Massachusetts Privacy Law Calls For Tighter Information Security:
Document shredding is now a matter of Law Compliance
[NOTE: New information is available at this link about the Massachusetts Privacy Law, which has evolved since this original post.]
The Commonwealth of Massachusetts enacted a law in September protecting state citizens’ personal information. Originally scheduled for January 1, 2009, the law will now take effect for all Massachusetts businesses and third-party providers beginning May 1, 2009, with other requirements coming into effect January 1, 2010. The law intends to protect employee personal information from unauthorized access and possible exploitation.
Personal information to be protected includes a person’s name and address, combined with a complete Social Security number, a driver’s license or other state-issued identification number, or a complete credit card or bank account number.
Companies that do keep this information will need to take some prescribed steps towards compliance. They must:
1. Establish written policies and procedures for the protection of these files, both in the electronic and physical formats.
2. Be able to justify the need for all such information kept in house. Obviously, employee data is needed for tax, 401K, and insurance withholdings. But for client records, is it possible to keep only the last four digits of a credit card number?
3. Establish robust user password requirements for the designated employee(s) to gain access to these files.
• Passwords for employees accessing this data should be as complex as possible and changed frequently.
• Companies need to review who can access these now protected files.
• It is advised to minimize the number of staff who would have this access.
• Companies should also consider implementing auditing tools that track who accessed which personal information, and when.
4. Put in place a personal information security officer responsible for maintaining, updating and training company employees about personal information protection policies.
5. Make sure disciplinary measures for violations are in place.
6. Maintain hard copy files of personal information in always-locked cabinets, with access limited to the minimum number of designated employees.
7. Have in place enterprise security tools (firewalls, plus server and workstation malware and anti-virus protection) that are current and can be automatically updated on a regular basis.
8. Consider outsourcing this risk whenever possible – for example, transferring the responsibility for maintaining employee personal information to a certified online personal records service provider. Consider using a certified credit card processing service, with your company only inputting, but not able to record, client credit card information. Third-party certifications for 201 CMR 17.0 must be in place before January 1, 2010.
9. Ensure that any electronic communication of this protected data, whether wireless or online, is conducted using robust encryption.
10. Ensure that any storage of this protected data on laptops is robustly encrypted by May 1, 2009. Protected data stored on PDAs, memory sticks, CDs or other portable devices must be encrypted by January 1, 2010.
11. Minimize the amount of personal information stored and the duration for which it is stored. Companies should regularly review the protected data they maintain and purge all but what is absolutely necessary to keep on file.
Security threats continue to rise, and lost information can be devastating to companies and can be an indicator that fraud is being perpetrated. As the new Massachusetts law dictates, companies that hold such information will have to take appropriate measures to safeguard privacy.
Small and large businesses are now required to have a plan to protect consumer data and a plan for shredding these documents. myDocumentShredding.com can help by providing a safe and affordable shredding service that comes with a Notarized Certificate of Destruction, for extra peace of mind and for audit purposes.