Last year, in the wake of the TJ Maxx data security breach, Massachusetts enacted a data security law intended to protect residents from identity theft. The law requires businesses to give prompt notice of security breaches involving personal information. "Personal information" means a person's name together with any of his or her Social Security number, driver's license number, state identification number, financial account number, credit card number or debit card number. Because all employers hold their employees' Social Security numbers, the law applies to all employers in Massachusetts, not just those businesses, such as retailers, that collect customer information.

Recently, Massachusetts issued comprehensive regulations relating to the law, which will impose a significant compliance obligation on virtually all businesses with employees or customers in Massachusetts. The regulations impose two broad requirements. First, the regulations require every business that holds personal information to implement and maintain a comprehensive, written "information security program." While the regulations make it clear that the program should be tailored to the particular business or industry, all programs must address the following issues:

  1. Designating one or more employees as being responsible for the program;
  2. Identifying and assessing internal and external risks relating to the security of personal information and evaluating and improving safeguards, such as through employee training;
  3. Developing security policies for employees, including their use of and access to personal information outside of business premises;
  4. Imposing disciplinary measures on employees for violations of the program;
  5. Preventing terminated employees from accessing records containing personal information;
  6. Taking reasonable steps to ensure that third-party service providers with access to personal information protect such information;
  7. Limiting the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected;
  8. Identifying paper and electronic records, systems and computer equipment, including laptops and portable equipment, that contain personal information;
  9. Creating reasonable restrictions upon physical access to records containing personal information;
  10. Monitoring to ensure that the program is operating in a manner that prevents unauthorized access to or unauthorized use of personal information;
  11. Auditing the scope of security measures at least annually; and
  12. Documenting actions taken in response to any security breaches, including mandatory post-incident review of events and actions taken.

The foregoing issues establish only minimum standards, and the regulations explain that industry requirements or other laws may impose additional requirements.

Second, the regulations impose computer security requirements on all businesses that hold or transmit personal information in electronic form. Employers must control user access to their computer systems, including any wireless networks, and must limit access to records containing personal information to those who need such information to perform their job duties. Because many security breaches have involved the theft of laptop computers, the regulations require that all personal information stored on laptops or portable devices be encrypted. To the extent technically feasible, such information also should be encrypted when sent over a wireless network or across a public network. Employers also should have reasonably up-to-date firewall protections and security software in place. Finally, employers are expected to educate and train employees on the proper use of computer security systems and the importance of securing personal information.

The regulations are the most comprehensive of their kind in the United States and apply to all entities with customers or employees in Massachusetts. There are significant penalties associated with non-compliance. The Massachusetts Attorney General may bring an action under Chapter 93A (the Massachusetts consumer protection statute), which permits the imposition of significant fines, injunctive relief and attorneys' fees. Massachusetts consumers may also seek damages, which in some cases may be trebled, under Chapter 93A. The new data security regulations take effect on January 1, 2009.

All businesses that hold or transmit personal information of their customers and employees must review their existing policies and employee handbooks to ensure compliance with these new regulations. Businesses also may need to review or create training programs on these issues. We intend to hold a seminar on the new requirements in the coming weeks and to create a model program.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.