
Massachusetts Data Protection Law 201 CMR 17.00

February 24th, 2010 rfernandez

Next week, March 1, 2010, Massachusetts will implement the most stringent data protection law in the nation.

Massachusetts Data Protection Law 201 CMR 17.00 will require businesses engaged in commerce to adopt written security policies and to encrypt the personal data of any Massachusetts resident that is stored or transmitted over the Internet or wirelessly. Personal information means a combination of a customer's or employee's name and their Social Security, bank account or credit card number. The key point of this new law is that, regardless of where your business is located or operates, if you handle or store the personal information of any Massachusetts resident, you are legally obligated to protect that information.

This is the first data privacy law that allows a court to impose a $5,000 civil penalty for each violation. If a "violation" is interpreted by a judge to mean the unauthorized access to a single individual's personal information, the potential damages could be enormous. In addition to fines, failure to comply may expose your company to expensive audits and costly civil litigation.

If your organization owns or licenses personal information, then you need to ensure that this information is neither transmitted nor stored in clear text.

Check out the Boston Herald article, “State to firms: Protect data”.