Massachusetts Privacy Law – 201 CMR 17.00
Covered in this post:
Compliance date of March 1, 2010 for Mass. Data Privacy Law
What’s it going to cost?
PC encryption can help
Penalties: $5,000 per violation
Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts, 201 CMR 17.00
If you do business in Massachusetts, you know by now that your company will have to abide by the “Massachusetts Encryption Laws.” While the rules comprise more than the encryption of personal data, it’s expected that a lot of the costs of compliance will be centered around encryption. Compliance is required on or before March 1, 2010.
The following two URLs to http://www.mass.gov/ show the actual legal text (quite readable, considering) and a FAQ for the layperson. As a layperson myself, I’d recommend reading the FAQ first. It just makes things easier, not to mention it covers most aspects of what an organization–be it small, medium, big, or Fortune 500–is supposed to do to become compliant. MA Privacy Law 201 CMR 17.00: M.G.L. c. 93H here: http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf
Some highlights of the law:
Laptops with sensitive information must be encrypted (per the FAQ).
Other portable devices with sensitive data must also be encrypted if technically feasible.
Password protection is not an acceptable substitute for encryption.
The regulations apply to anyone and everyone that “collects and retains personal information in connection with the provision of goods and services or for the purposes of employment” including lawyers, hospitals, etc. About the only exclusions are individuals (you won’t have to encrypt your family’s data on your home computer, for example) and government agencies, including municipalities.
What’s Compliance Going to Cost?
In March 2009 I found an on-line document from OCABR (Office of Consumer Affairs and Business Regulation) that listed a hypothetical cost based on the following assumptions:
1 network server, serving 7 desktops
Network consultant already employed (having such a mix of computers usually means there is one being employed by the business)
The upfront cost was expected at $3,000 with $500 a month for on-going technical support. My guess is that once the amended law was announced back in November 2009, they decided their calculations may not be up-to-date anymore. I’d expect, however, that the price wouldn’t veer too far from the above.
$5,000 Per Violation: MA 201 CMR 17.00 Penalties For Non-Compliance
Under the law (MGL, Ch93A.4), the Attorney General of Massachusetts has the ability to seek injunctive relief against any organizations that are in violation of MA 201 CMR 17. What this means is that the AG can ask for a court order to stop an organization from being in violation of the law.
I’d say that’s essentially a roundabout way of stating that you’ll have to encrypt your laptops, install firewalls, get yourself a locking file cabinet, etc.–whatever’s necessary to be in compliance with the law. Not so bad, considering that a business had to do it to begin with.
However, the same law also authorizes the courts to impose a maximum $5,000 civil penalty for each violation. It’s been pointed out that the language is quite nebulous: is losing a laptop computer with a database of 1,000 names one violation or 1,000 violations? Depending on the interpretation, it could mean a maximum fine of $5,000 or $5 million.