Massachusetts General Laws Chapter 93H (MGL 93H) requires anyone who owns or licenses the personal information of a Massachusetts resident to safeguard it against unauthorized access and identity theft. The implementing regulation, 201 CMR 17.00, sets out the specific requirements. The regulation took effect on March 1, 2010 and applies to nearly all Massachusetts businesses, non-profits, and universities, as well as to many out-of-state organizations with customers in Massachusetts. Personal Data Compliance helps businesses create a roadmap of the measures they must take to comply with the regulation.
Under the law, personal information means a resident's first name (or first initial) and last name in combination with a Social Security number, a driver's license number, or a financial account number such as a credit or debit card number. Federal regulations require any employer to keep W-2 and I-9 forms, which contain exactly this kind of data, so every Massachusetts organization with employees is subject to the regulation. Many out-of-state organizations must comply as well, including internet retailers with Massachusetts customers and third-party service providers that handle the personal information of Massachusetts residents. The regulation is sweeping and far-reaching. Every organization must take compliance seriously: a breach may result in enforcement action by the Attorney General, including financial penalties, as well as civil liability, contractual exposure, and even the loss of insurance coverage.
1. Each organization holding personal information must designate a Data Security Coordinator, responsible for implementing and maintaining a Written Information Security Plan (WISP).
2. Create the WISP. The plan must inventory the personal information the organization holds (what it is, where it is stored, and who has access) and assess the internal and external risks to it. It must also address policies on disciplinary measures, terminated employees, third-party service providers, and physical and off-premises access.
3. Maintain and monitor the plan to confirm it is working as intended, including employee training, awareness, and accountability.
4. Review the WISP at least annually, or whenever there is a material change in business practices, and update it to cover new risks.