Massachusetts Data Privacy Protection Law Third Party Provision Takes Effect March 1

The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) passed strict data privacy and security regulations, ‘201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH’, that went into effect March 1, 2010 to protect the personal information of Massachusetts residents by requiring businesses to have a multitude of safeguards, including a comprehensive Written Information Security Policy (WISP). Effective March 1, 2012, any company, in any location, that holds the personal information of Massachusetts residents must amend its existing third party vendor contracts to require compliance with Massachusetts data security regulations. The law is available at: http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf.

The Massachusetts law 201 CMR 17.00 covers any business that “receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.” The rules define “personal information” as a Massachusetts resident’s name combined with a financial, bank, or credit card account number, driver’s license number, or social security number. The regulations also apply to third parties and require contracts to ensure that the regulations are implemented and maintained, although those contracts did not need to be updated before March 1, 2012. The Massachusetts rules apply to out-of-state firms that handle personal information as well.

The Massachusetts regulations require companies handling personal information to adopt several administrative, technical, and physical safeguards, including computer system security requirements that involve encryption of personal information on laptops and other portable devices as well as of data transmitted across public networks or wirelessly. Businesses regulated by these rules must also implement a comprehensive Written Information Security Policy (WISP) that includes the following elements:

  • Designation of Employee(s) to Maintain the WISP Program.
  • Identification and Assessment of Internal and External Risks.
  • Restricting Physical or Electronic Access to Personal Information.
  • Verifying Third-Party Service Providers can Protect Personal Information.
  • Collection, Access, and Retention Standards for Personal Information.
  • Access, Storage, Use, and Disclosure of Personal Information.
  • Review, Responsive Action, and Documentation of Responsive Action.
  • Destruction of Personal Information No Longer Needed.
  • Employee Training on WISP Program.
  • Monitoring the WISP Program.
  • Review of WISP Program.

The Massachusetts law has been described as the toughest in the nation, and should go a long way toward improving privacy and data security and fighting identity theft. The text of the regulations, ‘201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH’, can be viewed at: http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf.

With many strict information security regulations now in effect, employers must ensure that their background screening firms are in full compliance. For more information on privacy and data security as it relates to background checks, visit Employment Screening Resources (ESR) – ‘The Background Check AuthoritySM’ and a nationwide background screening provider accredited by The National Association of Professional Background Screeners (NAPBS®) – at http://www.esrcheck.com/ or call 415.898.0044 or 888.999.4474.

Source: http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf.

About Employment Screening Resources (ESR):
Employment Screening Resources (ESR) – ‘The Background Check AuthoritySM’ – provides accurate and actionable information, empowering employers to make informed safe hiring decisions for the benefit of our clients, their employees, and the public. ESR literally wrote the book on background screening with “The Safe Hiring Manual” by Founder and CEO Lester Rosen. ESR is accredited by The National Association of Professional Background Screeners (NAPBS), a distinction held by less than two percent of all screening firms. By choosing an accredited screening firm like ESR, employers know they have selected an agency that meets the highest industry standards. For more information about Employment Screening Resources (ESR), visit http://www.esrcheck.com/ or call 415.898.0044 or 888.999.4474.

About ESR News:
The Employment Screening Resources (ESR) News blog – ESR News – provides employment screening information for employers, recruiters, and jobseekers on a variety of topics including credit reports, criminal records, data privacy, discrimination, E-Verify, jobs reports, legal updates, negligent hiring, workplace violence, and use of search engines and social network sites for background checks. For more information about ESR News or to send comments or questions, please email ESR News Editor Thomas Ahearn at tahearn@esrcheck.com.