Tax Article - The Protection of Personal Information of Residents in Massachusetts Effective January 1, 2009

In August of last year, Governor Patrick signed a comprehensive data security bill to protect against identity theft. It takes effect on January 1, 2009, just under two months away. Any person or business that owns, licenses, stores or maintains personal information about a resident of Massachusetts will be required to comply with certain standards for the protection of that information.

The provisions of M.G.L. c. 93H establish minimum standards to be met in safeguarding personal information contained in both paper and electronic records. Personal information is defined by the regulation as:

“[A] Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.”

Since nearly every employer within Massachusetts holds personal information about at least one Massachusetts resident, the majority of businesses will have to comply. Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information. The program should designate one or more employees to maintain it, and should document and mitigate any reasonably foreseeable risks of unwarranted access (for example, by third-party service providers or terminated employees).

Furthermore, any computer system that holds such records must include the following elements in its security system:

  • Secure user authentication protocols including:
    • control of user IDs and other identifiers
    • a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices
    • control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect
    • restricting access to active users and active user accounts only; and
    • blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
  • Secure access control measures that:
    • restrict access to records and files containing personal information to those who need such information to perform their job duties
    • assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
  • To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly.
  • Reasonable monitoring of systems, for unauthorized use of or access to personal information;
  • Encryption of all personal information stored on laptops or other portable devices;
  • For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
  • Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
  • Education and training of employees on the proper use of the computer security system and the importance of personal information security.
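The following Python module is an added illustration of three of the listed authentication and access-control elements (unique user identifiers, passwords that are not vendor-supplied defaults, and blocking access after multiple unsuccessful attempts). It is not part of the article or of the regulation; the default-password list, the failure threshold of 5 and the 15-minute lockout window are assumed policy values chosen for the example.

```python
"""Minimal authentication gatekeeper illustrating three 201 CMR 17-style
controls: unique user IDs, rejection of vendor-default passwords, and
account lockout after repeated failed attempts. Example code only."""
from dataclasses import dataclass
import hashlib
import hmac
import os
import time

# Constructed sample of vendor-default passwords; a real deployment would
# maintain its own list drawn from the products it actually uses.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default", "12345"}

MAX_FAILURES = 5         # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 900    # assumed policy: 15-minute lockout window


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 so stored secrets do not reveal the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    active: bool = True        # only active users may authenticate
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class AuthStore:
    def __init__(self):
        self.accounts = {}

    def create_account(self, user_id, password):
        """Each person gets a unique identifier and a non-default password."""
        if user_id in self.accounts:
            raise ValueError("user id must be unique")
        if password.lower() in DEFAULT_PASSWORDS:
            raise ValueError("vendor default passwords are not permitted")
        salt, digest = hash_password(password)
        self.accounts[user_id] = Account(user_id, salt, digest)

    def deactivate(self, user_id):
        """Terminated employees lose access; the record is kept for audit."""
        self.accounts[user_id].active = False

    def login(self, user_id, password, now=None):
        """Returns 'ok', 'denied' or 'locked'. `now` is injectable for tests."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user_id)
        if acct is None or not acct.active:
            return "denied"
        if now < acct.locked_until:
            return "locked"
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            # Block further access to this identifier for the lockout window.
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "denied"
```

The `login` result should also be written to an audit log so the "reasonable monitoring of systems" element is satisfied; the module leaves that to the caller so the lockout logic stays easy to read.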

Also, it is very important that your employees' laptops do not contain any personal information whose loss would constitute a breach under this law if the laptop were lost or stolen.


Please contact Feeley & Driscoll's Massachusetts tax experts by email or call us at 1 (888) 875-9770.
