state of Massachusetts joined the ranks of other states like Nevada in enacting strict regulations for all public and private entities that store, transmit or have access to consumer personal information. Massachusetts, unlike other states, took the regulations a step further in mandating that all third party providers who do business in the state also abide by the regulations, set forth in Mass. CMR 17.00, CH 93 (http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm).

So What Does This Mean for You?

In short, it means that if you are a business located in Mass., or if you do business with, or provide services to, a business or consumer located in Mass., you are mandated by the state to take all reasonable security precautions in storing, transmitting, allowing access to, and disposing of any and all instances of personal information.

What Sort of Data Does ‘Personal Information’ Include?

Personal information is defined as a combination of name – either full first and last name, or first initial and last name – along with a Social Security number, bank account number or credit card number, or any other financial account information.

What Happens if I Don’t Comply?

While the Mass. law is somewhat unclear as to what exactly constitutes a “violation” (Is it per case, per file, per person?), the penalties and fines are substantial – up to $5,000 per violation. On top of that, the Mass. Attorney General has the authority to file suit against a company found in violation of the regulations, and can treble the damages if it’s found that there was a willful or knowing violation. The regulations even allow Mass. individual residents to possibly file suit, with fines equaling actual damages or $25, whichever is greater.

How Do the Fines Add Up?

Let’s say that you email 2 spreadsheets to a client that contain the names and Social Security numbers of 100 people. When the email is intercepted by a data thief because it wasn’t encrypted prior to transmittal, 100 people have had their personal information compromised. Here’s how the fines could add up:

$5,000 per violation – if it’s per case, $5,000. Per file, $10,000. Per person, $500,000.
Residents file suit – $25 each, $2,500. Actual damages of $100 each, $10,000.
Mass. Attorney General files suit, trebles damages – $???

So the fines and penalties for one simple email being intercepted could be anywhere from $5,000 to well over a half-million dollars – and that doesn’t include the cost of actual data breach (costs of mailing notifications, lost revenue, irate clients) Can your business afford that?

So What Do I Need to Do to Comply?

A good place to start is with the 201 CMR 17.00 Compliance Checklist (http://www.mass.gov/ocabr/docs/idtheft/compliance-checklist.pdf), published by the Mass. Office of Consumer Affairs and Business Administration as a series of questions designed to help businesses make sure they are in compliance.

In general, you need to make sure that every instance of personal information is secured at all times. You should ensure that:

• Paper records are stored in a locked area.
• Office networks are secured.
• Laptops and flash drives are encrypted.
• Data that is transmitted over the Internet, through email, on public networks, or wirelessly, is encrypted with at least 128-bit encryption.
• An “Information Security Plan” must be documented.
• A designated “captain”, or person responsible for implementing the security plan, must be identified.

Article by SHUGO.