Deadline for Massachusetts' “Written Information Security Program” looms
As of 1 March 2010, Massachusetts will require that all Massachusetts companies — and even companies operating outside the Commonwealth, but which do business in Massachusetts — to implement stringent personal data privacy law, the data protections pertain to not just electronically stored and transmitted information but also hard copy formats
Two months ago we reported that on 1 March 2010, 201 Massachusetts’s CMR 17.00 will go into effect and businesses across the United States will need to be in compliance. The stringent personal data privacy law requires that even companies operating outside the Commonwealth, but which do business in Massachusetts, must be in compliance. The data protections pertain to not just electronically stored and transmitted information but also hard copy formats (“New Massachusetts Law Affects Data Privacy,” 21 December 2009 HSNW).
Partridge Snow & Hahn LLP reminds companies that they should ask themselves whether or not their “Written Information Security Program” is ready for the 1 March 2010 Deadline. Michael A. Gamboli Esq. writes that Massachusetts General Laws Chapter 93H requires every company that maintains or stores personal information (“PI”) of a resident of the Commonwealth of Massachusetts to provide extensive notification to authorities if PI is ever compromised. In order to prevent PI from ever being compromised, new regulations promulgated under this statute now require companies to develop, implement and maintain a comprehensive “Written Information Security Program” (“Program”) to protect PI. The deadline for putting a Program in place is 1 March 2010. “The level of detail required of a Program is generally considered excessive, which likely accounts for the fact that the deadline for compliance has been extended three times. However, further extension of the March 1, 2010 deadline is not anticipated,” Gamboli writes.