M.G.L. c. 93H
On October 31, 2007, the Massachusetts General Law was amended to add Chapter 93H (“Security Breaches”). This law charged the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) with developing and enforcing regulations to prevent the disclosure of personal information on residents of the commonwealth by businesses to unauthorized people. This law came about in part as a reaction to high-profile breaches of security such as the one in which credit and debit card numbers of more than 45 million customers of TJX (the parent company of such retailers as T.J. Maxx and Marshall’s) were stolen due to insufficient protections on the company’s data.
201 CMR 17.00
These regulations, developed by the Office of Consumer Affairs as required by M.G.L. c. 93H, have been published in the Code of Massachusetts Regulations as 201 CMR 17.00. The regulations present specific legal definitions of terms such as “personal information”; establish a minimum set of procedures that businesses must follow to protect personal information; require that businesses disclose any breaches of security that they become aware of; and create stiff financial penalties for failure to comply.
The regulation defines “personal information” as the name of a Massachusetts resident (first and last name, or first initial and last name) in combination with one of the following identifying numbers: Social Security number, driver’s license number, or financial account number (such as a bank account or credit card number). This regulation, arguably the most aggressive in the country, will require almost all businesses to make changes to their technology infrastructure and business practices.
The original deadline for companies to comply with the new regulation was January 1, 2009. In response to feedback from the business community about the far-reaching nature of the regulation and the difficulty of complying, the OCABR has extended the deadline for companies to become compliant several times. Currently, all companies must be compliant by March 1, 2010.
Computer system security requirements
Section 17.04 of the regulation (“Computer System Security Requirements”) establishes specific requirements for the protection of personal information stored electronically. Atlas Technology Consulting provides many services to help clients like you improve your technology infrastructure to move towards compliance with this section of the regulation.