M.G.L. 93H and Data Privacy Basics

Massachusetts has enacted one of the strictest data-privacy laws in the country, scheduled to go into effect on March 1, 2010. Any personal information that any business entity maintains or stores is subject to Massachusetts General Laws Chapter 93H, while M.G.L. 93I governs the destruction of physical and electronic documents and data. Both M.G.L. 93H and M.G.L. 93I define “personal information” as a person’s last name and either his or her first name or first initial, combined with any one of the following: a social security number; a driver’s license number or state-issued identification card number; or a financial account number, debit or credit card number, with or without any required security code, access code, personal identification number or password that would permit access to a resident’s financial account.
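The definition above is mechanical enough to encode as a data-classification check, which is useful when scoping which records a WISP must cover. The following is an added example and not part of the original post; the record field names (`last_name`, `ssn`, `account_number`, and so on) and the identifier formats are assumptions for illustration, not anything the statute prescribes.

```python
import re

# Added example: classify records against the 93H/93I definition of
# "personal information" (name prong + at least one identifier prong).
# Field names and formats below are assumed for illustration only.

# Identifier fields that, combined with a name, bring a record in scope.
# Patterns are deliberately loose format checks; state ID formats vary.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-?\d{2}-?\d{4}$"),
    "drivers_license": re.compile(r"^[A-Za-z0-9]{5,15}$"),
    "state_id": re.compile(r"^[A-Za-z0-9]{5,15}$"),
    "account_number": re.compile(r"^\d{8,19}$"),  # bank, debit or credit card
}
# Note: a security code / PIN is NOT required for a match; the definition
# covers account numbers "with or without" one, so nothing checks for it.


def has_name(record):
    """Name prong: last name plus either first name or first initial."""
    last = (record.get("last_name") or "").strip()
    first = (record.get("first_name") or record.get("first_initial") or "").strip()
    return bool(last) and bool(first)


def matched_identifiers(record):
    """Identifier prong: fields whose value matches its expected format."""
    hits = []
    for field, pattern in IDENTIFIER_PATTERNS.items():
        value = str(record.get(field) or "").strip()
        if value and pattern.match(value):
            hits.append(field)
    return hits


def is_personal_information(record):
    """True when both prongs of the definition are satisfied."""
    return has_name(record) and bool(matched_identifiers(record))


def records_in_scope(records):
    """Return only the records the WISP / encryption rules must cover."""
    return [r for r in records if is_personal_information(r)]


# Constructed sample records with fictitious values.
SAMPLE_RECORDS = [
    {"last_name": "Doe", "first_initial": "J", "ssn": "123-45-6789"},      # in scope
    {"last_name": "Doe", "first_name": "Jane", "account_number": "4111111111111111"},
    {"last_name": "Doe", "ssn": "123-45-6789"},                            # no first name
    {"last_name": "Doe", "first_name": "Jane", "email": "jane@example.com"},  # no identifier
]

if __name__ == "__main__":
    for r in records_in_scope(SAMPLE_RECORDS):
        print("in scope:", r, "via", matched_identifiers(r))
```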

Guidance for businesses’ implementation of M.G.L. 93H can be found in 201 CMR 17.00, which creates an affirmative duty on every person that “owns, stores or maintains personal information about a resident of the Commonwealth” to “develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing . . . personal information.” In determining whether such a comprehensive security program complies with M.G.L. 93H and the accompanying 201 CMR 17.00, a court will consider:
(a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program;
(b) the amount of resources available to such person;
(c) the amount of stored data;
(d) the need for security and confidentiality of both consumer and employee information.

Any business must have a written information security program (“WISP”) that establishes security policies for the firm’s computers and wireless system, and all personal information contained therein. All personal information stored on laptops or “other portable devices” must be encrypted. All records and files, including emails, containing personal information that is transmitted across public networks or wirelessly must be encrypted “[t]o the extent technically feasible.” The written security program must include plans for systems monitoring for unauthorized use, up-to-date firewall protection, and up-to-date system security software that is set up to receive regular security updates.

Authentication protocols must include a “reasonably secure method of assigning and selecting passwords.” 201 CMR 17.04(1)(b). Assigning random complex passwords to clients would be a preferable defensive strategy. Such passwords must be controlled “in a location and/or format that does not compromise the security of the data they protect.”

With that in mind, businesses should develop a policy which includes:
(a) Encryption of all emails that contain personal information.
(b) Encryption of all personal information stored on portable devices.
(c) Installation of system security agent software that is set up to receive security updates.
(d) Maintenance of firewall protection for all files on a system connected to the internet.
(e) Implementation of a termination/disciplinary policy for misuse of personal information.
(f) Education and training of employees on proper use of the computer security system and the importance of personal information security.

Attorney Trask of Kelsey & Trask, P.C. was a cryptologic materials manager in the U.S. Marines, and has experience planning and implementing encrypted communications (voice and data) networks. If you have any questions regarding M.G.L. 93H, contact us at (508) 655-5980 or click here.

Comments

  1. We have done all of the business rules for this new law, and documented everything that needed to be documented. We added a Timeline for the Guidelines to our blog. It is very informative and can be viewed at: http://blog.nskinc.com/IT-Services-Boston/bid/20014/Your-Timeline-for-Compliance-with-MGL-93H-201CMR17-00
    or

    http://nskinc.blogspot.com/2009/10/your-timeline-for-compliance-with-mgl.html

    Cathie Briggette
    NSK Inc.
