Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)


Massachusetts has revised its data privacy regulations one more time. The revised regulations are less demanding than the original version released over a year ago. But this law remains the strictest in the country and will be the de facto law of the land for many companies.

The Office of Consumer Affairs and Business Regulation (OCABR) issued a press release announcing that the revised regulations have been filed with the Secretary of State and published on the OCABR website.

Fortunately, Gabriel M. Helmer of Foley Hoag’s Security & Privacy practice produced a redline showing the changes.

There are very few changes to the regulations that were released in August:

  • The Massachusetts Data Privacy regulations apply to anyone who “stores” personal information, in addition to those who receive, maintain, process, or otherwise have access to personal information.
  • The definition of “Service Provider” now includes anyone who “stores” personal information through their provision of services to anyone subject to the regulations, in addition to those who receive, maintain, process, or otherwise are permitted access to personal information.
  • The U.S. Postal Service is no longer expressly excluded from the definition of “Service Providers.”
  • Service Provider agreements entered into before March 1, 2010 do not have to be amended to comply with these regulations until March 1, 2012.

The effective date is still March 1, 2010.

The regulations apply to personal information of Massachusetts residents. The reach of the regulations is not limited to businesses in Massachusetts.

Author: Doug Cornelius

12 thoughts on “Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)”

  1. If this applies to anyone who receives personal information or otherwise accesses personal information, what does this mean about online social networks? I can access a lot of personal information about my Massachusetts friends via Facebook, etc. Could a lawsuit be brought against an individual if their Facebook is compromised and their friends’ data breached?

    1. The definition of “personal information” is the key to your question. Facebook clearly collects lots of personal information, but not the “Personal Information” defined under Massachusetts law:

      Personal information, a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

      Since Facebook does not collect SSNs or financial account info, I don’t think the kind of breach you mention is covered under the law.

    1. Absolutely!

      If you have a Massachusetts client’s name and their Social Security number, then you are subject to this law. If you get a W-9 or tax filings or other filings through email and those filings have a Massachusetts client’s name and their Social Security number, then that means your laptop and BlackBerry need to be encrypted. Your document systems need to be secure and you need proper protocols in place.
