Understanding The New Massachusetts Data Protection Law

After months of defining, redefining, extending deadlines and planning, a new law in Massachusetts that affects all businesses that handle personal data of Massachusetts residents is finally about to go into effect. According to Massachusetts 201 CMR 17:

"The objectives of this regulation are to insure (sic) the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer."

The implication for businesses is clear: regardless of where your business is physically or operationally, if you handle or store the personal information of any Massachusetts resident, you are legally obligated to protect that information. Failure to comply with MA 201 CMR 17 could result in fines of up to $5,000 per violation, although "per violation" has yet to be clearly defined.

Barring any unforeseen changes, the deadline for compliance with the new law is March 1, 2010. The date has already been pushed back three times; MA 201 CMR 17 was originally scheduled to go into effect on January 1, 2009, but some parts were delayed until May 1, 2009, and others were then extended until January 1, 2010. The entire law was finally set to enact on (continue reading...)