To All Firm Clients –
On March 1, 2010, Massachusetts regulation 201 CMR 17.00 went into effect. This new regulation will require anyone who collects or stores the names of Massachusetts residents in connection with their social security number, driver’s license number, or credit card or debit card number to develop and maintain a comprehensive information security program. The information security program must include technical, administrative, and physical safeguards for this sensitive information.
Most states have requirements for companies in the event of a security breach involving sensitive customer or employee information. However, Massachusetts‘ new regulation is unusual in that it requires companies to take action prior to any breach, and it is unique in the level of specificity of the requirements that it imposes. For example, among other requirements, companies that collect or store Massachusetts residents‘ sensitive information must now designate a specific employee to oversee their security program, provide ongoing employee training for their security program, take “reasonable” steps to ensure the proper use of sensitive information released to third-party service providers, and, notably, meet very specific computer system security technical requirements such as the use of data-encryption technology and secure user authentication protocols.
It remains to be seen how vigorous or aggressive Massachusetts will be in enforcing these new regulatory requirements. However, clients who are concerned with potential compliance issues under this new regulation should contact the firm immediately, as most of the new compliance requirements are already in effect. Clients seeking additional information or guidance should contact Michael Donahue at firstname.lastname@example.org or 703-714-1319.