What happens elsewhere is eventually going to affect you!
Good question. Why should you care what happens in Massachusetts unless you live there? The answer is because what happens in states such as California and now Massachusetts tends to spread to other states. The breach notification law started in California has spread to almost all of the states, and similar ones are being debated across Europe and Asia. If the Massachusetts privacy laws spread like the California law, you'll want to be prepared. Let's take a closer look.
What's Happening in Massachusetts?
There's a new law officially known as "201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth." The law establishes standards for organizations that store or maintain personal information about a resident of the Commonwealth (or State) of Massachusetts. The purpose of the law is to (i) ensure the security and confidentiality of this personal information in a "manner consistent with industry standards, (ii) protect against anticipated threats or hazards to the security or integrity of the information, and (iii) protect against unauthorized access to or use of the information in a manner that creates a substantial risk of identity theft or fraud against such residents."
Massachusetts defines personal information as a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, credit card number, or debit card number--with or without any required security code, access code, personal identification number, or password--that would permit access to a resident's financial account. It does not include any information that can be lawfully obtained from publicly available information or from generally available federal, state, or local government records.
Right away you can see that this law--like the original California breach notification law--affects non-Massachusetts-based organizations. You only need the record of one Massachusetts resident in your database to be affected by this law. So what if you are affected? Or what happens if similar laws start to spread to other states or countries? Let's talk about why you should care about this law and what you'll need to do if you're affected.
Why You Should Care
While not as specific as the Payment Card Industry's (PCI's) Data Security Standards (DSS), unlike most data privacy laws--even the long-standing EU Data Protection Directive--this law dictates the use of specific protection mechanisms and other actions that should be taken to protect the private data. For example, it requires that access to private data be restricted to only "those who need such information to perform their job duties." In addition, it requires that the protection be addressed in a comprehensive manner. It demonstrates this by requiring education and training of employees on the "proper use of the computer security system and the importance of personal information security" as well as the appointment of "one or more employees to maintain the comprehensive information security program." Most laws just state the fact that data must be protected. They don't dictate how the data is to be protected.
The Cost of Non-Compliance
Beyond being the "right thing to do" to protect this data, another motivating factor for compliance with this law is the penalty risk. This law is associated with the Massachusetts breach notification law (Massachusetts General Law 93H), which allows for civil penalties to be levied.
Fortunately, you have a few months if you must comply with the Massachusetts law. The original date for compliance was January 2009, then it was moved to May 2009, and it's now set for January 1, 2010.
How SkyView Partners Can Help
SkyView Partners has performed an analysis of the Massachusetts Data Protection Law and included compliance tips as well as tips for using the SkyView products to ease the pain of compliance. If you'd like a copy, click here.