Top 5 Points Employers Need to Know About Data Security


With the Massachusetts Data Security Breach Law looming, many businesses are still unsure of exactly how the new law could impact their organization.  Telamon Insurance & Financial Network has compiled the top five questions and concerns we are hearing from our clients and friends, accompanied by some details to help explain each one.

1. What is the Massachusetts Data Security Breach Law?

The Massachusetts Data Security Breach Law goes into effect March 1, 2010.  The law holds businesses to a higher standard regarding the protection of Massachusetts residents’ personal information.  Businesses that own, license, store or maintain “personal information” about Massachusetts citizens must comply.  The regulations are not explicitly limited to companies doing business in Massachusetts; if any personal information of Massachusetts residents is being collected, stored or maintained, these regulations apply.

2. What is Considered “Personal Information”?

Under the law, “personal information” that must be protected includes a person’s first and last name, or first initial and last name, combined with any of the following:
•    a complete Social Security number
•    a driver’s license or other state-issued identification number, or
•    a complete credit card, debit card or financial account number.
This encompasses a wide variety of business records: employee, personnel, client, customer and investor records as well as supplier, vendor, patient, medical and student records.

3. How Should Personal Information be Handled?

Massachusetts General Laws Chapter 93I requires each agency or person to meet the following minimum standards for proper disposal of records containing personal information:

(a) paper documents containing personal information shall be either burned, pulverized or shredded so that personal data cannot practicably be read or reconstructed; and
(b) electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.

4. What Happens if a Business is Not in Compliance?

The Massachusetts Attorney General can file suit against the company after a breach if it is determined that the law has not been followed.

Penalties include:
•    Injunction, restitution, civil penalties, and payment of the cost of the investigation and litigation, including attorneys’ fees.
•    Civil penalties of $5,000.
•    For improper data disposal, businesses can be subject to a fine of up to $50,000 for each instance of improper disposal.
•    Damage to a company’s reputation in the marketplace, as well as the time and resources required to determine the cause and extent of a breach, notify affected individuals, and implement corrective action to prevent a future breach.

5. Steps to Take When Checking Compliance

•    Identify Sensitive Data
•    Develop the Company’s Data Security Policy (Use the WISP Guideline) and Include HIPAA Information
•    Identify What To Do If There Is A Breach
•    Provide Training to Employees & Managers
•    Revise New Hire Orientation & New Manager’s Training
•    Insurance – Do You Have Proper Coverage to Protect Your Organization?

For additional information or assistance with your organization’s data security, please contact

Lauren Brenner, President, HR Division, at 617-614-1271.