Protecting Personal Data: Comprehensive Information Security Programs

You better have better data security than this!

We discussed in a previous article the growing concern among State and Federal lawmakers regarding protection of data.  More specifically, protection of consumer’s personal information.  This issue was escalated to the forefront of compliance practitioners and consultants with the implementation of a Massachusetts regulation (201 CMR 17.00), acknowledged to be the strictest rules on data security in the United States (so far).  The regulations and related laws are available for download in their entirety at no cost or obligation at the White Space Resource Center under “Privacy Laws and Regulations.”  As most businesses will have to address data security and protection of personal information, it is worth taking a closer look at the Massachusetts regulations.

The regulation, entitled Standards For the Protection of Personal Information of Residents of the Commonwealth, is divided into five sections.  This series of articles will analyze each of these sections.

Section 17.01 – Purpose and Scope

The regulation implements the provisions of the Massachusetts Consumer Protection Statute, Massachusetts General Law Chapter 93H.  The law applies to “persons who own or license personal information about a resident of the Commonwealth of Massachusetts.”  This means that no matter where your business might be located, if you own or use personal information about any resident of Massachusetts, you must comply with the law.  The law’s stated purpose is to provide a minimum standard for the protection personal data.  The law is intended to protect against the “unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.”

The most important take-away for this section is that any business that owns or licenses data related to a Massachusetts resident is required to comply with the regulation.