State Issues Final Data Breach Regulations – Finally…
Two years after the passage of the Massachusetts Identity Theft Law, the Office of Consumer Affairs and Business Regulation (OCABR) has finalized new data breach regulations. After several delays and many changes from the original regulation, the revised regulation will become effective on March 1, 2010. RAM wishes to thank Undersecretary Barbara Anthony for her significant time and effort that went into this revision.
The new regulation applies to any person or business that collects or retains personal information of Massachusetts residents. Personal information includes a person's first and last name, or a person's first initial and last name, in combination with one or more of the following numbers: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a Massachusetts resident's financial account. Personal information does not include information that is lawfully obtained from publicly available information.
There are several differences between the final regulation and the draft regulation issued earlier this year. The final regulation uses a risk-based approach that directs a business to establish a written information security program based on its size, scope and available resources. Additionally, the specific requirements for a written information security program outlined in the previous regulations are now listed in a guidance form only. Finally, the definition of encryption has been amended to make it technology neutral to allow for developments in technology.
It is important to note that if you use “swipe technology” for credit cards, and you do not have actual custody and control over the personal information, then you do not own or license that information. Therefore, as long as you batch out such data in accordance with the Payment Card Industry Standards, you do not have additional obligations under these regulations for that specific data. You are, however, still obligated to comply with the regulations for any other personal information you collect or store, including but not limited to employee records.
Click on the link to view the regulation: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf