We have looked at Section One of the Massachusetts law dealing with privacy and the security of personal data. The key take-away in that section was that if you have personal information on even one Massachusetts resident, you are covered by the laws and face penalties if you are not in compliance. Also, we learned that my dog is not sufficient protection for the data you have, as vicious as he might be (he is not at all vicious, or smart). If you missed the article on Section 17.01, the link will take you right to it. Also, the laws and regulations are available free, with no registration required, at the White Space Resource Center.
Now we move on to Section 17.02, which sets out the definitions used in the regulations. This is an important part of the regulation, and any business that holds any data or personal information should familiarize itself with these definitions.
Breach of Security: The regulation defines a breach of security as the unauthorized use or acquisition of data that could compromise the “security, confidentiality or integrity of personal information” that creates a substantial risk of identity theft or fraud against a resident of Massachusetts. If the acquisition of the information is lawful and the information was acquired in good faith but not authorized, it is not a breach. An example of this might be procuring a list from a licensed list broker who represents that the data is legal and the use authorized, but in reality, the use was not authorized. In such a case, there is no breach. This is a somewhat loose definition and I am predicting that this will be the subject of litigation and judicial interpretation.
Electronic: This is a lot more straightforward. Electronic data is data stored in an electronic medium. That could be digital, magnetic, wireless, optical or the like.
Encrypted: This definition pertains to transformation of data into a form that cannot be used without the corresponding encryption key. Encrypting data, especially when transmitting it, is a good practice no matter where you are doing business.
Owns or Licenses: This definition is wide-reaching. It pertains to any person (defined below) that receives, stores, maintains, processes or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.
Person: A person is considered a natural person (like you or me) or a corporation, association, partnership or other legal entity (trust, LLC, etc.). The exception here is that agencies and offices of the Commonwealth of Massachusetts appear to be immune from these regulations.
Personal Information: This is the data that needs security and that your written comprehensive data security policy must be aimed at protecting. This data consists of the first name or first initial and the last name of a Massachusetts resident, combined with one or more of the following data elements associated with that name:
- social security number;
- driver’s license number or state issued ID number;
- financial account number, including bank or credit card numbers.
Note that personal information that is public record, such as that contained in the Registry of Deeds, is not considered confidential personal information and that data is not subject to compliance so long as it is legally available to the general public.
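To make the definition concrete, here is an added example (not from the original post or the regulation) that applies it to structured records in Python: a record is regulated only when a first name or initial plus a last name is paired with at least one listed element, and the public-record exemption removes it again. The Record fields and the identifier patterns are my own assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Constructed approximations of the identifiers the regulation lists;
# real issuer formats vary, so treat these as assumptions.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
LICENSE_RE = re.compile(r"^S\d{8}$")      # assumed license/state ID format
ACCOUNT_RE = re.compile(r"^\d{8,19}$")    # bank or card number, digits only

@dataclass
class Record:
    first_name: str = ""          # full first name or a single initial
    last_name: str = ""
    ssn: str = ""
    license_id: str = ""          # driver's license or state-issued ID number
    account: str = ""             # bank or credit card number
    public_record: bool = False   # lawfully available to the general public

def has_covered_name(r: Record) -> bool:
    # A first name or first initial must be paired with a last name.
    return bool(r.first_name.strip()) and bool(r.last_name.strip())

def covered_elements(r: Record) -> list[str]:
    # Return which of the three listed data elements are present.
    found = []
    if SSN_RE.match(r.ssn.strip()):
        found.append("ssn")
    if LICENSE_RE.match(r.license_id.strip().upper()):
        found.append("license")
    if ACCOUNT_RE.match(re.sub(r"[ -]", "", r.account)):
        found.append("account")
    return found

def is_personal_information(r: Record) -> bool:
    # Regulated only when name AND at least one element are present,
    # and the data is not public record.
    return has_covered_name(r) and bool(covered_elements(r)) and not r.public_record

# Constructed sample records (not real people).
SAMPLE = [
    Record("Jane", "Doe", ssn="123-45-6789"),
    Record("J", "Doe", account="4111 1111 1111 1111"),   # initial suffices
    Record("", "Doe", ssn="123-45-6789"),                 # no first name/initial
    Record("Jane", "Doe"),                                # name only
    Record("Jane", "Doe", license_id="S12345678", public_record=True),
]

def count_regulated(records: list[Record]) -> int:
    return sum(is_personal_information(r) for r in records)
```

Run over the constructed sample, only the first two records count as regulated personal information.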
Record or Records: Here we have another wide-reaching definition. Records can take the form of any material on which the data in question is written, drawn, spoken, imaged or otherwise recorded and preserved. So if your CRM system is a series of index cards, or cocktail napkins for that matter, it is covered and you must provide data security to remain in compliance.
Service Provider: A service provider is one who, through their provision of services to those covered under this law, receives, stores, maintains, possesses or has access to covered personal information.
So there we have a thorough review of Section 2 of the Standards For the Protection of Personal Information of Residents of the Commonwealth. Next, we will take a look at Section Three, which discusses the duty owed to protect the data and the standards for that protection. So check back often or, even better, sign up for our RSS feed or email notifications. That way, you know you will not miss a single bit of information that could lead to a violation of the law.
As always, if you have any questions, please feel free to contact us. And if you have any comments or thoughts on this subject, or a subject you would like to know more about, please leave a comment. Your input is always welcome.
DISCLAIMER: The information presented here is general in nature, does not take your jurisdiction or actual circumstances into account and therefore may not apply to your circumstances or in your jurisdiction. You should not rely on this general information as a substitute for legal advice from your attorney. This is not an attorney-client communication. You should seek individual advice from an attorney of your choosing if you require assistance in any legal or compliance matters.