Tuesday, January 19, 2010

New Massachusetts Data Privacy/Confidentiality Rules Going into Effect Shortly

Massachusetts is in the news today for several reasons. One important issue relevant to law firms is the set of data privacy and confidentiality regulations going into effect March 1, 2010 (201 CMR 17.00). These rules explicitly apply to law firms with offices or clients in the commonwealth, which should take care to comply. The new regulations include provisions that organizations that “store” or otherwise have access to personal information about Massachusetts residents:
  • Must comply even if they are located in other states (the rules affect firms with clients based in Massachusetts)
  • Must have a written information security policy (WISP), which includes training and retention/destruction practices
  • Must put in place protections and controls to ensure compliance, including confidentiality enforcement controls with monitoring/reporting capabilities
  • Cannot communicate personal information in an unencrypted format (including email)
Relevant personal information includes names, social security numbers, driver’s license numbers / state ID numbers, and financial account numbers. Several articles and resources provide additional information. See also the text of the regulation and a concise FAQ.
