
On March 1, 2010, a new Massachusetts data security regulation (201 CMR 17.00, issued under the state's identity theft law) designed to protect personal information becomes effective. The regulation is among the most far-reaching data security requirements in the country: it applies to any organization, for-profit or nonprofit, located in Massachusetts or not, that collects and maintains personal information about Massachusetts residents. There are no exceptions for small organizations.

As a business owner or manager, here’s what you need to know.

First, the law defines personal information as:

a Massachusetts resident's first name and last name, or first initial and last name, in combination with any one or more of the following data elements relating to that resident:

  • Social Security number
  • driver’s license number or state-issued identification card
  • financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to the resident's financial account.

Second, if you collect and hold personal information, here’s what the law requires you to do:

A written information security program must be developed, implemented and maintained. Within the program, one or more employees must be designated to oversee it.

All employees must receive data security training. Compliant access, storage, and transportation of personal information must be understood by everyone in the organization. A plan must also be in place to deal with security violations.

Personal information stored or transmitted electronically must be protected by secure user authentication and access controls (unique user IDs, properly managed passwords or other authenticators, access limited to those who need it), by reasonably up-to-date patches and anti-malware software, and by firewall protection on systems connected to the Internet. Personal information transmitted across public networks or wirelessly, and personal information stored on laptops or other portable devices, must be encrypted to the extent technically feasible.

The business owner must take all reasonable steps to select and retain third-party service providers that are capable of adequately protecting personal information, and must require them by contract to actually apply appropriate security measures.

Reasonably foreseeable internal and external security risks must be identified and assessed, and the effectiveness of the safeguards must be monitored and reviewed at least annually. Any security incident involving personal information must be documented, along with the organization's response, and any necessary changes to the security program must be implemented as soon as possible.

The financial consequences of a security breach can be significant. Sullivan, Garrity & Donnelly offers insurance coverage from three different carriers to protect your data security liability. Chubb's CyberSecurity program is an example of the type of coverage available; Chubb also publishes a CyberSecurity e-brochure and fact sheet describing the program.

For more information on how to manage data security risk, contact Kerry O'Keefe at 781-383-8505.