Learn how this law impacts you—even if you don’t work in Massachusetts.
If you’ve heard of the Massachusetts Privacy Law, your first reaction may be: “I don’t work in Massachusetts, so why should I care?”
The answer is simple: because you can’t afford not to! The Massachusetts Privacy Law—201 CMR 17.00, sometimes known as the Massachusetts Data Protection Law or simply the Mass. Law—is an important piece of state legislation that has an impact far beyond the borders of the state of Massachusetts. The Mass. Law is designed to protect the personal information of Massachusetts citizens—no matter where that information is held. Therefore, the law applies to Massachusetts businesses and to individuals and businesses that own, license, store, or maintain personal information about citizens of Massachusetts.
The intent of the law is to prevent personal information from being compromised in the first place and to establish reporting protocols in the event of a breach. The Mass. Law differs from earlier privacy and data security legislation because it mandates encryption of PII, requires the reporting of breaches, and imposes higher penalties for non-compliance, including severe financial penalties for each violation.
Features of the Mass. Law
The kind of personal information protected by the Mass. Law includes credit card numbers, social security numbers, financial account numbers, and state-issued identification numbers. Working with any personal data of Massachusetts residents requires a higher level of security and carries higher penalties for non-compliance.
Did You Know?
According to the Massachusetts General Law, Chapter 93I, a fine of up to $50,000 can be assessed for each instance of improper data disposal.
The law requires that organizations encrypt all personal information travelling across public networks whenever it is “technically feasible.” If it is not technically feasible to encrypt the data, it should not be sent in an e-mail. It also requires that organizations encrypt all personal information contained on laptops and other portable devices.
If an information breach occurs, and no prescribed information security efforts were in place, organizations may be subject to both criminal and civil penalties.
You can help protect our organization and customers from a security breach by:
- Reporting a breach when you know of one.
- Staying alert to social engineering techniques.
- Being vigilant about physical access.
- Recognizing the signs of malware.
- Following our organization’s privacy and document destruction policies.